Virtumonde infection problem



korg2008
2008-03-04, 00:09
Hello, I've been trying to get rid of Virtumonde with Spybot, but it really sticks to my PC. As read in «Before you post», I paste the HJT log and the Kaspersky log report. I hope it fits in the same message.

Thanks in advance for your help, it will be deeply appreciated.


Note: after trying to post here, it appears my message was too long (28,219 characters instead of 20,000). I am cutting away the end part of the Kaspersky log report, and I'll wait for your indications. Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:57, on 2008-03-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvgid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O21 - SSODL: DriveRunOnce - {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
O21 - SSODL: zip - {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8277 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 3:28:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 594402
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 116120
Number of viruses found: 31
Number of infected objects: 83
Number of suspicious objects: 5
Duration of the scan process: 03:35:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Thu, 25 Apr 2002 21:28:48 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:48:10 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:51:27 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED/assurance.bat Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx Mail MS Outlook 5: infected - 2, suspicious - 5 skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\FHGYmUtT.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\gos14F6.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\win14F9.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6GFF5J12\1204512613[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6QGMS8MC\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQDTKLW0\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQESIAS1\1204510679[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\JPQN5ZYK\1204512663[1].exe Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\QGZ6RHJH\reijane[1].htm Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\mhyvfa.exe2 Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

Shaba
2008-03-05, 12:22
Hi korg2008

Please post the full Kaspersky report next :)

korg2008
2008-03-05, 20:06
Hello Shaba, and thanks for the reply, I appreciate it.

Things are still the same: pop-up ad pages in IExplorer, a very slow computer at times, lots of warnings from Spybot and NAV. I clean with Spybot 2 to 3 times a day, with an average of 10 to 15 problems detected, and always those two coming back: Virtumonde and Win32.Tiny.abk.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 3:28:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 594402
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 116120
Number of viruses found: 31
Number of infected objects: 83
Number of suspicious objects: 5
Duration of the scan process: 03:35:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Thu, 25 Apr 2002 21:28:48 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:48:10 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:51:27 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED/assurance.bat Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx Mail MS Outlook 5: infected - 2, suspicious - 5 skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\FHGYmUtT.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\gos14F6.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\win14F9.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6GFF5J12\1204512613[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6QGMS8MC\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQDTKLW0\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQESIAS1\1204510679[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\JPQN5ZYK\1204512663[1].exe Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\QGZ6RHJH\reijane[1].htm Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\mhyvfa.exe2 Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\2C1176CD Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\5519725A.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\610F2110 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\621671A5 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\627F3132 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\69FA55AA.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\69FA55AA.tmp Infected: Trojan-Downloader.Win32.Zlob.hts skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B064884.exe Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B064884.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.bi skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B097280.txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B341451.exe Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B341451.txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6DD7076A.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\Program Files\Norton AntiVirus\Quarantine\6F07481B.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\Program Files\Norton AntiVirus\Quarantine\734855FE Infected: Trojan.Win32.Dialer.yz skipped
C:\Program Files\Norton AntiVirus\Quarantine\734C7FFB Infected: Trojan.Win32.Dialer.yz skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B0248ED Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP483\A0039880.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP484\A0039883.exe Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039942.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039943.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039944.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039945.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039946.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039947.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039949.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039950.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039951.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039952.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039953.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039954.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039955.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039956.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039957.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039958.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039959.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039960.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039961.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039963.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039964.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039966.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039968.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039969.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039970.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039972.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039973.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039974.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039983.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039984.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039994.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040028.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040031.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040032.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040033.exe Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP494\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\qwetab.inf Object is locked skipped
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll Infected: Trojan.Win32.Agent.feh skipped
C:\WINDOWS\Installer\{9d864a43-586d-41b6-ab85-431194e5c189}\zip.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A8CB5819-C464-4D89-866F-5CABCA5BA0A5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\fccbcdb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\tmmudjmv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\WINDOWS\system32\winmbw32.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\Temp\win22.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba
2008-03-05, 20:13
Hi

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Rename HijackThis.exe to korg2008.exe

After that:

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happens we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

korg2008
2008-03-05, 21:19
Hello Shaba, just to make sure: do you want me to go all the way with #1 and then set up #2 to #5? Or do you want me to do the settings #2 to #5 before #1? Presently Spybot is in Advanced mode but TeaTimer is resident.

I am now posting this in WXP Safe mode; normal mode is getting almost impossible to work with, since Norton AV and Spybot pop up a continuous flow of warning windows.

I'm standing by for your answer

korg

korg2008
2008-03-06, 05:00
Good morning Shaba,

I went through the process, in numerical order. It worked fine, besides Norton AV Auto-Protect trying to kill ComboFix during the procedure. I had a chance to deactivate NAV, so ComboFix ended normally.

For a few days now, there are always 3 windows popping up when rebooting:

1- Windows' ID window (about, version, etc..)
2- RUNDLL not finding C:\windows\system32\drvgid.dll
3- RUNDLL not finding C:\windows\system32\drvlaz.dll

I haven't rebooted yet (in normal mode) after the ComboFix procedure.

The following posts contain the HJT log and the ComboFix report.

korg

korg2008
2008-03-06, 05:01
ComboFix 08-03-05.1 - Claude et Francine 2008-03-05 19:18:46.1 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.426 [GMT -5:00]
Endroit: C:\Documents and Settings\Claude et Francine\Bureau\ComboFix.exe
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ucleaner_setup.exe
C:\WINDOWS\BMf37770d9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fccbcdb.dll
C:\WINDOWS\system32\hrjmhybf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\merrxneu.dll
C:\WINDOWS\system32\qqrqr.ini
C:\WINDOWS\system32\qqrqr.ini2
C:\WINDOWS\system32\rqrqq.dll
C:\WINDOWS\system32\uenxrrem.ini
C:\WINDOWS\system32\winmbw32.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wlqcwpji.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))))))))
.

2008-03-05 06:37 . 2008-03-05 06:38 76,303 --a------ C:\Program Files\udefender_setup.exe
2008-03-05 06:32 . 2008-03-05 06:32 <REP> d-------- C:\Program Files\IE Extensions
2008-03-05 06:32 . 2008-03-05 06:32 16,520 --a------ C:\Program Files\tmp34768073.exe
2008-03-05 06:32 . 2008-03-05 06:32 16,496 --a------ C:\Program Files\tmp34768544.exe
2008-03-05 06:32 . 2008-03-05 06:32 13,556 --a------ C:\Program Files\tmp34770447.exe
2008-03-05 06:32 . 2008-03-05 06:32 13,472 --a------ C:\Program Files\tmp34770327.exe
2008-03-05 06:31 . 2008-03-05 06:31 16,616 --a------ C:\Program Files\tmp34768163.exe
2008-03-05 06:31 . 2008-03-05 06:31 16,436 --a------ C:\Program Files\tmp34767783.exe
2008-03-04 19:13 . 2008-03-04 19:13 <REP> d-------- C:\Program Files\COMODO
2008-03-04 19:13 . 2008-03-04 19:13 <REP> d-------- C:\Documents and Settings\Claude et Francine\Application Data\Comodo
2008-03-04 19:13 . 2008-03-04 20:18 <REP> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-04 19:13 . 2008-03-04 19:13 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-03-04 19:13 . 2008-03-04 19:13 84,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-04 19:13 . 2008-03-04 19:13 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-04 15:26 . 2008-03-04 15:27 <REP> d-------- C:\Downloads mars 2008
2008-03-03 22:47 . 2008-03-03 22:47 13,460 --a------ C:\Program Files\tmp9833900.exe
2008-03-03 22:44 . 2008-03-03 22:44 16,468 --a------ C:\Program Files\tmp9641774.exe
2008-03-03 16:38 . 2008-03-03 16:38 <REP> d-------- C:\Program Files\Trend Micro
2008-03-03 11:19 . 2008-03-03 11:19 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 11:19 . 2008-03-03 11:19 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 08:30 . 2008-03-03 08:30 <REP> d--h----- C:\WINDOWS\PIF
2008-03-02 22:33 . 2008-03-02 22:38 339 --a------ C:\WINDOWS\wininit.ini
2008-03-02 22:04 . 2008-03-02 22:04 <REP> d-------- C:\Program Files\SysCleaner
2008-03-02 21:13 . 2008-03-02 21:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 21:13 . 2008-03-02 21:13 2,568 --a------ C:\WINDOWS\unins000.dat
2008-03-02 20:48 . 2008-03-02 21:15 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-02 20:48 . 2008-03-02 21:22 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 19:08 . 2008-03-02 19:08 58,368 --a------ C:\mhyvfa.exe2
2008-03-02 19:08 . 2008-03-02 19:08 50,688 --a------ C:\mmesckoj.exe2
2008-03-02 19:07 . 2008-03-02 19:07 145 --a------ C:\WINDOWS\system32\winver.bat2
2008-03-02 18:57 . 2008-03-02 18:57 <REP> dr-h----- C:\~MSSETUP.T
2008-02-26 23:06 . 2008-02-26 23:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-12 16:48 . 2008-02-12 16:48 <REP> d-------- C:\Program Files\SunNetPro
2008-02-12 16:46 . 2008-02-12 16:46 <REP> d-------- C:\WINDOWS\Downloaded Installations

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:21 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Skype
2008-03-03 21:30 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\skypePM
2008-03-03 15:12 --------- d-----w C:\Program Files\eMule
2008-03-03 14:12 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-03-03 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 00:37 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Apple Computer
2008-02-06 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-06 00:35 --------- d-----w C:\Program Files\QuickTime
2008-02-05 12:09 --------- d-----w C:\Program Files\DivX
2007-12-20 14:08 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 07:00 15360]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-04-04 11:55 71304]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-25 11:18 100056]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2006-12-22 20:55 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-13 20:10 409600]
"LVCOMS"="C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 15:16 90112]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-05 19:25 385024]
"MSDrive"="C:\WINDOWS\system32\drvgid.dll" [ ]
"MSDisp32"="C:\WINDOWS\system32\drvlaz.dll" [ ]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-04 19:13 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 07:00 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-03-26 16:26 54384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveRunOnce"= {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll [2008-03-02 19:07 14374]
"zip"= {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll [2008-03-02 19:07 38438]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\CIMSVR.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-23 12:47]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-19 10:53]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 16:28]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\system32\DRIVERS\LV551AV.sys [2002-06-10 14:24]

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-25 11:07:26 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur - Claude et Francine.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-03-01 11:12:53 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-03-06 00:39:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 19:27:45
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
-> C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Temps d'accomplissement: 2008-03-05 19:39:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 00:39:39
.
2008-02-14 08:04:30 --- E O F ---

korg2008
2008-03-06, 05:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41:57, on 2008-03-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvgid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O21 - SSODL: DriveRunOnce - {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
O21 - SSODL: zip - {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8211 bytes

Shaba
2008-03-06, 11:54
Hi

2. and 3. will go away very soon.

If Norton does that, please deactivate it just before future combofix runs.

Before that:

* Download GMER from here (http://www.gmer.net/gmer.zip).
Unzip it and start GMER.exe.
Click the rootkit tab and click Scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
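The RUNDLL pop-ups korg2008 describes and the Run-key values that ComboFix printed with an empty "[ ]" are the same finding: Windows still runs the autorun entry, but its DLL is gone. Below is an added triage script (not part of this thread, ComboFix or GMER) that parses a ComboFix-style registry dump and flags those orphaned autoruns, a service whose ImagePath is an .inf file rather than a driver, and Security Center notifications that have been switched off; the sample dump is constructed from the entries posted above.

```python
"""Triage a ComboFix-style registry dump (added example; not ComboFix's own code).

Flags three things a helper looks for in such a report:
  * Run-key values whose file ComboFix could not find ("[ ]"): the source of
    RUNDLL "not found" pop-ups at logon after the payload has been removed;
  * services whose ImagePath is not a .sys/.exe, e.g. an .inf registered as a driver;
  * Security Center *DisableNotify flags set to 1 (AV/update warnings silenced).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Constructed sample modelled on the ComboFix report posted in this thread.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 07:00 15360]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"MSDrive"="C:\WINDOWS\system32\drvgid.dll" [ ]
"MSDisp32"="C:\WINDOWS\system32\drvlaz.dll" [ ]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
"""


@dataclass
class RegValue:
    key: str   # registry key the value lives under
    name: str  # value name, e.g. "MSDrive"
    data: str  # value data: a path for REG_SZ, decimal string for DWORD
    meta: str  # ComboFix's bracketed file info; "" = file not found, "dword" for DWORDs


KEY_RE = re.compile(r"^\[(.+)\]$")
SZ_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s*\[(.*?)\])?\s*$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_dump(text: str) -> List[RegValue]:
    """Turn the REGEDIT4-style section of a ComboFix report into RegValue records."""
    values: List[RegValue] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        if current_key is None:
            continue
        sz = SZ_RE.match(line)
        if sz:
            values.append(RegValue(current_key, sz.group(1), sz.group(2), (sz.group(3) or "").strip()))
            continue
        dw = DWORD_RE.match(line)
        if dw:
            values.append(RegValue(current_key, dw.group(1), str(int(dw.group(2), 16)), "dword"))
    return values


def _is_run_key(key: str) -> bool:
    return key.lower().endswith("\\currentversion\\run")


def missing_autoruns(values: List[RegValue]) -> List[RegValue]:
    """Run-key values whose target ComboFix could not stat (empty "[ ]")."""
    return [v for v in values if _is_run_key(v.key) and v.meta == ""]


def explain_rundll_error(values: List[RegValue], dll_filename: str) -> List[str]:
    """Map a 'RUNDLL ... <dll> not found' pop-up back to the autorun value(s) naming that DLL."""
    needle = dll_filename.lower()
    return [f"{v.key}\\{v.name}" for v in values
            if _is_run_key(v.key) and PureWindowsPath(v.data).name.lower() == needle]


def services_with_odd_image(values: List[RegValue]) -> List[Tuple[str, str]]:
    """(service name, image path) for services whose ImagePath is not a .sys or .exe."""
    odd = []
    for v in values:
        parts = v.key.split("\\")
        if v.name.lower() != "imagepath" or "services" not in (p.lower() for p in parts):
            continue
        path = v.data[4:] if v.data.startswith("\\??\\") else v.data  # drop NT object prefix
        if PureWindowsPath(path).suffix.lower() not in (".sys", ".exe"):
            odd.append((parts[-1], path))
    return odd


def security_center_silenced(values: List[RegValue]) -> List[str]:
    """Security Center *DisableNotify flags set to 1: user is no longer warned AV/updates are off."""
    return sorted(v.name for v in values
                  if v.meta == "dword" and v.data == "1"
                  and "security center" in v.key.lower()
                  and v.name.lower().endswith("disablenotify"))


if __name__ == "__main__":
    vals = parse_dump(SAMPLE_DUMP)
    for v in missing_autoruns(vals):
        print(f"orphaned autorun: {v.key}\\{v.name} -> {v.data}")
    for svc, img in services_with_odd_image(vals):
        print(f"service {svc} loads a non-driver image: {img}")
    for flag in security_center_silenced(vals):
        print(f"Security Center notification disabled: {flag}")
```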

korg2008
2008-03-06, 14:19
Hello Shaba,

My GMER report contains approx. 96k characters; how do you propose I send it?

korg2008
2008-03-06, 14:27
I sliced the report. Hope you can work with this.

page 1 of 5

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-06 07:08:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 83A1E328 ZwConnectPort
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwCreateKey [0xF7860A58] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwOpenKey [0xF7860B0C] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwTerminateProcess [0xF78627D2] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

.text qwetab.inf F78600FD 62 Bytes CALL F7860102 \??\C:\WINDOWS\inf\qwetab.inf
.text qwetab.inf F786013C 102 Bytes [ 00, 00, 8D, B5, 6B, 04, 00, ... ]
.text qwetab.inf F78601A3 557 Bytes [ 00, 00, 00, 00, 81, C7, 1C, ... ]
.text qwetab.inf F78603D1 289 Bytes [ 44, C7, 45, F0, 00, 00, 00, ... ]
.text qwetab.inf F78604F3 143 Bytes [ 7D, FC, 8B, 7F, 1C, 03, 7D, ... ]
.text ...
.text C:\WINDOWS\inf\qwetab.inf section is writeable [0xF7860000, 0x6F78, 0xE8000020]
? C:\WINDOWS\inf\qwetab.inf Le fichier spécifié est introuvable.

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll

Shaba
2008-03-06, 14:41
Hi

Yes that is fine :)

korg2008
2008-03-06, 14:52
Part 2 was too big, so I re-sliced the whole report into 6 pieces; here it is:

page 1 of 6

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-06 07:08:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 83A1E328 ZwConnectPort
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwCreateKey [0xF7860A58] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwOpenKey [0xF7860B0C] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwTerminateProcess [0xF78627D2] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

.text qwetab.inf F78600FD 62 Bytes CALL F7860102 \??\C:\WINDOWS\inf\qwetab.inf
.text qwetab.inf F786013C 102 Bytes [ 00, 00, 8D, B5, 6B, 04, 00, ... ]
.text qwetab.inf F78601A3 557 Bytes [ 00, 00, 00, 00, 81, C7, 1C, ... ]
.text qwetab.inf F78603D1 289 Bytes [ 44, C7, 45, F0, 00, 00, 00, ... ]
.text qwetab.inf F78604F3 143 Bytes [ 7D, FC, 8B, 7F, 1C, 03, 7D, ... ]
.text ...
.text C:\WINDOWS\inf\qwetab.inf section is writeable [0xF7860000, 0x6F78, 0xE8000020]
? C:\WINDOWS\inf\qwetab.inf Le fichier spécifié est introuvable.

---- User code sections - GMER 1.0.14 ----

korg2008
2008-03-06, 14:53
page 2 of 6

korg2008
2008-03-06, 14:54
page 3 of 6
.text C:\WINDOWS\Explorer.EXE[1336] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] USER32.DLL!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] USER32.DLL!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] USER32.DLL!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1684] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll

korg2008
2008-03-06, 14:55
page 4 of 6


korg2008
2008-03-06, 14:56
page 5 of 6

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [005B3390] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [005B3A90] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawEdge] [005B2D70] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [005B35A0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)

korg2008
2008-03-06, 14:57
page 6 of 6


---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs qwetab.inf

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip qwetab.inf

Device \Driver\NAVEX15 \Device\NAVEX15 F1BB88CE

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp qwetab.inf

Device \Driver\NAVENG \Device\NAVENG F1B5E2A9

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp qwetab.inf
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp qwetab.inf

Device \Driver\SYMTDI \Device\SymTDI qwetab.inf

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\inf\qwetab.inf (*** hidden *** ) [SYSTEM] qwetab <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@ImagePath \??\C:\WINDOWS\inf\qwetab.inf
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab\Security
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@ImagePath \??\C:\WINDOWS\inf\qwetab.inf
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@ImagePath \??\C:\WINDOWS\inf\qwetab.inf
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab\Security
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab\Security@Security 0x01 0x00 0x14 0x80 ...

---- EOF - GMER 1.0.14 ----

korg2008
2008-03-06, 15:01
Comodo firewall seems to take a lot of room in the forwarded report; please note it was installed after the infection began. I'm not really sure if I must deactivate Windows' own firewall to have it running, but this is a smaller problem.

Thanks again

korg

korg2008
2008-03-06, 15:04
By the way Shaba, things have smoothed out a lot here on the PC: pop-ups and IE re-routing to unwanted pages seem to have dropped quite a bit.

Shaba
2008-03-06, 15:14
Hi

If Windows' own firewall is running with Comodo, please disable Windows' own firewall.

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\inf\qwetab.inf
Now click Delete

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer

Post:

- a fresh HijackThis log
- gmer log (should be much smaller now)
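The indicators Shaba acts on above (a service GMER marks as hidden, its ImagePath pointing at an .inf instead of a .sys driver, and the same module attached to the TCP/IP stack with no vendor string) can be pulled out of a GMER text log automatically. The following Python triage script is an added example, not part of the thread or of GMER; its regexes are derived from the line formats visible in the posted log, and the sample it runs on is a constructed cut-down copy of that log plus one benign SymEvent ImagePath line for contrast.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.14's text format: a cut-down version of the
# log posted in the thread, plus one benign ImagePath line (SymEvent) for
# contrast. Paths and names are illustrative, not a full real log.
SAMPLE_LOG = r"""
---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp qwetab.inf
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\inf\qwetab.inf (*** hidden *** ) [SYSTEM] qwetab <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@ImagePath \??\C:\WINDOWS\inf\qwetab.inf
Reg HKLM\SYSTEM\CurrentControlSet\Services\SymEvent@ImagePath \??\C:\Program Files\Symantec\SYMEVENT.SYS
"""

# "Service <image> (<flags>) [<start type>] <name> <annotation>"
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)(?:\s+\((?P<flags>[^)]*)\))?"
    r"\s+\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)(?P<tail>.*)$"
)
# "AttachedDevice <driver object> <device object> <module> (<description/vendor>)"
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# "Reg HKLM\SYSTEM\<control set>\Services\<name>@ImagePath <path>"
IMAGEPATH_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\[^\s@]+\\Services\\(?P<name>[^\\@]+)@ImagePath"
    r"\s+(?P<path>.+?)\s*$"
)

# Kernel services are expected to load .sys images; anything else deserves a look.
DRIVER_EXTENSIONS = {".sys"}


def triage_gmer_log(text):
    """Map each suspicious module (basename, lower-cased) to the reasons it was flagged."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            key = ntpath.basename(m.group("image")).lower()
            flags = (m.group("flags") or "").lower()
            if "hidden" in flags:
                findings[key].append(f"service '{m.group('name')}' is hidden from the SCM")
            if "ROOTKIT" in m.group("tail"):
                findings[key].append(f"GMER marked service '{m.group('name')}' as ROOTKIT")
            continue
        m = DEVICE_RE.match(line)
        if m and m.group("vendor") is None:
            # A module on the TCP/IP or file-system stack with no description
            # is not proof of anything by itself, but it is what the thread's
            # rootkit looks like and is worth correlating with the other sections.
            findings[m.group("module").lower()].append(
                f"unidentified module attached to {m.group('device')} under {m.group('driver')}")
            continue
        m = IMAGEPATH_RE.match(line)
        if m:
            path = m.group("path")
            if path.startswith("\\??\\"):  # strip the NT object-manager prefix
                path = path[4:]
            ext = ntpath.splitext(path)[1].lower()
            if ext not in DRIVER_EXTENSIONS:
                findings[ntpath.basename(path).lower()].append(
                    f"service '{m.group('name')}' loads '{path}' ({ext or 'no'} extension, not .sys)")
    return dict(findings)


if __name__ == "__main__":
    for module, reasons in sorted(triage_gmer_log(SAMPLE_LOG).items()):
        print(module)
        for reason in reasons:
            print("  -", reason)
```

On the sample the only module with findings is qwetab.inf, which collects all four reasons; the Symantec drivers, which carry a vendor string and load .sys images, are not reported.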

korg2008
2008-03-06, 18:09
Hello Shaba,

Here is the HJT log. Following is the Gmer log in 5 consecutive posts.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:56, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvgid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O21 - SSODL: DriveRunOnce - {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
O21 - SSODL: zip - {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8211 bytes

korg2008
2008-03-06, 18:10
page 1 of 5

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-06 10:59:15
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 83AE7EF0 ZwConnectPort

---- User code sections - GMER 1.0.14 ----


korg2008
2008-03-06, 18:11
page 2 of 5

.text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[752] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[752] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[800] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[800] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[808] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[808] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\svchost.exe[892] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[892] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[984] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[984] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1004] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1004] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1264] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1312] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll

korg2008
2008-03-06, 18:12
page 3 of 5

.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1324] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1380] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1740] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] USER32.DLL!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] USER32.DLL!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] USER32.DLL!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\alg.exe[2376] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\wuauclt.exe[2752] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\Mixer.exe[2888] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll

korg2008
2008-03-06, 18:13
page 4 of 5

.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 009353E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ntdll.dll!LdrUnloadDll 7C92718B 3 Bytes JMP 00935310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ntdll.dll!LdrUnloadDll + 4 7C92718F 1 Byte [ 84 ]
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 00934FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 009316C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 00931540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 00931850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 00931220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 009313B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ A3, 88 ]
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 00934CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 00934E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\svchost.exe[3220] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Messenger\msmsgs.exe[3292] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[3432] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll

korg2008
2008-03-06, 18:14
page 5 of 5

.text C:\WINDOWS\system32\ctfmon.exe[3432] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [005B3750] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [005B38F0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [005B36B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [005B3750] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [005B3390] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [005B3A90] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawEdge] [005B2D70] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [005B35A0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [005B3470] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.14 ----

korg2008
2008-03-06, 18:21
I hope I did everything correctly, since the GMER report is just a little bit smaller (85k vs 96k previously).

The only red entry GMER gave was «qwetab», which I deleted. It wasn't there afterwards.

Things seem normal on the PC, although I don't touch it much besides the present correspondence. What is still out of the ordinary:

1- Two RUNDLL warning windows on the desktop after rebooting: drulaz.dll and drvgid.dll (in ...system32..)

2- The keyboard is missing a lot of keys I hit, so I have to hit them twice sometimes (for instance to write this), or hit them very hard. Hmm, strange...

Shaba
2008-03-06, 19:40
Hi

"1- Two RUNDLL warning windows on the desktop after rebooting: drulaz.dll and drvgid.dll (in ...system32..)"

It will be corrected next.

"2- The keyboard is missing a lot of keys I hit, so I have to hit them twice sometimes (for instance to write this), or hit them very hard. Hmm, strange..."

I don't think it's related to this.

Open Notepad and copy/paste the text in the quote box below into it:


File::
C:\Program Files\udefender_setup.exe
C:\Program Files\tmp34768073.exe
C:\Program Files\tmp34768544.exe
C:\Program Files\tmp34770447.exe
C:\Program Files\tmp34770327.exe
C:\Program Files\tmp34768163.exe
C:\Program Files\tmp34767783.exe
C:\Program Files\tmp9833900.exe
C:\Program Files\tmp9641774.exe
C:\mhyvfa.exe2
C:\mmesckoj.exe2

Folder::
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
"MSDisp32"=-
"braviax"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveRunOnce"=-
"zip"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.
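
The CFScript above is a small declarative format: File:: and Folder:: list paths to remove, and Registry:: uses .reg-file syntax, where "name"=- under a [key] line deletes that value. The script below is an added example for this thread (not part of any post here and not ComboFix's own code): it parses those three sections and then reads the "Other deletions" block of the ComboFix log to report which File::/Folder:: targets the log never listed as removed. The sample script and log excerpt are constructed copies of what is posted in this thread; the log header is matched in the French form the posted log shows and in an English form assumed here to read "Other Deletions".

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example for the forum thread; not ComboFix's own code. Sample data
below is copied from the posted script and log, trimmed to a subset.
"""
import re

# Constructed sample: a subset of the CFScript posted above.
CFSCRIPT = r"""
File::
C:\Program Files\udefender_setup.exe
C:\Program Files\tmp34768073.exe
C:\mhyvfa.exe2
C:\mmesckoj.exe2

Folder::
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveRunOnce"=-
"zip"=-
"""

# Constructed sample: the deletions block of the posted (French) ComboFix log.
COMBOFIX_LOG = r"""
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mhyvfa.exe2
C:\Program Files\udefender_setup.exe
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))))))))
.
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # File:: / Folder:: / Registry::
REG_KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...]
REG_DELETE_RE = re.compile(r'^"([^"]+)"=-$')    # "name"=-  (delete value)
LOG_HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")  # ((( title )))

# Header titles that introduce the deletions block, lower-cased.
# The English one is an assumption; the French one is what the posted log shows.
DELETION_TITLES = ("other deletions", "autres suppressions")


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Registry': [(key, value), ...]}.

    Registry entries are the values the script deletes ("name"=-); other
    .reg-style lines (value assignments) are ignored by this check.
    """
    out = {"File": [], "Folder": [], "Registry": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            out.setdefault(section, [])
            continue
        if section == "Registry":
            m = REG_KEY_RE.match(line)
            if m:
                key = m.group(1)
                continue
            m = REG_DELETE_RE.match(line)
            if m and key is not None:
                out["Registry"].append((key, m.group(1)))
        elif section is not None:
            out[section].append(line)
    return out


def parse_deletions(log_text):
    """Return the set of paths listed under the log's deletions header."""
    deleted, in_block = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LOG_HEADER_RE.match(line)
        if m:
            in_block = m.group(1).lower() in DELETION_TITLES
            continue
        if in_block and line and line != ".":
            deleted.add(line)
    return deleted


def unconfirmed_targets(script_text, log_text):
    """File::/Folder:: targets the log never reported as deleted, in script order."""
    script = parse_cfscript(script_text)
    deleted = {p.lower() for p in parse_deletions(log_text)}  # NTFS paths: case-insensitive
    return [t for t in script["File"] + script["Folder"] if t.lower() not in deleted]


if __name__ == "__main__":
    for target in unconfirmed_targets(CFSCRIPT, COMBOFIX_LOG):
        print("not confirmed deleted:", target)
    for key, name in parse_cfscript(CFSCRIPT)["Registry"]:
        print("value slated for deletion:", key, "->", name)
```

Run against the sample data, the check reports the tmp34768073.exe and mmesckoj.exe2 targets as never confirmed: the posted log's deletions block lists udefender_setup.exe, mhyvfa.exe2 and the two Installer folders, but none of the tmp*.exe files, which is exactly the discrepancy a helper would want to notice before declaring the machine clean.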

korg2008
2008-03-06, 20:03
Hello Shaba, here is the HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:00:35, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7526 bytes

korg2008
2008-03-06, 20:04
And here is the new ComboFix log:

ComboFix 08-03-05.1 - Claude et Francine 2008-03-06 12:54:55.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.429 [GMT -5:00]
Location: C:\Documents and Settings\Claude et Francine\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Claude et Francine\Bureau\CFScript.txt
* Creating a new restore point

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!

FILE ::
C:\mhyvfa.exe2
C:\mmesckoj.exe2
C:\Program Files\tmp34767783.exe
C:\Program Files\tmp34768073.exe
C:\Program Files\tmp34768163.exe
C:\Program Files\tmp34768544.exe
C:\Program Files\tmp34770327.exe
C:\Program Files\tmp34770447.exe
C:\Program Files\tmp9641774.exe
C:\Program Files\tmp9833900.exe
C:\Program Files\udefender_setup.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mhyvfa.exe2
C:\Program Files\udefender_setup.exe
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))))))))
.

2008-03-06 07:05 . 2008-03-06 07:05 3,847 --a------ C:\Program Files\tmp32187653.exe
2008-03-06 06:45 . 2008-03-06 10:37 250 --a------ C:\WINDOWS\gmer.ini
2008-03-05 06:32 . 2008-03-05 06:32 <REP> d-------- C:\Program Files\IE Extensions
2008-03-04 19:13 . 2008-03-04 19:13 <REP> d-------- C:\Program Files\COMODO
2008-03-04 19:13 . 2008-03-04 19:13 <REP> d-------- C:\Documents and Settings\Claude et Francine\Application Data\Comodo
2008-03-04 19:13 . 2008-03-04 20:18 <REP> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-04 19:13 . 2008-03-04 19:13 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-03-04 19:13 . 2008-03-04 19:13 84,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-04 19:13 . 2008-03-04 19:13 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-04 15:26 . 2008-03-06 10:20 <REP> d-------- C:\Downloads mars 2008
2008-03-03 16:38 . 2008-03-03 16:38 <REP> d-------- C:\Program Files\Trend Micro
2008-03-03 11:19 . 2008-03-03 11:19 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 11:19 . 2008-03-03 11:19 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 08:30 . 2008-03-03 08:30 <REP> d--h----- C:\WINDOWS\PIF
2008-03-02 22:33 . 2008-03-02 22:38 339 --a------ C:\WINDOWS\wininit.ini
2008-03-02 22:04 . 2008-03-02 22:04 <REP> d-------- C:\Program Files\SysCleaner
2008-03-02 21:13 . 2008-03-02 21:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 21:13 . 2008-03-02 21:13 2,568 --a------ C:\WINDOWS\unins000.dat
2008-03-02 20:48 . 2008-03-02 21:15 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-02 20:48 . 2008-03-02 21:22 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 19:07 . 2008-03-02 19:07 145 --a------ C:\WINDOWS\system32\winver.bat2
2008-03-02 18:57 . 2008-03-02 18:57 <REP> dr-h----- C:\~MSSETUP.T
2008-02-26 23:06 . 2008-02-26 23:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-12 16:48 . 2008-02-12 16:48 <REP> d-------- C:\Program Files\SunNetPro
2008-02-12 16:46 . 2008-02-12 16:46 <REP> d-------- C:\WINDOWS\Downloaded Installations

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:21 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Skype
2008-03-03 21:30 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\skypePM
2008-03-03 15:12 --------- d-----w C:\Program Files\eMule
2008-03-03 14:12 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-03-03 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 00:37 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Apple Computer
2008-02-06 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-06 00:35 --------- d-----w C:\Program Files\QuickTime
2008-02-05 12:09 --------- d-----w C:\Program Files\DivX
2007-12-20 14:08 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-07 02:08 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-05_19.31.42.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-06 11:45:28 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-01-19 01:31:10 757,760 ----a-w C:\WINDOWS\gmer.exe
+ 2008-03-06 11:45:28 85,713 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-04-04 11:55 71304]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-25 11:18 100056]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2006-12-22 20:55 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-13 20:10 409600]
"LVCOMS"="C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 15:16 90112]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-05 19:25 385024]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-04 19:13 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 07:00 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-03-26 16:26 54384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\CIMSVR.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-23 12:47]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-19 10:53]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 16:28]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\system32\DRIVERS\LV551AV.sys [2002-06-10 14:24]

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-25 11:07:26 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur - Claude et Francine.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-03-01 11:12:53 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-03-06 15:37:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 12:56:53
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Temps d'accomplissement: 2008-03-06 12:58:00
ComboFix-quarantined-files.txt 2008-03-06 17:57:44
ComboFix2.txt 2008-03-06 00:39:44
.
2008-02-14 08:04:30 --- E O F ---

Shaba
2008-03-06, 20:09
Hi

Delete these:

C:\Program Files\tmp32187653.exe
C:\WINDOWS\Installer\{9d864a43-586d-41b6-ab85-431194e5c189}\

Empty this folder:

C:\Program Files\Norton AntiVirus\Quarantine

Empty Recycle Bin.

Delete these mails from Outlook:

C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Thu, 25 Apr 2002 21:28:48 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:48:10 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:51:27 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED/assurance.bat Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx Mail MS Outlook 5: infected - 2, suspicious - 5 skipped

Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with Kaspersky.


Post:

- a fresh HijackThis log
- Kaspersky report

korg2008
2008-03-07, 00:21
Hello,

By the way, the PC stays online while doing those procedures, I hope it doesn't interfere. Here is the last HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16:21, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7468 bytes

korg2008
2008-03-07, 00:27
And here is the new Kaspersky report; sorry, I saved it in HTML and then translated it to txt:

page 1 of 2

KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 5:13:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 604356


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects: 94293
Number of viruses found: 29
Number of infected objects: 82
Number of suspicious objects: 0
Duration of the scan process: 02:48:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Historique\History.IE5\MSHist012008030620080307\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\QooBox\Quarantine\C\mhyvfa.exe2.vir Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\QooBox\Quarantine\C\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll.vir Infected: Trojan.Win32.Agent.feh skipped
C:\QooBox\Quarantine\C\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll.vir Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wlqcwpji.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-05_192706.08.zip/fccbcdb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-05_192706.08.zip/rqrqq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-05_192706.08.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP483\A0039880.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP484\A0039883.exe Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039942.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039943.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039944.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039945.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039946.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039947.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039949.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039950.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039951.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039952.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039953.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039954.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039955.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039956.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039957.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039958.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039959.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039960.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039961.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039963.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039964.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039966.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039968.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039969.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

korg2008
2008-03-07, 00:28
page 2 of 2


C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039970.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039972.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039973.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039974.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039983.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039984.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039994.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040028.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040031.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040032.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040033.exe Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP498\A0043542.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP498\A0043543.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043869.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043870.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043871.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043872.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044231.exe Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044232.exe Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044233.exe Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044234.exe Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044235.exe Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044236.exe Infected: Trojan-Downloader.Win32.Small.iuq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044237.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044238.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044239.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044245.inf Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045407.dll Infected: Trojan.Win32.Agent.feh skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045408.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045594.exe
Infected: Trojan-Downloader.Win32.Agent.hyy skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045595.sys
Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045596.exe
Infected: Trojan-Downloader.Win32.Agent.hyy skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045597.dll
Infected: Trojan.Win32.Dialer.yz skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045598.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045599.exe
Infected: Trojan-Downloader.Win32.Adload.ma skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045601.exe
Infected: Trojan-Downloader.Win32.Adload.ma skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045602.exe
Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045603.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045604.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045605.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\change.log
Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{AB8B9527-B429-4943-A46A-EF4E258D03A4}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Shaba
2008-03-07, 11:38
Hi

That's ok :)

Empty this folder:

C:\QooBox\Quarantine

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?

korg2008
2008-03-07, 13:22
Good morning!

So far so good Shaba, everything seems to be working as it used to here on the PC. I sure owe you one!!

korg

Shaba
2008-03-07, 13:32
Hi

Nice to hear :)

Final question:

Does Norton also have a firewall?

korg2008
2008-03-07, 14:11
No Shaba, there is only Norton Anti-virus. As a firewall I use Windows' and have been told to use Comodo instead. Comodo is kind of partially installed now (the icon is present on the lower right side of the task bar but with no color). When trying to install it a few days ago, it stalled. I plan to have it running and deactivate the Windows firewall in the days to come, any advice on that issue?

Shaba
2008-03-07, 19:05
Hi

Try to uninstall and re-install Comodo and post back if it helped.

korg2008
2008-03-07, 20:17
Hello Shaba,

Just tried to finish the Comodo installation and the PC couldn't reboot. I had to use the «reboot with the last known working config» option. I hope I didn't go back in time to where I had problems, although I doubt it. Just to be sure I post a fresh HijackThis log, to know if you see anything wrong.

I will stick with Windows' firewall until I read more about firewall pros and cons. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:11:34, on 2008-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7490 bytes

Shaba
2008-03-07, 20:34
Hi

Try one of these instead:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

And fix this entry as well:

O20 - AppInit_DLLs:

Let me know how it went.

korg2008
2008-03-07, 21:13
Hello Shaba, excuse my ignorance and/or lack of memory... but how should I proceed to fix «O20 - AppInit_DLLs:»?

Thanks :red:

korg2008
2008-03-07, 22:50
Just installed Online Armor successfully. Feels like walking down the street with a bouncer on each side :police:

Also Shaba, should I:

1- Keep Spybot running on the system (along with Norton AV and Online Armor)?

2- If so, re-activate TeaTimer?

3- Get rid of all disinfection icons (ComboFix, etc.) left on the desktop?

Shaba
2008-03-08, 12:31
Hi

Open HijackThis, click "Do a system scan only" and checkmark this:

O20 - AppInit_DLLs:

Close all windows including the browser and press "Fix checked".

1. Yes.

2. Yes.

3. Those will get deleted anyway during final cleanup step :)

Any other issues?

korg2008
2008-03-08, 14:16
Hello Shaba,

Re-activation of TeaTimer generated lots of requests from both Online Armor and Spybot (20 or so), for which I didn't always know what to answer, including a «drvlaz.dll» that was part of the former troubled era... I took an HJT log a few minutes ago:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:11:58, on 2008-03-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {26F7CA02-9E95-4132-85AA-67F489B4E112} - (no file)
O2 - BHO: (no name) - {35121FF9-930A-4186-83E2-498AA6D3E270} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A2D9B578-FC75-4098-B955-C552350EA1C5} - (no file)
O2 - BHO: (no name) - {AAE1AD9C-91A5-4E70-8837-075C8FD5E895} - (no file)
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: fccbcdb - C:\WINDOWS\
O20 - Winlogon Notify: winmbw32 - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8338 bytes

Shaba
2008-03-08, 14:31
Hi

Yes, it looks like TeaTimer has a "memory".

See here (http://forums.spybot.info/showpost.php?p=141685&postcount=5)

Between closing and re-enabling teatimer, fix these:

O2 - BHO: (no name) - {26F7CA02-9E95-4132-85AA-67F489B4E112} - (no file)
O2 - BHO: (no name) - {35121FF9-930A-4186-83E2-498AA6D3E270} - (no file)
O2 - BHO: (no name) - {A2D9B578-FC75-4098-B955-C552350EA1C5} - (no file)
O2 - BHO: (no name) - {AAE1AD9C-91A5-4E70-8837-075C8FD5E895} - (no file)
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O20 - Winlogon Notify: fccbcdb - C:\WINDOWS\
O20 - Winlogon Notify: winmbw32 - C:\WINDOWS\

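An added example, not code from this thread or from HijackThis, that does by script what Shaba did by eye: it parses two HJT logs, reports the entries that came back after the earlier clean log, and flags the three patterns being fixed here (a BHO with "(no file)", a Winlogon Notify entry pointing at a bare directory, a Run item loading a DLL through rundll32.exe). The sample lines are constructed from the two logs posted above; the flag heuristics are mine and assume the standard "Oxx - body" line layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A HijackThis result line looks like "O4 - HKLM\..\Run: [ccApp] ...": a section tag, " - ", the body.
HJT_LINE = re.compile(r'^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$')


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def target(self) -> str:
        """Last ' - ' field: the file path (or '(no file)') for O2/O3/O9/O20/O23 lines."""
        return self.body.rsplit(' - ', 1)[-1].strip()


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the tagged result lines; headers, the process list and the byte count are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(Entry(m['section'], m['body']))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Reason an entry needs a second look, or None. These are my heuristics, mirroring
    the three patterns fixed in this thread, not HijackThis's own logic."""
    if entry.section == 'O2' and entry.target == '(no file)':
        return 'orphaned BHO: CLSID still registered but its DLL is gone'
    if (entry.section == 'O20' and entry.body.startswith('Winlogon Notify:')
            and entry.target.endswith('\\')):
        return 'Winlogon Notify entry names a directory, not a DLL'
    if entry.section == 'O4' and 'rundll32.exe' in entry.body.lower():
        return 'startup item loads a DLL through rundll32.exe; identify that DLL'
    return None


def triage(baseline: str, current: str) -> List[Tuple[Entry, str]]:
    """Entries present in `current` but absent from the earlier `baseline` log, each with a reason.
    Entries already in the baseline are assumed reviewed and are not repeated."""
    known = set(parse_hjt(baseline))
    report = []
    for entry in parse_hjt(current):
        if entry in known:
            continue
        reason = flag(entry) or 'new since baseline; confirm it belongs to software you installed'
        report.append((entry, reason))
    return report


# Constructed samples, trimmed from the two logs posted above: the 2008-03-07 log as the
# clean baseline and the 2008-03-08 log taken after TeaTimer put the old entries back.
BASELINE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs:
"""

CURRENT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {26F7CA02-9E95-4132-85AA-67F489B4E112} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O20 - Winlogon Notify: fccbcdb - C:\WINDOWS\
O20 - Winlogon Notify: winmbw32 - C:\WINDOWS\
"""


if __name__ == '__main__':
    for entry, reason in triage(BASELINE_LOG, CURRENT_LOG):
        print(f'{entry.section:<4} {reason}\n     {entry.body}')
```

Online Armor's own Run entry is reported too, as "new since baseline": the script cannot tell new software from a returning infection, so the baseline must be a log that was already reviewed.
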
korg2008
2008-03-08, 14:43
Hello Shaba,

I already had the 1.5 version of SpyBot, so I guess there is nothing to change.

The system is running in top shape, your help was really really really great Shaba, thanks again for your time. It is deeply appreciated from far away Quebec, Canada!

Anything more I should do to finalize the procedure?

Shaba
2008-03-08, 15:14
Hi

Then you will need to do this.

1) Uninstall Spybot

2) Fix these:

O2 - BHO: (no name) - {26F7CA02-9E95-4132-85AA-67F489B4E112} - (no file)
O2 - BHO: (no name) - {35121FF9-930A-4186-83E2-498AA6D3E270} - (no file)
O2 - BHO: (no name) - {A2D9B578-FC75-4098-B955-C552350EA1C5} - (no file)
O2 - BHO: (no name) - {AAE1AD9C-91A5-4E70-8837-075C8FD5E895} - (no file)
O2 - BHO: (no name) - {B3ADDB7B-3DF5-4672-82DD-775FFF180134} - (no file)
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O20 - Winlogon Notify: fccbcdb - C:\WINDOWS\
O20 - Winlogon Notify: winmbw32 - C:\WINDOWS\

3) Re-install spybot and enable TeaTimer.

Post back a fresh HijackThis log after that, please :)

korg2008
2008-03-08, 16:29
Hello Shaba,

In the process of re-installing SpyBot there were lots of warnings from Online Armor. I gave OK to all of them, but being on-line all the time, and not knowing much about who's who, I hope it didn't cause trouble.

I think I skipped step 3 out of 7 by mistake in the Spybot installation process (save registry). The PC seems quite a bit slower since the installation.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:23:27, on 2008-03-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7771 bytes

Shaba
2008-03-08, 17:56
Hi

Log seems to be fine now :)

That slowness likely goes away; if not, you can always disable TeaTimer and see if it helps.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 5 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says: The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.

Next we remove all used tools.

Please download OTMoveIt2 (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and save it to desktop.

Double-click OTMoveIt2.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt2 attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
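The redirection mechanism described in the MVPS Hosts file paragraph above, as an added example that is not part of this thread, of HijackThis or of the MVPS project: a small Python script that parses a HOSTS file and separates entries that sinkhole a hostname (to 127.0.0.1, or to 0.0.0.0, which is assumed here as the other common sinkhole address) from entries that point a hostname at any other address, which is the kind of entry a reviewer of a cleaned machine wants to look at. The SAMPLE_HOSTS text, the example domains, the 198.51.100.7 address and the WATCHED_HOSTNAMES list are all constructed for the demo.

```python
"""
HOSTS file sinkhole checker (added example, not from the thread).

A blocklist-style HOSTS file (the MVPS file discussed above is one) maps
unwanted hostnames to 127.0.0.1, or to 0.0.0.0 (assumed here as the other
common sinkhole address), so the resolver never reaches the real site.
The same mechanism pointed at any other address redirects a hostname
instead of blocking it, so a reviewer wants the two kinds of entry
separated.
"""
import ipaddress
import re

SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Hostnames that a HOSTS file on an end-user machine should not be
# redirecting anywhere.  Constructed watch list for the demo; extend it.
WATCHED_HOSTNAMES = {"windowsupdate.com", "www.windowsupdate.com"}

# first field = address, remainder = one or more hostnames
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Return a list of (address, [hostnames]) tuples, one per active line.

    Comments ('#' to end of line) and blank lines are skipped.  A line
    whose first field is not a valid IP address is ignored rather than
    raising, mirroring the resolver's own tolerance for junk lines.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, rest = m.group(1), m.group(2)
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        entries.append((addr, rest.split()))
    return entries


def classify(entries):
    """Split parsed entries into sinkholed and redirected hostnames.

    Returns a dict with:
      'blocked'    -> set of hostnames mapped to a sinkhole address
                      (the stock 'localhost' line is not counted)
      'redirected' -> list of (hostname, address) for every other entry
      'watched'    -> the subset of 'redirected' naming a hostname in
                      WATCHED_HOSTNAMES, i.e. the entries to review first
    """
    blocked, redirected, watched = set(), [], []
    for addr, names in entries:
        for name in names:
            lname = name.lower()
            if addr in SINKHOLE_ADDRESSES:
                if lname == "localhost":
                    continue  # stock loopback mapping, not a blocklist entry
                blocked.add(lname)
            else:
                redirected.append((lname, addr))
                if lname in WATCHED_HOSTNAMES:
                    watched.append((lname, addr))
    return {"blocked": blocked, "redirected": redirected, "watched": watched}


# Constructed sample: the stock localhost line, two MVPS-style blocklist
# lines, a comment, a junk line, and one entry pointing a watched name
# at a documentation-range address (198.51.100.7, constructed).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example.net          # [ad server, constructed]
127.0.0.1  tracker.example.org banner.example.org
not-an-ip   junk.example
198.51.100.7    www.windowsupdate.com   # constructed redirect
"""


def report(text=SAMPLE_HOSTS):
    """Parse and classify a HOSTS file's text (defaults to the sample)."""
    return classify(parse_hosts(text))


if __name__ == "__main__":
    result = report()
    print("sinkholed:", sorted(result["blocked"]))
    print("redirected:", result["redirected"])
    print("needs review:", result["watched"])
```

To run it against a real machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to report(); a long 'blocked' set is what an installed MVPS file looks like, while anything in 'redirected' is worth checking because a HOSTS file should not normally be sending a hostname to an address other than the loopback.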

korg2008
2008-03-08, 21:32
It's all done, Shaba! Gee.. this PC is now so well controlled! I'll try a Freecell game later and may probably be prompted: «hey! a detected process wants to move the 8 of spades over 9 of hearts! do you allow this move? are you really sure??»

:)

I don't know what to say besides Thanks again for your great help Shaba!!

You sure make this world a better place to be !!

:bighug:

Shaba
2008-03-10, 11:52
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.