Spybot won't run; spyware/malware activity
sociecide
2009-05-22, 00:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:56 PM, on 5/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\MSI\DigiCell\DigiCell.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Administrator')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Omega ASIO Control Panel.lnk = C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} (WebCamX Control) - http://98.109.214.5/WebCamX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11078 bytes
Hi sociecide
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
sociecide
2009-05-22, 11:00
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
AIM 6
AIM Toolbar
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
AudibleManager
Babarosa Gif Animator 3.5
Bonjour
CCleaner (remove only)
CoffeeCup GIF Animator
Continuum 0.40
Core Center
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Download Updater (AOL LLC)
ERUNT 1.1j
EtherDetect Packet Sniffer v1.4
ffdshow [rev 1909] [2008-03-20]
GoodMEM
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
iTunes
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Lexicon Omega Studio(remove only)
LimeWire 4.14.8
LiveUpdate Notice (Symantec Corporation)
Medieval Total War
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft® Winter Fun Pack 2004 for Windows® XP
MSI DigiCell
MSI Live Update 3
Nero 6 Ultra Edition
Norton AntiVirus
Norton PC Checkup
Norton Security Scan
NVIDIA Drivers
NVIDIA nTune
OpenOffice.org Installer 1.0
PasswordKeeper
PlayersOnly Poker
PokerStars
PowerDVD
Quicken 2008
QuickTime
Realtek AC'97 Audio
RedLightCenter
Registry Mechanic 8.0
RunAlyzer
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonalksis FreeG Plug-Ins for Windows 1.08
Sonik Synth 2 Free
Sprint media manager
Spybot - Search & Destroy
Spyware Doctor 6.0
Steinberg Cubase LE
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Utherverse 3D Client
Utherverse 3D Client
Viewpoint Media Player
Vio Video Converter 1.0
Voxengo PHA-979 VST 1.2
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 4.1 beta2
WinRAR archiver
WWAYM - NWBass V1.1
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Engine
Yahoo! Toolbar
ZENcast Organizer
sociecide
2009-05-22, 11:02
I appreciate your help and look forward to your next step. Thank you so much.
As per forum rules (http://forums.spybot.info/showthread.php?t=282), you will need to uninstall all p2p programs.
Those would be:
BitTorrent DNA
LimeWire 4.14.8
After that, please post back a fresh uninstall list.
sociecide
2009-05-22, 11:38
I'm sorry... I thought I got rid of my p2p programs... guess I didn't get rid of them entirely.
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
AIM 6
AIM Toolbar
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
AudibleManager
Babarosa Gif Animator 3.5
Bonjour
CCleaner (remove only)
CoffeeCup GIF Animator
Continuum 0.40
Core Center
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Download Updater (AOL LLC)
ERUNT 1.1j
EtherDetect Packet Sniffer v1.4
ffdshow [rev 1909] [2008-03-20]
GoodMEM
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
iTunes
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 13
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Lexicon Omega Studio(remove only)
LiveUpdate Notice (Symantec Corporation)
Medieval Total War
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft® Winter Fun Pack 2004 for Windows® XP
MSI DigiCell
MSI Live Update 3
Nero 6 Ultra Edition
Norton AntiVirus
Norton PC Checkup
Norton Security Scan
NVIDIA Drivers
NVIDIA nTune
OpenOffice.org Installer 1.0
PasswordKeeper
PlayersOnly Poker
PokerStars
PowerDVD
Quicken 2008
QuickTime
Realtek AC'97 Audio
RedLightCenter
Registry Mechanic 8.0
RunAlyzer
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sonalksis FreeG Plug-Ins for Windows 1.08
Sonik Synth 2 Free
Sprint media manager
Spybot - Search & Destroy
Spyware Doctor 6.0
Steinberg Cubase LE
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Utherverse 3D Client
Utherverse 3D Client
Viewpoint Media Player
Vio Video Converter 1.0
Voxengo PHA-979 VST 1.2
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 4.1 beta2
WinRAR archiver
WWAYM - NWBass V1.1
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Engine
Yahoo! Toolbar
ZENcast Organizer
Please download GMER (http://gmer.net/gmer.zip) by GMER. An alternate download site (http://www2.gmer.net/) is also available.
Unzip it to a folder on your desktop.
Double click on gmer.exe to execute.
If asked, allow the gmer.sys driver to load.
If you get a warning prompt about rootkit activity ... asking if you want to run Scan, click OK.
If you don't get a warning then... Click the Rootkit/Malware tab at the top of the GMER window.
Click the Scan button. Once the scan has finished... click Copy. ... Do not close the GMER window yet...
Open Notepad and paste what you copied. Ctrl+V
Select "Save As" in Notepad...saving the file to your desktop as "gmerroot.txt"... then close Notepad.
In the GMER window...
Click on the >>> tab at the top of the GMER window.
This displays the rest of the "selection" tabs for you.
Click on the Autostart tab.
Click on Scan button.
Once the scan has finished... click Copy.
Open Notepad (again) and paste what you copied. Ctrl+V
Select "Save As" in Notepad...saving the file to your desktop as "gmerauto.txt"
Copy and paste the contents of the files gmerroot.txt and gmerauto.txt in your next reply.
sociecide
2009-05-23, 05:31
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-22 19:27:01
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT 8992E498 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA6DD514] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA6CC282] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA6CC474] <-- ROOTKIT !!!
SSDT 89867D08 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA6DDD00] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA6DDFB8] <-- ROOTKIT !!!
SSDT 8989E9A0 ZwLoadDriver
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA6DC3FA] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA6DE422] <-- ROOTKIT !!!
SSDT 899E6300 ZwResumeThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA6DD7D8] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA6CBF32] <-- ROOTKIT !!!
Code 89822F38 ZwEnumerateKey
Code 89A23528 ZwFlushInstructionCache
Code 897BE10E IofCallDriver
Code 897C50D6 IofCompleteRequest
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE00A 5 Bytes JMP 897BE113
.text ntkrnlpa.exe!IofCompleteRequest 804EE09A 5 Bytes JMP 897C50DB
.text ntkrnlpa.exe!ZwCallbackReturn + 24B0 805013A0 4 Bytes JMP 2C929D2E
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AAC4A 5 Bytes JMP 89A2352C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619752 5 Bytes JMP 89822F3C
? SYMEFA.SYS The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00DF0001
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[192] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 012E0001
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[216] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [33, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [1E, 5F] {PUSH DS; POP EDI}
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [2A, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [12, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [18, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [1B, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [27, 5F] {DAA ; POP EDI}
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [15, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [2D, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [21, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [24, 5F] {AND AL, 0x5f}
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [30, 5F]
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C00001
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe[264] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
sociecide
2009-05-23, 05:31
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\nvsvc32.exe[280] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\nvsvc32.exe[280] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00740001
.text C:\WINDOWS\system32\nvsvc32.exe[280] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\nvsvc32.exe[280] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00720001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[308] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[344] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 008E0001
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[772] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[836] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 02F30001
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[836] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[836] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[836] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[836] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe[836] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[1000] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[1000] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01330001
.text C:\WINDOWS\system32\csrss.exe[1000] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\csrss.exe[1000] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
sociecide
2009-05-23, 05:32
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[1024] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[1024] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01160001
.text C:\WINDOWS\system32\winlogon.exe[1024] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[1024] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00960001
.text C:\WINDOWS\system32\services.exe[1068] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\services.exe[1068] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B00001
.text C:\WINDOWS\system32\lsass.exe[1080] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\lsass.exe[1080] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1240] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A80001
.text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B80001
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\System32\svchost.exe[1344] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 015B0001
.text C:\WINDOWS\System32\svchost.exe[1344] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\System32\svchost.exe[1344] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1380] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1380] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00640001
.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1380] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1508] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00640001
.text C:\WINDOWS\system32\svchost.exe[1508] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1508] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
sociecide
2009-05-23, 05:33
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 006D0001
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1592] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1880] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\spoolsv.exe[1880] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00CF0001
.text C:\WINDOWS\system32\spoolsv.exe[1880] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\spoolsv.exe[1880] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C10001
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1984] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00D60001
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1996] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00DF0001
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] USER32.dll!SetWindowsHookExW 7E42DDB5 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\CTsvcCDA.exe[2016] USER32.dll!SetWindowsHookExA 7E4311D1 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[3124] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00EB0001
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[3124] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[3124] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[3124] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[3124] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe[3124] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[3140] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes CALL 0044AB89 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Registry Mechanic\RegMech.exe[3208] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 04050001
.text C:\Program Files\Registry Mechanic\RegMech.exe[3208] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Registry Mechanic\RegMech.exe[3208] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\Registry Mechanic\RegMech.exe[3208] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[3208] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[3208] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[3284] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C40001
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[3284] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[3284] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[3284] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[3284] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe[3284] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3292] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 015D0001
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3292] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3292] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3292] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3292] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[3292] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\Program Files\MSI\DigiCell\DigiCell.exe[3372] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01F40001
.text C:\Program Files\MSI\DigiCell\DigiCell.exe[3372] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\MSI\DigiCell\DigiCell.exe[3372] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\MSI\DigiCell\DigiCell.exe[3372] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\MSI\DigiCell\DigiCell.exe[3372] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\MSI\DigiCell\DigiCell.exe[3372] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\Program Files\MSI\Core Center\CoreCenter.exe[3420] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01AD0001
.text C:\Program Files\MSI\Core Center\CoreCenter.exe[3420] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\MSI\Core Center\CoreCenter.exe[3420] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\MSI\Core Center\CoreCenter.exe[3420] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\MSI\Core Center\CoreCenter.exe[3420] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\MSI\Core Center\CoreCenter.exe[3420] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] kernel32.dll!VirtualProtect + 1C 7C801AEC 7 Bytes JMP 036E0034
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 036E00B8
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 036E013F
.text C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe[3540] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00DD0001
.text C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe[3540] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe[3540] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe[3540] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe[3540] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe[3540] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
.text C:\Program Files\Sprint Instinct Applications\MEMonitor.exe[3932] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 06820001
.text C:\Program Files\Sprint Instinct Applications\MEMonitor.exe[3932] USER32.dll!SetWindowPos 7E41C01B 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Sprint Instinct Applications\MEMonitor.exe[3932] USER32.dll!SetWindowPos + 4 7E41C01F 2 Bytes [0B, 5F]
.text C:\Program Files\Sprint Instinct Applications\MEMonitor.exe[3932] USER32.dll!SetForegroundWindow 7E423D4D 6 Bytes JMP 5F040F5A
.text C:\Program Files\Sprint Instinct Applications\MEMonitor.exe[3932] USER32.dll!ChangeDisplaySettingsExA 7E428AE5 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Sprint Instinct Applications\MEMonitor.exe[3932] USER32.dll!ChangeDisplaySettingsExW 7E45938D 6 Bytes JMP 5F100F5A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0133BCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0133BC50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01337EA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01339100
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0133AA10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01339370
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01339180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0133A010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0133B950
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0133B990
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0133BD30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0133B810
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0133A970
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01339930
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013392E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01339660
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0133C2B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0133A360
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0133A7D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0133AE90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0133AC20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0133AE10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0133B2F0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0133B000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01339250
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013397E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0133BA70
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0133AD60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0133A910
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0133A790
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0133AB20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0133BD50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0133AB60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0133BFF0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0133BF90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0133C1E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0133C280
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3208] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0133C0B0
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3536] 0x10000000
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys 37888 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\gxvxccounter 4 bytes
File C:\WINDOWS\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll 26625 bytes executable
---- EOF - GMER 1.0.15 ----
sociecide
2009-05-23, 05:34
GMER 1.0.15.14972 - http://www.gmer.net
Autostart scan 2009-05-22 19:28:23
Windows 5.1.2600 Service Pack 2
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
WgaLogon@DLLName = WgaLogon.dll
HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"
Creative Service for CDROM Access@ = C:\WINDOWS\system32\CTsvcCDA.exe
EraserSvc10910@ = "C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /h ccCommon
JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
LiveUpdate Notice Service@ = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /m PifEng.dll
Norton AntiVirus@ = "C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe" /s "Norton AntiVirus" /m "C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll" /prefetch:1
nTuneService@ = C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService /*file not found*/
NVSvc@ = %SystemRoot%\system32\nvsvc32.exe
sdAuxService@ = C:\Program Files\Spyware Doctor\pctsAuxs.exe
sdCoreService@ = C:\Program Files\Spyware Doctor\pctsSvc.exe
Viewpoint Manager Service@ = "C:\Program Files\Viewpoint\Common\ViewpointService.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Symantec PIF AlertEng"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@ISTray"C:\Program Files\Spyware Doctor\pctsTray.exe" = "C:\Program Files\Spyware Doctor\pctsTray.exe"
@Adobe Reader Speed Launcher"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" = "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@SunJavaUpdateSched"C:\Program Files\Java\jre6\bin\jusched.exe" = "C:\Program Files\Java\jre6\bin\jusched.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@RegistryMechanicC:\Program Files\Registry Mechanic\RegMech.exe /H /*file not found*/ = C:\Program Files\Registry Mechanic\RegMech.exe /H /*file not found*/
@CTSyncU.exe"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" = "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
@swgC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
@Aim6 /*file not found*/ = /*file not found*/
@SpybotSD TeaTimerC:\Program Files\Spybot - Search & Destroy\TeaTimer.exe = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\Program Files\Yahoo!\Common\YMMAPI.dll = C:\Program Files\Yahoo!\Common\YMMAPI.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{24849E2F-0A86-40CD-A62A-B12F161882DB} /*ZEN V Series Media Explorer*/C:\Program Files\Creative\Creative ZEN V Series (R2)\ZEN V Series Media Explorer\SHCTMTP.dll = C:\Program Files\Creative\Creative ZEN V Series (R2)\ZEN V Series Media Explorer\SHCTMTP.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL = C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office12\msohevi.dll = C:\Program Files\Microsoft Office\Office12\msohevi.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
CTMTPMediaExplorer@{7895F317-A125-42CC-BD3E-5830765CE577} = C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll
SDContextExt@{70F8E90E-353A-47AB-B297-C576345EE693} = C:\PROGRA~1\SPYWAR~1\SDCONT~1.DLL
Symantec.Norton.Antivirus.IEContextMenu@{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = "C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\NavShExt.dll"
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\YMMAPI.dll
HKLM\Software\Classes\*\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
CTMTPMediaExplorer@{7895F317-A125-42CC-BD3E-5830765CE577} = C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll
MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
SDContextExt@{70F8E90E-353A-47AB-B297-C576345EE693} = C:\PROGRA~1\SPYWAR~1\SDCONT~1.DLL
Symantec.Norton.Antivirus.IEContextMenu@{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = "C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\NavShExt.dll"
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{02478D38-C3F9-4efb-9B51-7695ECA05670}C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll = C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\Program Files\Spybot - Search & Destroy\SDHelper.dll = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}C:\Program Files\Yahoo!\Common\yiesrvc.dll = C:\Program Files\Yahoo!\Common\yiesrvc.dll
@{6D53EC84-6AAE-4787-AEEE-F4628F01010C}C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL = C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar2.dll = c:\program files\google\googletoolbar2.dll
@{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
@{b0cda128-b425-4eef-a174-61a11ac5dbf8}C:\Program Files\AIM Toolbar\aimtb.dll = C:\Program Files\AIM Toolbar\aimtb.dll
@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre6\bin\jp2ssv.dll = C:\Program Files\Java\jre6\bin\jp2ssv.dll
@{E7E6F031-17CE-4C07-BC86-EABFE594F69C}C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll = C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr
HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://home.microsoft.com/search/search.asp = http://home.microsoft.com/search/search.asp
@Start Pagehttp://www.myspace.com/ = http://www.myspace.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm
HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\ITSS.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = C:\WINDOWS\system32\ITSS.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll
C:\Documents and Settings\Ridiculous Nicholas\Start Menu\Programs\Startup >>>
Adobe Gamma.lnk = Adobe Gamma.lnk
ERUNT AutoBackup.lnk = ERUNT AutoBackup.lnk
Omega ASIO Control Panel.lnk = Omega ASIO Control Panel.lnk
Sprint media monitor.lnk = Sprint media monitor.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
CoreCenter.lnk = CoreCenter.lnk
DigiCell.lnk = DigiCell.lnk
---- EOF - GMER 1.0.15 ----
We will continue with ComboFix. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New HijackThis log.
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
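What a helper reads first in the C:\ComboFix.txt the steps above ask for: which deleted files have the random-looking names typical of a dropped driver, whether Autorun.inf sat at the root of removable drives, which services were removed, whether Security Center monitoring was switched off, and whether any DPF (ActiveX download) entry points at a bare IP address. The parser below is an added example for this thread, not ComboFix's code and not from any of the original posts. The sample lines are copied from the ComboFix report posted further down in the thread and cut to an excerpt; the "random name" rule (letters-only stem of 12 or more characters containing a run of 6 or more consonants) and its thresholds are the editor's assumptions, tuned against this one log.

```python
"""Triage helper for a ComboFix-style report (C:\\ComboFix.txt).

Added example for this thread; it is not part of ComboFix, Spybot or the
original posts. It parses the banner-delimited report format shown in this
thread and flags the items a removal helper reads first. Thresholds and the
"random name" heuristic are the editor's assumptions.
"""
import re

# Constructed excerpt: lines copied from the ComboFix report posted later in
# this thread, cut down to the parts the checks below look at.
LOG_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\amlxfnwx.ini
c:\windows\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys
c:\windows\system32\esidhoji.ini
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll
c:\windows\system32\wl.exe
G:\Autorun.inf
H:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/20/2009 11:20 PM 130936]
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} - hxxp://98.109.214.5/WebCamX.cab
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # ((( Other Deletions )))
DASH_BANNER_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")  # ------- Supplementary Scan -------
AUTORUN_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^-+\\Service_(.+)$")           # -------\Service_NAME
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$', re.IGNORECASE)
# ComboFix defangs URLs as hxxp://; accept both spellings, literal IPv4 host only.
IP_URL_RE = re.compile(r"h(?:tt|xx)ps?://\d{1,3}(?:\.\d{1,3}){3}/\S*", re.IGNORECASE)

VOWELS = set("aeiou")


def split_sections(text):
    """Map each banner heading to the non-empty lines under it.
    ComboFix prints a lone '.' as a spacer; those lines are dropped."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = BANNER_RE.match(line) or DASH_BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def longest_consonant_run(stem):
    """Length of the longest run of consonant letters ('y' counted as one)."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(filename, min_len=12, min_run=6):
    """Assumed heuristic: a long, letters-only stem with a consonant cluster no
    vendor would ship (gxvxctjnqsf...). Meant for the deletions list, not for a
    whole-system listing, where acronym-heavy legitimate names can trip it."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < min_len or not stem.isalpha():
        return False
    return longest_consonant_run(stem) >= min_run


def triage(text):
    """Return the indicators a helper checks first, grouped by kind."""
    s = split_sections(text)
    findings = {"random_names": [], "autorun_inf": [], "removed_services": [],
                "security_center_disabled": [], "ip_literal_downloads": []}
    for line in s.get("Other Deletions", []):
        name = line.rsplit("\\", 1)[-1]
        if AUTORUN_RE.match(line):
            findings["autorun_inf"].append(line)       # autorun at a drive root
        elif looks_random(name):
            findings["random_names"].append(name)
    for line in s.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        if m:
            findings["removed_services"].append(m.group(1))
    key = None
    for line in s.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                           # REGEDIT4 key header
        elif DISABLE_MON_RE.match(line) and key and "security center" in key.lower():
            # Context only: third-party suites (Norton here) set this too.
            findings["security_center_disabled"].append(key)
    for line in s.get("Supplementary Scan", []):
        m = IP_URL_RE.search(line)
        if m and line.startswith("DPF:"):
            findings["ip_literal_downloads"].append(m.group(0))
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(LOG_EXCERPT), indent=2))
```

Two caveats belong with the output. The Security Center DisableMonitoring values are written by third-party suites as well (the Symantec sub-keys here are what Norton itself sets), so they are context for the helper, not proof of tampering. The random-name rule is deliberately applied only to the Other Deletions list; on a full autostart listing a legitimate acronym-heavy name can match, so a hit means "look at this file's signer and timestamp", not "malware".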
sociecide
2009-05-24, 10:40
ComboFix 09-05-23.04 - Ridiculous Nicholas 05/24/2009 0:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1693 [GMT -7:00]
Running from: c:\documents and settings\Ridiculous Nicholas\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\amlxfnwx.ini
c:\windows\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys
c:\windows\system32\esidhoji.ini
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll
c:\windows\system32\wl.exe
G:\Autorun.inf
H:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_GXVXCSERV.SYS
((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.
2009-05-23 22:55 . 2009-05-17 21:24 876144 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVEX15.SYS
2009-05-23 22:55 . 2009-05-17 21:24 89104 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVENG.SYS
2009-05-23 22:55 . 2009-05-17 21:24 371248 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\EECTRL.SYS
2009-05-23 22:55 . 2009-05-17 21:24 101936 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\ERASER.SYS
2009-05-23 22:55 . 2009-05-17 21:24 259368 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\ECMSVR32.DLL
2009-05-23 22:55 . 2009-05-17 21:24 177520 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVENG32.DLL
2009-05-23 22:55 . 2009-05-17 21:24 1181040 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\NAVEX32A.DLL
2009-05-23 22:55 . 2009-05-17 21:24 2414128 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090523.020\CCERASER.DLL
2009-05-22 01:04 . 2009-05-22 01:03 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-22 01:03 . 2009-05-22 01:03 152576 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-22 01:00 . 2009-05-22 01:00 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-22 01:00 . 2009-05-22 01:00 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\SUPERAntiSpyware.com
2009-05-22 00:59 . 2009-05-22 00:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-22 00:42 . 2009-05-22 00:43 -------- d-----w c:\program files\CCleaner
2009-05-21 21:13 . 2009-05-21 21:13 -------- d-----w c:\program files\ERUNT
2009-05-21 20:47 . 2009-05-21 22:06 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-21 20:36 . 2009-05-21 20:36 -------- d-----w c:\program files\Safer Networking
2009-05-21 06:20 . 2008-12-11 15:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-21 06:20 . 2009-04-03 18:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-21 06:20 . 2008-12-18 19:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-21 06:20 . 2009-05-24 06:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-21 06:20 . 2009-05-21 06:21 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-21 06:20 . 2008-12-10 18:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-21 06:20 . 2009-05-22 10:01 -------- d-----w c:\program files\Spyware Doctor
2009-05-21 06:20 . 2009-05-21 06:20 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\PC Tools
2009-05-21 06:20 . 2009-05-21 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-21 06:18 . 2009-05-21 06:18 -------- d-----w C:\!KillBox
2009-05-20 08:02 . 2009-05-17 21:24 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSviA64.sys
2009-05-20 08:02 . 2009-05-17 21:24 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys
2009-05-20 08:02 . 2009-05-17 21:24 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys
2009-05-20 08:02 . 2009-05-17 21:24 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSxpx86.dll
2009-05-20 08:02 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\Scxpx86.dll
2009-05-18 04:47 . 2009-05-18 04:47 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-18 03:55 . 2009-05-18 03:55 -------- d-----r c:\program files\Norton Support
2009-05-18 03:55 . 2009-05-18 03:55 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Local Settings\Application Data\Symantec
2009-05-18 01:52 . 2009-05-18 01:52 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\Uniblue
2009-05-17 23:00 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 23:00 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 23:00 . 2009-05-18 02:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-17 21:31 . 2009-05-17 21:24 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSviA64.sys
2009-05-17 21:31 . 2009-05-17 21:24 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSvix86.sys
2009-05-17 21:31 . 2009-05-17 21:24 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSXpx86.sys
2009-05-17 21:31 . 2009-05-17 21:24 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSxpx86.dll
2009-05-17 21:31 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\Scxpx86.dll
2009-05-17 21:25 . 2009-05-17 21:24 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-05-17 21:25 . 2009-05-17 21:25 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-17 21:25 . 2009-05-17 21:25 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-17 21:25 . 2009-05-17 21:25 -------- d-----w c:\program files\Symantec
2009-05-17 21:24 . 2009-05-17 21:24 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-05-17 21:24 . 2009-05-17 21:24 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-05-17 21:24 . 2009-05-17 21:24 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-05-17 21:24 . 2009-05-17 21:24 136840 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-05-17 21:24 . 2009-05-17 21:24 1290592 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-05-17 21:24 . 2009-05-17 21:24 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-05-17 21:24 . 2009-05-17 21:24 796016 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-05-17 21:24 . 2009-05-17 21:24 -------- d-----w c:\windows\system32\drivers\NAV
2009-05-17 21:24 . 2009-05-17 21:24 -------- d-----w c:\program files\Windows Sidebar
2009-05-17 21:24 . 2009-05-17 21:24 -------- d-----w c:\program files\NortonInstaller
2009-05-17 02:59 . 2009-05-17 02:59 -------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-17 02:56 . 2009-05-17 02:56 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-22 08:31 . 2007-12-25 19:34 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\DNA
2009-05-22 01:03 . 2007-05-17 18:39 -------- d-----w c:\program files\Java
2009-05-22 00:47 . 2007-05-11 16:40 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-21 21:50 . 2007-12-25 19:34 -------- d-----w c:\program files\DNA
2009-05-21 06:11 . 2009-02-01 08:12 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\U3
2009-05-18 03:12 . 2007-07-02 02:42 -------- d-----w c:\program files\PokerStars
2009-05-17 21:25 . 2009-05-17 21:25 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-17 21:25 . 2009-05-17 21:25 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-17 21:24 . 2008-11-20 02:59 -------- d-----w c:\program files\Norton AntiVirus
2009-05-17 20:57 . 2008-11-19 03:03 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-05-17 20:57 . 2007-05-07 00:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 15:44 . 2008-08-24 22:39 -------- d-----w c:\program files\EtherDetect
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-22 5898240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-22 148888]
c:\documents and settings\Ridiculous Nicholas\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Omega ASIO Control Panel.lnk - c:\program files\Lexicon\Omega\Driver\ASIOSysTray.exe [2004-8-11 274432]
Sprint media monitor.lnk - c:\windows\RM.exe [2008-7-21 222552]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [2007-5-6 932864]
DigiCell.lnk - c:\program files\MSI\DigiCell\DigiCell.exe [2007-1-2 1376256]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/20/2009 11:20 PM 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/17/2009 2:24 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/17/2009 2:24 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/17/2009 2:24 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys [5/20/2009 1:02 AM 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/17/2009 2:24 PM 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/18/2009 11:38 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/4/2009 12:37 AM 101936]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/17/2009 2:24 PM 115560]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [11/5/2003 11:11 AM 17920]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/14/2007 12:40 PM 34448]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/20/2009 11:20 PM 348752]
.
Contents of the 'Scheduled Tasks' folder
2009-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
SafeBoot-procexp90.Sys
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} - hxxp://98.109.214.5/WebCamX.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 00:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,26,66,74,03,8f,
77,2f,f5,e2,63,26,f1,3f,c8,ff,68,a6,80,d3,3e,e0,78,82,06,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,a5,8a,19,6e,b7,
9f,04,95,6a,9c,d6,61,af,45,84,18,02,b9,eb,f3,f2,df,9f,e2,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,39,ff,b1,34,d5,
28,4d,48,ff,7c,85,e0,43,d4,0e,fe,a2,08,e6,00,02,b5,9b,8f,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,1b,b7,48,62,3e,
9a,4c,30,86,8c,21,01,be,91,eb,e7,1c,5f,4b,23,3d,c0,58,d2,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,8e,6a,47,c0,b9,
f9,25,ab,f5,1d,4d,73,a8,13,5c,05,e0,f6,fe,fb,8f,36,09,42,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,99,f0,be,7b,d5,
b4,e4,e9,df,20,58,62,78,6b,cf,c8,d5,e0,69,8f,e0,fc,d6,c7,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,29,36,40,33,3e,
ed,1a,7c,fb,a7,78,e6,12,2f,9a,ea,3c,a9,fb,5d,75,6c,08,0a,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,c0,9e,80,e3,87,
e6,85,f5,01,3a,48,fc,e8,04,4a,f1,b8,7a,56,4c,46,bd,68,48,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,9b,45,d6,5a,f4,
04,db,a4,f6,0f,4e,58,98,5b,89,c9,1a,db,d7,2c,95,11,81,eb,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,63,4d,a7,f8,21,
d8,03,9b,3d,ce,ea,26,2d,45,aa,78,0d,64,3d,d3,9d,0e,49,78,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,40,ca,c3,88,82,
4c,2d,25,2a,b7,cc,b5,b9,7f,41,e7,07,86,0c,92,8b,47,fd,d2,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,88,d1,14,84,36,
fa,eb,36,6c,43,2d,1e,aa,22,2f,9c,2c,f2,8d,30,f3,13,d3,23,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1008)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-24 0:34
ComboFix-quarantined-files.txt 2009-05-24 07:34
Pre-Run: 52,481,900,544 bytes free
Post-Run: 53,315,031,040 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
268 --- E O F --- 2008-12-18 11:00
sociecide
2009-05-24, 10:41
I don't think this fixed it because Norton AntiVirus (after the reboot ComboFix had to do) still came up with a message that there was a backdoor.trojan detected.
sociecide
2009-05-24, 11:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:38 AM, on 5/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\MSI\DigiCell\DigiCell.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Administrator')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Omega ASIO Control Panel.lnk = C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} (WebCamX Control) - http://98.109.214.5/WebCamX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1242954296734&h=5c351f3a120b9d1a0cc24a6698335d0f/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11304 bytes
Well, where is backdoor.trojan according to Norton?
sociecide
2009-05-24, 12:26
I have no idea... I just get a pop-up that says Norton AntiVirus has detected backdoor.trojan and it is unable to remove it. I tried to rescan and it fails. When I click on "help" it points me to a link that pretty much just sends me in a loop. Unable to remove the backdoor.trojan. *sigh* Any ideas?
sociecide
2009-05-24, 12:30
However... Spybot can finally open... YAY :)
Well, if Norton gives a popup, it should also tell the file path :)
sociecide
2009-05-24, 20:44
Sorry... I was a bit tipsy last night. Anyway... Norton is saying there are 15 infected files and it basically repeats the following 15 times:
globalroot\systemroot\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll
I've tried searching for that file, but can't find it :(
ComboFix deleted this one, which is the same file (globalroot\systemroot\system32 equals c:\windows\system32):
c:\windows\system32\gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll
Please rerun ComboFix and post back a fresh ComboFix log and a fresh HijackThis log.
sociecide
2009-05-24, 21:00
I'll bet I just need to clear the unresolved history in Norton or something... it probably just still thinks it's there even when it's not because it was removed by one of those programs you had me run maybe?
Yes it is possible.
But please re-run combofix anyway :)
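The path translation the helper did by hand above (globalroot\systemroot\system32 is c:\windows\system32) and the poster's guess that Norton's history is simply stale, as an added Python example that is not part of the thread or of any tool mentioned in it: it maps NT-namespace alert paths to Win32 paths and checks whether every path an AV keeps alerting on is one the removal tool already deleted. The `C:\WINDOWS` system root, the `volumes` device-to-drive map and the extra "still present" alert path are assumptions or constructed sample data.

```python
"""Map NT-namespace detection paths to Win32 paths and check them against a
removal tool's deletion list (added example, not code from this thread)."""
import ntpath
import re
from typing import Dict, Iterable, Optional

# Win32 namespace prefixes that AV alerts sometimes keep in front of a path.
_WIN32_PREFIXES = ("\\\\?\\", "\\??\\")
# NT volume device names, e.g. device\harddiskvolume1\windows\rm.exe
_VOLUME_RE = re.compile(r"device\\(harddiskvolume\d+)(\\.*)?$")


def normalize_nt_path(path: str, system_root: str = "C:\\WINDOWS",
                      volumes: Optional[Dict[str, str]] = None) -> str:
    r"""Return a lower-cased Win32 drive path for an NT-style path.

    Handles the \\?\ and \??\ prefixes, the globalroot\ prefix that exposes
    the NT object namespace, the systemroot link (assumed to point at
    `system_root`, C:\WINDOWS on the XP machine in this thread) and
    device\harddiskvolumeN when `volumes` maps that device to a drive letter.
    """
    p = path.replace("/", "\\")
    for prefix in _WIN32_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    p = p.lstrip("\\")
    if p.lower().startswith("globalroot\\"):
        p = p[len("globalroot\\"):]
    lower = p.lower()
    if lower == "systemroot" or lower.startswith("systemroot\\"):
        p = system_root + p[len("systemroot"):]
    else:
        m = _VOLUME_RE.match(lower)
        if m:
            drive = (volumes or {}).get(m.group(1))
            if drive is None:
                raise ValueError(f"no drive letter known for {m.group(1)}")
            p = drive + (m.group(2) or "")
    return ntpath.normpath(p).lower()


def reconcile_alerts(alerts: Iterable[str], deleted: Iterable[str],
                     **path_opts) -> dict:
    """Collapse repeated alert paths and split them into those a removal
    tool already deleted (stale history) and those still unaccounted for."""
    gone = {normalize_nt_path(d, **path_opts) for d in deleted}
    counts: Dict[str, int] = {}
    for alert in alerts:
        key = normalize_nt_path(alert, **path_opts)
        counts[key] = counts.get(key, 0) + 1
    return {
        "alert_counts": counts,
        "already_removed": sorted(k for k in counts if k in gone),
        "still_reported": sorted(k for k in counts if k not in gone),
    }


def history_is_stale(alerts: Iterable[str], deleted: Iterable[str],
                     **path_opts) -> bool:
    """True when every distinct alerted path is already in the deletion list,
    i.e. the AV is re-reporting files that are no longer on disk."""
    return not reconcile_alerts(list(alerts), deleted, **path_opts)["still_reported"]


# Sample input reconstructed from the thread: Norton repeated the same
# globalroot path 15 times; ComboFix's log showed the Win32 form deleted.
SUSPECT_DLL = "gxvxcxcwdnusijonrnffbtdsmyqwlhwtpdcka.dll"
NORTON_ALERTS = ["globalroot\\systemroot\\system32\\" + SUSPECT_DLL] * 15
COMBOFIX_DELETED = ["c:\\windows\\system32\\" + SUSPECT_DLL]
# Constructed extra alert (not from the thread) to exercise the other branch.
CONSTRUCTED_LIVE_ALERT = "\\??\\C:\\Temp\\example-still-present.tmp"


if __name__ == "__main__":
    report = reconcile_alerts(NORTON_ALERTS, COMBOFIX_DELETED)
    for path, n in report["alert_counts"].items():
        print(f"{n:2d}x {path}")
    print("already removed:", report["already_removed"])
    print("still reported :", report["still_reported"])
    print("stale history  :", history_is_stale(NORTON_ALERTS, COMBOFIX_DELETED))
```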
sociecide
2009-05-24, 21:02
OK, I'll rerun ComboFix like you said and post the new results from that and HijackThis in a little bit. Thanks again for your help, I really appreciate it!
sociecide
2009-05-25, 21:42
ComboFix 09-05-23.04 - Ridiculous Nicholas 05/25/2009 11:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1588 [GMT -7:00]
Running from: c:\documents and settings\Ridiculous Nicholas\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.
((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.
2009-05-24 15:34 . 2009-05-17 21:24 876144 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\NAVEX15.SYS
2009-05-24 15:34 . 2009-05-17 21:24 89104 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\NAVENG.SYS
2009-05-24 15:34 . 2009-05-17 21:24 371248 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\EECTRL.SYS
2009-05-24 15:34 . 2009-05-17 21:24 101936 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\ERASER.SYS
2009-05-24 15:34 . 2009-05-17 21:24 259368 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\ECMSVR32.DLL
2009-05-24 15:34 . 2009-05-17 21:24 177520 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\NAVENG32.DLL
2009-05-24 15:34 . 2009-05-17 21:24 1181040 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\NAVEX32A.DLL
2009-05-24 15:34 . 2009-05-17 21:24 2414128 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090524.003\CCERASER.DLL
2009-05-24 15:18 . 2009-05-24 15:18 57344 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-329b1447-n\Decora-SSE.dll
2009-05-24 15:18 . 2009-05-24 15:18 315392 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4c863595-n\jogl.dll
2009-05-24 15:18 . 2009-05-24 15:18 24064 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-7ee9ffd7-n\Decora-D3D.dll
2009-05-24 15:18 . 2009-05-24 15:18 20480 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4c863595-n\jogl_awt.dll
2009-05-24 15:18 . 2009-05-24 15:18 114688 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4c863595-n\jogl_cg.dll
2009-05-24 15:18 . 2009-05-24 15:18 499712 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-67923955-n\msvcp71.dll
2009-05-24 15:18 . 2009-05-24 15:18 499712 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-67923955-n\jmc.dll
2009-05-24 15:18 . 2009-05-24 15:18 348160 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-67923955-n\msvcr71.dll
2009-05-24 15:18 . 2009-05-24 15:18 20480 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-6c8b8361-n\gluegen-rt.dll
2009-05-24 09:28 . 2009-05-25 18:25 117760 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-24 09:27 . 2009-05-24 09:27 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-24 07:46 . 2009-05-24 07:46 -------- d-sh--w C:\found.000
2009-05-21 21:13 . 2009-05-21 21:13 -------- d-----w c:\program files\ERUNT
2009-05-21 20:47 . 2009-05-24 09:31 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-21 20:36 . 2009-05-21 20:36 -------- d-----w c:\program files\Safer Networking
2009-05-21 06:20 . 2008-12-11 15:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-05-21 06:20 . 2009-04-03 18:18 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-05-21 06:20 . 2008-12-18 19:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-21 06:20 . 2009-05-25 18:27 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-21 06:20 . 2009-05-21 06:21 -------- d-----w c:\program files\Common Files\PC Tools
2009-05-21 06:20 . 2008-12-10 18:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-05-21 06:20 . 2009-05-22 10:01 -------- d-----w c:\program files\Spyware Doctor
2009-05-21 06:20 . 2009-05-21 06:20 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\PC Tools
2009-05-21 06:20 . 2009-05-21 06:20 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-05-21 06:18 . 2009-05-21 06:18 -------- d-----w C:\!KillBox
2009-05-20 08:02 . 2009-05-17 21:24 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSviA64.sys
2009-05-20 08:02 . 2009-05-17 21:24 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys
2009-05-20 08:02 . 2009-05-17 21:24 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys
2009-05-20 08:02 . 2009-05-17 21:24 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSxpx86.dll
2009-05-20 08:02 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\Scxpx86.dll
2009-05-18 04:47 . 2009-05-18 04:47 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-18 03:55 . 2009-05-18 03:55 -------- d-----r c:\program files\Norton Support
2009-05-18 03:55 . 2009-05-18 03:55 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Local Settings\Application Data\Symantec
2009-05-18 01:52 . 2009-05-18 01:52 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\Uniblue
2009-05-17 23:00 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 23:00 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 23:00 . 2009-05-18 02:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-17 21:31 . 2009-05-17 21:24 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSviA64.sys
2009-05-17 21:31 . 2009-05-17 21:24 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSvix86.sys
2009-05-17 21:31 . 2009-05-17 21:24 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSXpx86.sys
2009-05-17 21:31 . 2009-05-17 21:24 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSxpx86.dll
2009-05-17 21:31 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\Scxpx86.dll
2009-05-17 21:25 . 2009-05-17 21:24 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-05-17 21:25 . 2009-05-17 21:25 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-17 21:25 . 2009-05-17 21:25 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-17 21:25 . 2009-05-17 21:25 -------- d-----w c:\program files\Symantec
2009-05-17 21:24 . 2009-05-17 21:24 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-05-17 21:24 . 2009-05-17 21:24 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-05-17 21:24 . 2009-05-17 21:24 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-05-17 21:24 . 2009-05-17 21:24 136840 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-05-17 21:24 . 2009-05-17 21:24 1290592 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-05-17 21:24 . 2009-05-17 21:24 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-05-17 21:24 . 2009-05-17 21:24 796016 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-05-17 21:24 . 2009-05-17 21:24 -------- d-----w c:\windows\system32\drivers\NAV
2009-05-17 21:24 . 2009-05-17 21:24 -------- d-----w c:\program files\Windows Sidebar
2009-05-17 21:24 . 2009-05-17 21:24 -------- d-----w c:\program files\NortonInstaller
2009-05-17 02:59 . 2009-05-17 02:59 -------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft
2009-05-17 02:56 . 2009-05-17 02:56 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 17:25 . 2008-06-24 23:05 -------- d-----w c:\program files\Norton Security Scan
2009-05-24 09:31 . 2007-05-11 16:40 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-22 08:31 . 2007-12-25 19:34 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\DNA
2009-05-22 01:03 . 2009-05-22 01:04 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-22 01:03 . 2007-05-17 18:39 -------- d-----w c:\program files\Java
2009-05-22 01:03 . 2009-05-22 01:03 152576 ----a-w c:\documents and settings\Ridiculous Nicholas\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-22 01:00 . 2009-05-22 01:00 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-22 01:00 . 2009-05-22 01:00 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\SUPERAntiSpyware.com
2009-05-22 00:59 . 2009-05-22 00:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-22 00:43 . 2009-05-22 00:42 -------- d-----w c:\program files\CCleaner
2009-05-21 21:50 . 2007-12-25 19:34 -------- d-----w c:\program files\DNA
2009-05-21 06:11 . 2009-02-01 08:12 -------- d-----w c:\documents and settings\Ridiculous Nicholas\Application Data\U3
2009-05-18 03:12 . 2007-07-02 02:42 -------- d-----w c:\program files\PokerStars
2009-05-17 21:25 . 2009-05-17 21:25 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-17 21:25 . 2009-05-17 21:25 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-17 21:24 . 2008-11-20 02:59 -------- d-----w c:\program files\Norton AntiVirus
2009-05-17 20:57 . 2008-11-19 03:03 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-05-17 20:57 . 2007-05-07 00:31 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 15:44 . 2008-08-24 22:39 -------- d-----w c:\program files\EtherDetect
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-05-24_07.32.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-25 18:24 . 2009-05-25 18:24 16384 c:\windows\Temp\Perflib_Perfdata_fc.dat
+ 2009-05-25 18:23 . 2009-05-25 18:23 16384 c:\windows\Temp\Perflib_Perfdata_c8.dat
- 2006-02-28 12:00 . 2009-05-21 21:51 40196 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-05-24 17:04 40196 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-05-24 17:04 311934 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-05-21 21:51 311934 c:\windows\system32\perfh009.dat
+ 2009-05-25 18:24 . 2009-05-25 18:24 188416 c:\windows\ERDNT\AutoBackup\5-25-2009\Users\00000002\UsrClass.dat
+ 2009-05-25 18:24 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-25-2009\ERDNT.EXE
+ 2009-05-24 07:48 . 2009-05-24 07:48 188416 c:\windows\ERDNT\AutoBackup\5-24-2009\Users\00000002\UsrClass.dat
+ 2009-05-24 07:48 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\5-24-2009\ERDNT.EXE
+ 2009-05-25 18:24 . 2009-05-25 18:24 6377472 c:\windows\ERDNT\AutoBackup\5-25-2009\Users\00000001\NTUSER.DAT
+ 2009-05-24 07:48 . 2009-05-24 07:48 4730880 c:\windows\ERDNT\AutoBackup\5-24-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-09 2828184]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-11-24 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-14 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-29 583048]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-22 5898240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-22 148888]
c:\documents and settings\Ridiculous Nicholas\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Omega ASIO Control Panel.lnk - c:\program files\Lexicon\Omega\Driver\ASIOSysTray.exe [2004-8-11 274432]
Sprint media monitor.lnk - c:\windows\RM.exe [2008-7-21 222552]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CoreCenter.lnk - c:\program files\MSI\Core Center\CoreCenter.exe [2007-5-6 932864]
DigiCell.lnk - c:\program files\MSI\DigiCell\DigiCell.exe [2007-1-2 1376256]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/20/2009 11:20 PM 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/17/2009 2:24 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/17/2009 2:24 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/17/2009 2:24 PM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys [5/20/2009 1:02 AM 276344]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/14/2009 2:22 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/14/2009 2:22 PM 72944]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/17/2009 2:24 PM 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/18/2009 11:38 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/24/2009 8:34 AM 101936]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/14/2009 2:22 PM 7408]
S2 EraserSvc10910;Symantec Eraser Service;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/17/2009 2:24 PM 115560]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [11/5/2003 11:11 AM 17920]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/14/2007 12:40 PM 34448]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/20/2009 11:20 PM 348752]
--- Other Services/Drivers In Memory ---
*Deregistered* - DigiCellDriver
*Deregistered* - PCAlertDriver
*Deregistered* - RushTopDevice
.
Contents of the 'Scheduled Tasks' folder
2009-05-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} - hxxp://98.109.214.5/WebCamX.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 11:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,26,66,74,03,8f,
77,2f,f5,e2,63,26,f1,3f,c8,ff,68,a6,80,d3,3e,e0,78,82,06,e2,63,26,f1,3f,c8,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:46,47,15,b0,92,4b,c7,ef,a5,8a,19,6e,b7,
9f,04,95,6a,9c,d6,61,af,45,84,18,02,b9,eb,f3,f2,df,9f,e2,6a,9c,d6,61,af,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,39,ff,b1,34,d5,
28,4d,48,ff,7c,85,e0,43,d4,0e,fe,a2,08,e6,00,02,b5,9b,8f,ff,7c,85,e0,43,d4,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,1b,b7,48,62,3e,
9a,4c,30,86,8c,21,01,be,91,eb,e7,1c,5f,4b,23,3d,c0,58,d2,86,8c,21,01,be,91,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,8e,6a,47,c0,b9,
f9,25,ab,f5,1d,4d,73,a8,13,5c,05,e0,f6,fe,fb,8f,36,09,42,f5,1d,4d,73,a8,13,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,99,f0,be,7b,d5,
b4,e4,e9,df,20,58,62,78,6b,cf,c8,d5,e0,69,8f,e0,fc,d6,c7,df,20,58,62,78,6b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,29,36,40,33,3e,
ed,1a,7c,fb,a7,78,e6,12,2f,9a,ea,3c,a9,fb,5d,75,6c,08,0a,fb,a7,78,e6,12,2f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,c0,9e,80,e3,87,
e6,85,f5,01,3a,48,fc,e8,04,4a,f1,b8,7a,56,4c,46,bd,68,48,01,3a,48,fc,e8,04,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,9b,45,d6,5a,f4,
04,db,a4,f6,0f,4e,58,98,5b,89,c9,1a,db,d7,2c,95,11,81,eb,f6,0f,4e,58,98,5b,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,63,4d,a7,f8,21,
d8,03,9b,3d,ce,ea,26,2d,45,aa,78,0d,64,3d,d3,9d,0e,49,78,3d,ce,ea,26,2d,45,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,40,ca,c3,88,82,
4c,2d,25,2a,b7,cc,b5,b9,7f,41,e7,07,86,0c,92,8b,47,fd,d2,2a,b7,cc,b5,b9,7f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,88,d1,14,84,36,
fa,eb,36,6c,43,2d,1e,aa,22,2f,9c,2c,f2,8d,30,f3,13,d3,23,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(2504)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-25 11:35
ComboFix-quarantined-files.txt 2009-05-25 18:35
ComboFix2.txt 2009-05-24 07:34
Pre-Run: 53,059,440,640 bytes free
Post-Run: 53,049,417,728 bytes free
285 --- E O F --- 2008-12-18 11:00
sociecide
2009-05-25, 21:43
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:06 AM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Administrator')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Omega ASIO Control Panel.lnk = C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} (WebCamX Control) - http://98.109.214.5/WebCamX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1242954296734&h=5c351f3a120b9d1a0cc24a6698335d0f/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11230 bytes
.
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on the Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.
sociecide
2009-05-25, 23:50
wow this scan is taking a looooooong time. well it took like an hour to download the updates.... now it's been scanning for 30 min. will post the results soon.
No hurry, take your time :)
sociecide
2009-05-26, 07:56
sociecide
2009-05-26, 07:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:35 PM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yme/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-117609710-220523388-839522115-500\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Administrator')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: Omega ASIO Control Panel.lnk = C:\Program Files\Lexicon\Omega\Driver\ASIOSysTray.exe
O4 - Startup: Sprint media monitor.lnk = C:\WINDOWS\RM.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: DigiCell.lnk = C:\Program Files\MSI\DigiCell\DigiCell.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} (WebCamX Control) - http://98.109.214.5/WebCamX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1242954296734&h=5c351f3a120b9d1a0cc24a6698335d0f/&filename=jinstall-6u13-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11319 bytes
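The two HijackThis logs in this thread differ only in a few lines, and the way a helper reads them is by section code (R0/R1, O2, O4, O16, O23, ...). The script below is an added example, not code from the thread or from Trend Micro: it parses entry lines in the shape shown above, diffs two logs while ignoring the boot-to-boot process list, and lists O16 (Downloaded Program Files, i.e. ActiveX) entries that are worth a second look because they were fetched from a bare IP address or registered from a local file. The sample logs LOG_A and LOG_B are a handful of lines lifted from the two posted logs; the "worth a second look" labels are observations to check, not a verdict that anything is malicious.

```python
"""Triage helpers for HijackThis v2.0.2 logs.

Added example, not code from the thread or from Trend Micro.  It only knows the
line shape visible in the posts above: an entry line starts with a section code
(R0..R3, O2, O3, O4, O9, O16, O20, O23, ...) followed by " - " and the entry
text; the process list and the "End of file" trailer are not entry lines.
"""
import ipaddress
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# O16 body: DPF: {CLSID} (display name) - source
DPF_RE = re.compile(r"^DPF: \{([0-9A-Fa-f-]+)\} \((.*?)\) - (.*)$")

# Constructed samples: a few lines lifted from the first and second logs posted
# above, so the diff and the O16 review have something to work on offline.
LOG_A = r"""
O16 - DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} (WebCamX Control) - http://98.109.214.5/WebCamX.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 11230 bytes
"""
LOG_B = r"""
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4907D5BF-232A-43DC-B306-CCB18BEA07EF} (WebCamX Control) - http://98.109.214.5/WebCamX.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 11319 bytes
"""


def parse_hjt(text):
    """Return [(section, body)] for every entry line; headers and the
    running-process list are skipped because they never match ENTRY_RE."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(text_a, text_b):
    """(only_in_a, only_in_b) as sorted lists of (section, body) tuples.
    The process list is deliberately not compared: it changes every boot."""
    a = set(parse_hjt(text_a))
    b = set(parse_hjt(text_b))
    return sorted(a - b), sorted(b - a)


def review_dpf(entries):
    """Observations on O16 entries as [(name, source, reason)].

    A control fetched from a bare IP address has no DNS name to tie it to a
    vendor, and a control registered from a local path was not downloaded by
    IE at all.  Both deserve a look; neither is automatically malicious."""
    findings = []
    for section, body in entries:
        if section != "O16":
            continue
        m = DPF_RE.match(body)
        if not m:
            continue
        _clsid, name, source = m.groups()
        if re.match(r"^[A-Za-z]:\\", source):
            findings.append((name, source, "registered from a local file, not a download"))
            continue
        host = urlparse(source).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # ordinary host name, nothing to note here
        findings.append((name, source, "served from a bare IP address"))
    return findings


if __name__ == "__main__":
    only_a, only_b = diff_logs(LOG_A, LOG_B)
    print("only in first log:", *only_a, sep="\n  ")
    print("only in second log:", *only_b, sep="\n  ")
    for name, source, why in review_dpf(parse_hjt(LOG_B)):
        print(f"O16 {name!r}: {why} ({source})")
```

Run it against two saved logs by reading the files into text and passing them to diff_logs; the set difference is what a helper scans for when a second log arrives, and review_dpf is the check for the O16 section that a 2009-era helper would otherwise do by eye.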
You have now posted the HijackThis log twice.
Please also post the Kaspersky report :)
sociecide
2009-05-26, 09:16
doh! I'm sorry! lol
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 25, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 25, 2009 21:27:39
Records in database: 2244335
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics:
Files scanned: 212132
Threat name: 7
Infected objects: 20
Suspicious objects: 0
Duration of the scan: 05:08:14
File name / Threat name / Threats count
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\CRACKDB[1].0TM.bac_a00552 Infected: Trojan-Downloader.JS.IstBar.u 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\install1.exe.bac_a00548 Infected: not-a-virus:AdWare.Win32.Agent.akk 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\install1.exe.bac_a00548 Infected: not-a-virus:AdWare.Win32.Agent.ad 2
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\install1.exe.bac_a00552 Infected: not-a-virus:AdWare.Win32.Agent.akk 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\install1.exe.bac_a00552 Infected: not-a-virus:AdWare.Win32.Agent.ad 2
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\SEARCH[1].0TM.bac_a00552 Infected: Trojan-Downloader.JS.IstBar.u 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\search[1].html.bac_a00552 Infected: Trojan-Downloader.JS.IstBar.u 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\SeekmoTBUninstaller.exe.bac_a00552 Infected: not-a-virus:AdWare.Win32.Agent.c 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\videoaccess.exe.bac_a00548 Infected: not-a-virus:AdWare.Win32.Agent.akk 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\videoaccess.exe.bac_a00548 Infected: not-a-virus:AdWare.Win32.Agent.ad 2
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\videoaccess.exe.bac_a00552 Infected: not-a-virus:AdWare.Win32.Agent.akk 1
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\videoaccess.exe.bac_a00552 Infected: not-a-virus:AdWare.Win32.Agent.ad 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys.vir Infected: Rootkit.Win32.Agent.kvr 1
G:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\WD2J4H2Z\STATS[1].0TM Infected: Trojan-Downloader.VBS.Agent.n 1
G:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
H:\Apps\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
The selected area was scanned.
Empty these folders:
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine
C:\Qoobox\Quarantine
Empty Recycle Bin.
Empty IE temporary internet files.
Still problems?
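The reply above reads the Kaspersky report the way a helper does: every hit sits inside another tool's Quarantine folder, the browser cache, or is "not-a-virus" riskware (mIRC), so the fix is to empty those folders rather than chase the detections. The script below is an added example, not code from the thread or from Kaspersky, that applies that reading to report lines in the shape shown above. Four sample lines are copied from the report; the C:\placeholder line is constructed so that the "live" branch has something to show.

```python
"""Sort a Kaspersky Online Scanner 7 report into quarantined, cache, riskware, live.

Added example, not code from the thread or from Kaspersky.  Report lines are
parsed in the shape shown above: <path> Infected: <threat name> <count>.
"""
import re
from pathlib import PureWindowsPath

LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Constructed sample: four lines copied from the report above plus one made-up
# line (the C:\placeholder one) so the "live" branch is exercised.
REPORT = r"""
C:\Documents and Settings\Ridiculous Nicholas\.housecall6.6\Quarantine\install1.exe.bac_a00548 Infected: not-a-virus:AdWare.Win32.Agent.akk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gxvxctjnqsfondrfqbjhdtkluadlduaeqobgn.sys.vir Infected: Rootkit.Win32.Agent.kvr 1
G:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\WD2J4H2Z\STATS[1].0TM Infected: Trojan-Downloader.VBS.Agent.n 1
G:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\placeholder\constructed.exe Infected: Placeholder.Constructed.Sample 1
"""


def parse_report(text):
    """Return [(path, threat, count)] for every result line; headers are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["path"], m["threat"], int(m["count"])))
    return rows


def quarantine_folder(path):
    """The folder up to and including the 'Quarantine' component, or None."""
    parts = PureWindowsPath(path).parts
    for i, part in enumerate(parts):
        if part.lower() == "quarantine":
            return str(PureWindowsPath(*parts[: i + 1]))
    return None


def classify(path, threat):
    """First matching rule wins: quarantined, then cache, then riskware, else live."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if quarantine_folder(path):
        return "quarantined"   # another tool already moved it out of place
    if "temporary internet files" in parts:
        return "cache"         # a browser-cache copy: clear the cache
    if threat.startswith("not-a-virus:"):
        return "riskware"      # dual-use software; keep it if you installed it
    return "live"              # still in place and still needs removal


def triage(text):
    """{category: [paths]} for the whole report."""
    buckets = {"quarantined": [], "cache": [], "riskware": [], "live": []}
    for path, threat, _ in parse_report(text):
        buckets[classify(path, threat)].append(path)
    return buckets


def folders_to_empty(text):
    """The 'Empty these folders' list: each distinct quarantine folder with a hit."""
    found = {quarantine_folder(p) for p, _, _ in parse_report(text)}
    found.discard(None)
    return sorted(found)


if __name__ == "__main__":
    for category, paths in triage(REPORT).items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("Empty these folders:", *folders_to_empty(REPORT), sep="\n  ")
```

On the report above this yields exactly the two folders the reply names, which is the point: a scanner that only reads files reports what other tools have already caged, and the quarantine and cache buckets tell you whether a "20 infected objects" headline is a live infection or leftover copies.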
sociecide
2009-05-26, 20:22
well... I did that, and after I rebooted my computer Norton AntiVirus still tells me I have a Backdoor.Trojan and that it can't resolve it. I'm going to reboot into safe mode and run a full system scan to see if it'll finally resolve the issue.
OK, let me know how it went :)
sociecide
2009-05-27, 03:38
well, Norton didn't find the Backdoor.Trojan in safe mode, but as soon as I reboot in normal mode Norton tells me that my computer has Backdoor.Trojan and it can't remove it. I'm thinking maybe there is just some file with Norton that needs to realize that it's actually gone? What do you suggest I should try to stop Norton from telling me there is a virus?
Then I suggest that you uninstall and reinstall Norton to see if it helps.
sociecide
2009-05-27, 08:54
I really appreciate all of your help, man! I think I'm pretty much clear of the main infection... Spybot doesn't detect anything in safe mode or in normal mode; same thing with Malwarebytes, SUPERAntiSpyware, and Spyware Doctor. So I think you're right about reinstalling Norton... OR... I found this post:
http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=52169
(this part is what I think I need to do to make norton stop telling me I have backdoor.trojan)
-----
THE FIX:
It is not necessary to erase the complete QBackup folder, nor do you need to boot into safe mode. The QBackup folder (Quarantine Backup) is used by the Norton AntiVirus component to store backup copies of repaired and removed threats when you fix/remove threats during a scan. It may also contain information about threats detected and retains the remediated data on your computer itself. It will be automatically recreated by the Norton program when you run a scan next time.
So, to FIX this problem: just open the NIS2009 History, go to "Unresolved Security Risks", press "Remove" on the item that failed to remove, and wait for the "failed to remove" status; this will update the "*.qbi" file which holds the history of the unresolved items. Then go to NIS2009 Settings, go to "Miscellaneous Settings" and disable Norton Product Tamper Protection. Then open Windows Explorer and go to
"C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\QBackup"
and erase your most recently updated (newest) "*.QBI" file. The asterisk is a long number such as "{DDAB4332-ED04-4898-9C20-D231FDC4B0C5}.qbi"; it will be a small file, 1-10 KB. Only delete this file. Close Windows Explorer, go to NIS2009, reactivate Norton Product Tamper Protection under Miscellaneous Settings, and you can enter the History and you will find it is empty (clear).
Hope this will help you to not erase the whole (complete) "QBackup" folder.
-----
What do you think? Think I should try that or just reinstall norton?
Thanks again for all your help! If you ever come to southern california I'll have to buy you a beer! haha
sociecide
2009-05-27, 09:00
OK, so I followed these instructions and it appears to have cleared the "unresolved threats" history that showed "Backdoor.Trojan." I'm going to run another full Norton scan just to make sure I'm clear. Oh man, I'm so happy... no more virus stress!!!!!!!
OK, post back how it went :)
sociecide
2009-05-27, 11:25
I ran a full scan and just found one little tracking cookie... but no trojan. It's all good now... thanks sooooooooo much!
Great :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.
Then download and install Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Looking over your log, it seems you don't have any evidence of a third party firewall.
As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:
1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
Now lets uninstall ComboFix:
Click START then RUN
Now type Combofix /u in the runbox and click OK
Next we remove all used tools.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
or
Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926)
Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
WinPatrol (http://www.winpatrol.com/) <= Download and install the free version of WinPatrol. A tutorial for this product is located here:
Using WinPatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Happy surfing and stay clean! :bigthumb:
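The six Internet-zone settings in the "Make your Internet Explorer more secure" steps above are DWORD values under the Internet zone key in the registry, which makes them checkable without clicking through the dialog. The script below is an added example, not code from the thread or from Microsoft: it maps the six GUI labels to the value IDs Microsoft documents for IE security zones (KB 182569), reports every setting weaker than the post asks for, and emits reg.exe lines to fix them. read_zone_values() needs a Windows host; evaluate() and remediation_commands() are pure functions and run anywhere. The "before" dict in the main block is a constructed state, not any real machine's values.

```python
"""Check, and generate fixes for, the Internet-zone settings listed above.

Added example, not code from the thread or from Microsoft.  The six GUI labels
map to DWORD values under HKCU\...\Internet Settings\Zones\3 (3 = Internet
zone) with the value IDs Microsoft documents for IE security zones (KB 182569);
0 = Enable, 1 = Prompt, 3 = Disable.
"""
ENABLE, PROMPT, DISABLE = 0, 1, 3
NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# (value id, GUI label, setting the post asks for)
REQUIRED = [
    ("1001", "Download signed ActiveX controls", PROMPT),
    ("1004", "Download unsigned ActiveX controls", DISABLE),
    ("1201", "Initialize and script ActiveX controls not marked as safe", DISABLE),
    ("1800", "Installation of desktop items", PROMPT),
    ("1804", "Launching programs and files in an IFRAME", PROMPT),
    ("1607", "Navigate sub-frames across different domains", PROMPT),
]


def read_zone_values():
    """Current user's Internet-zone values as {id: int}; Windows only."""
    import winreg  # not available off Windows, hence the local import
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for value_id, _, _ in REQUIRED:
            try:
                current[value_id] = int(winreg.QueryValueEx(key, value_id)[0])
            except FileNotFoundError:
                pass  # value absent: evaluate() reports it as unset
    return current


def evaluate(current):
    """[(id, label, current, required)] for each setting weaker than required.

    Enable(0) < Prompt(1) < Disable(3), so a setting stricter than the post
    asks for is accepted; an absent value is reported with current=None."""
    findings = []
    for value_id, label, required in REQUIRED:
        cur = current.get(value_id)
        if cur is None or cur < required:
            findings.append((value_id, label, cur, required))
    return findings


def remediation_commands(findings):
    """reg.exe lines that set each weak value to the required level."""
    return [
        f'reg add "HKCU\\{ZONE_KEY}" /v {value_id} /t REG_DWORD /d {required} /f'
        for value_id, _, _, required in findings
    ]


if __name__ == "__main__":
    # Constructed 'before' state, not read from any real machine.
    before = {"1001": ENABLE, "1004": DISABLE, "1201": ENABLE,
              "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}
    for value_id, label, cur, req in evaluate(before):
        print(f"{value_id} {label}: {NAMES.get(cur, 'not set')} -> {NAMES[req]}")
    print(*remediation_commands(evaluate(before)), sep="\n")
```

On a Windows box replace the constructed dict with read_zone_values() and run the printed reg add lines from an elevated prompt; IE picks the new values up on its next start, and the same dialog steps above will then show the settings already in place.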
sociecide
2009-05-27, 21:22
OK... will follow those steps as soon as I get home from work. Oh, and I already installed ZoneAlarm... got it all set up. Thanks!
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.