
View Full Version : win32.joleee.k (Inactive)



td_drive
2009-07-27, 12:37
My PC is currently infected with a trojan which seems to be called "win32.joleee.k", and as such system performance has been seriously compromised. Any help would be much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:40, on 27/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\explorer.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
E:\Program Files\Sports Interactive\Football Manager 2009\fm.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\taskeng.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://join.123cashformula.com/track/NTI4MzEuNy42LjEyLjAuMC4wLjA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe
O4 - HKLM\..\RunOnce: [eM@] eM@
O4 - HKLM\..\RunOnce: [ N@] N@
O4 - HKLM\..\RunOnce: [X0@] X0@
O4 - HKLM\..\RunOnce: [İN@] İN@
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [DAEMON Tools Lite] "E:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe
O4 - HKLM\..\Policies\Explorer\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [A00F2AC64.exe] C:\Windows\TEMP\_A00F2AC64.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00F2AC64.exe] C:\Windows\TEMP\_A00F2AC64.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9553 bytes
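One way a helper triages a HijackThis log like the one above programmatically, as an added example that is not part of this thread and not code from HijackThis: it parses the R0/R1, O1 and O4 line formats and flags the patterns visible in this log (a hosts entry pinned to a remote IP, a Start Page on an unfamiliar host, autostart entries with no executable, an executable in TEMP, one executable under several autostart keys). The allow-list of home-page hosts and the sample subset of log lines are assumptions for illustration.

```python
"""Triage of HijackThis (HJT) 2.0 log lines.

Added example, not part of the original post and not code from HijackThis.
It parses the R0/R1, O1 and O4 line formats seen in the log above and flags:
  * a hosts entry that points a name somewhere other than loopback,
  * an IE Start Page whose host is not on an allow-list (assumed here),
  * an autostart command that is not a path to an executable at all,
  * an autostart executable living under a TEMP directory,
  * one executable registered under three or more autostart keys.
SAMPLE_LOG is a constructed subset of the lines from the log above.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set
from urllib.parse import urlparse

# Assumption for illustration: home-page hosts a helper would not question.
TRUSTED_HOME_HOSTS = {"www.google.co.uk", "go.microsoft.com"}

# R0/R1: "<hive>\<key>,<value> = <data>"   (data may be empty)
R_LINE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
# O1: "Hosts: <ip> <hostname>"
O1_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
# O4: "<key>: [<name>] <command> (User '<user>')"   (user part optional)
O4_LINE = re.compile(
    r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Shortest prefix of a command that ends in ".exe" (the program being started).
EXE_IN_CMD = re.compile(r'[^"]*?\.exe', re.IGNORECASE)


class Finding(NamedTuple):
    rule: str
    detail: str


def executable_of(cmd: str) -> Optional[str]:
    """Lower-cased executable part of an O4 command ('C:\\x\\y.exe -flag' ->
    'c:\\x\\y.exe'), or None when the command names no .exe at all."""
    m = EXE_IN_CMD.match(cmd.lstrip('"'))
    return m.group(0).lower() if m else None


def triage(log_text: str) -> List[Finding]:
    """Scan HJT log lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    keys_per_exe: Dict[str, Set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        r, h, o = R_LINE.match(line), O1_LINE.match(line), O4_LINE.match(line)
        if r:
            if r["value"].strip() == "Start Page" and r["data"]:
                host = urlparse(r["data"]).netloc.lower()
                if host not in TRUSTED_HOME_HOSTS:
                    findings.append(Finding("start-page", f"{r['hive']} Start Page -> {host}"))
        elif h:
            ip = h["ip"]
            if not (ip == "::1" or ip.startswith("127.")):
                # A name pinned to a non-loopback IP in hosts bypasses DNS for that name.
                findings.append(Finding("hosts-redirect", f"{h['host']} -> {ip}"))
        elif o:
            exe = executable_of(o["cmd"])
            if exe is None:
                findings.append(Finding("no-exe", f"{o['key']} [{o['name']}] = {o['cmd']!r}"))
                continue
            if "\\temp\\" in exe:
                findings.append(Finding("temp-path", f"{o['key']} -> {exe}"))
            keys_per_exe[exe].add(o["key"].lower())
    for exe, keys in keys_per_exe.items():
        if len(keys) >= 3:
            findings.append(Finding("multi-key", f"{exe} under {len(keys)} autostart keys"))
    return findings


# Constructed sample: a subset of lines copied from the HJT log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://join.123cashformula.com/track/NTI4MzEuNy42LjEyLjAuMC4wLjA
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: ::1 localhost
O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe
O4 - HKLM\..\RunOnce: [eM@] eM@
O4 - HKLM\..\RunOnce: [ N@] N@
O4 - HKCU\..\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe
O4 - HKLM\..\Policies\Explorer\Run: [do_not_delete] C:\Windows\system32\do_not_delete.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [A00F2AC64.exe] C:\Windows\TEMP\_A00F2AC64.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [A00F2AC64.exe] C:\Windows\TEMP\_A00F2AC64.exe (User 'Default user')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule:14}] {f.detail}")
```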

katana
2009-07-28, 12:14
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large, You may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------



Download and Run RSIT

Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:

log.txt will be opened maximized.
info.txt will be opened minimized.

Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )



Please Download GMER to your desktop

Download GMER (http://www.gmer.net/gmer.zip) and extract it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.

Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.

GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.


DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

Please post the results from the GMER scan in your reply.

td_drive
2009-07-31, 00:04
I can't access the RSIT download link - the page doesn't appear to be there :s

katana
2009-07-31, 01:33
Please try GMER.



Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection.
Double click dds.scr to run the tool. When done, DDS.txt will open. Click Yes at the next prompt for Optional Scan. Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Attach the following report to your post by clicking the Manage Attachments button under Additional Options > Attach Files on the composition page. Browse to where you saved the file, and click Upload.

Attach.txt

td_drive
2009-08-01, 00:20
GMER 1.0.15.15011 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-07-31 22:11:39
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

INT 0x62 ? 85F32BF8
INT 0x72 ? 8467BBF8
INT 0x82 ? 8467BBF8
INT 0x92 ? 8467BBF8
INT 0x92 ? 8467BBF8
INT 0x92 ? 8467BBF8
INT 0x92 ? 85F32BF8
INT 0x92 ? 8467BBF8
INT 0xA2 ? 85F32BF8
INT 0xB2 ? 85F32BF8
INT 0xB2 ? 85F32BF8
INT 0xB3 ? 85F32BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spre.sys The system cannot find the path specified. !
PAGE ataport.SYS!DllUnload 87EA6B2E 5 Bytes JMP 8467B1D8
.text USBPORT.SYS!DllUnload 8CAEC46F 5 Bytes JMP 85F321D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Kontiki\KService.exe[12] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Kontiki\KService.exe[12] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Kontiki\KService.exe[12] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Kontiki\KService.exe[12] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Kontiki\KService.exe[12] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Kontiki\KService.exe[12] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Kontiki\KService.exe[12] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text E:\PROGRA~1\AVG\AVG8\avgrsx.exe[200] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text E:\PROGRA~1\AVG\AVG8\avgrsx.exe[200] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text E:\PROGRA~1\AVG\AVG8\avgrsx.exe[200] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text E:\PROGRA~1\AVG\AVG8\avgrsx.exe[200] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text E:\PROGRA~1\AVG\AVG8\avgrsx.exe[200] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text E:\PROGRA~1\AVG\AVG8\avgrsx.exe[200] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text E:\PROGRA~1\AVG\AVG8\avgrsx.exe[200] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[340] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[340] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[340] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[340] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[340] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[340] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe[340] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[372] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[372] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[372] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[372] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[372] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[372] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe[372] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\csrss.exe[616] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\csrss.exe[616] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\csrss.exe[616] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\csrss.exe[616] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\csrss.exe[616] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\csrss.exe[616] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\csrss.exe[616] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\wininit.exe[624] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\wininit.exe[624] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\wininit.exe[624] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\wininit.exe[624] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\wininit.exe[624] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\wininit.exe[624] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\wininit.exe[624] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\services.exe[672] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\services.exe[672] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\services.exe[672] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\services.exe[672] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\services.exe[672] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\services.exe[672] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\services.exe[672] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\lsass.exe[684] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\lsm.exe[692] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\winlogon.exe[764] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\winlogon.exe[764] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\winlogon.exe[764] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\winlogon.exe[764] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\winlogon.exe[764] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\winlogon.exe[764] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\winlogon.exe[764] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[828] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[828] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[828] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[828] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[828] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[828] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[828] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[876] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[920] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[920] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[920] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[920] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[920] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[920] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe[920] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[944] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[944] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[944] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[944] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[944] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[944] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[944] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[1016] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\System32\svchost.exe[1052] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\System32\svchost.exe[1052] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\System32\svchost.exe[1052] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\System32\svchost.exe[1052] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\System32\svchost.exe[1052] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\System32\svchost.exe[1052] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\System32\svchost.exe[1052] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe[1124] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe[1124] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe[1124] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe[1124] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe[1124] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe[1124] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe[1124] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FF9484E
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FF948DD
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FF948EA
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FF94B6E
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FF948D3
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FF9492B
.text C:\Windows\System32\svchost.exe[1132] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FF948F7
.text C:\Windows\System32\svchost.exe[1208] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\System32\svchost.exe[1208] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\System32\svchost.exe[1208] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\System32\svchost.exe[1208] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\System32\svchost.exe[1208] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\System32\svchost.exe[1208] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\System32\svchost.exe[1208] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[1244] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\SearchProtocolHost.exe[1272] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\SearchProtocolHost.exe[1272] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\SearchProtocolHost.exe[1272] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\SearchProtocolHost.exe[1272] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\SearchProtocolHost.exe[1272] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\SearchProtocolHost.exe[1272] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\SearchProtocolHost.exe[1272] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\SLsvc.exe[1384] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\SLsvc.exe[1384] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\SLsvc.exe[1384] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\SLsvc.exe[1384] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\SLsvc.exe[1384] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\SLsvc.exe[1384] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\SLsvc.exe[1384] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[1408] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[1408] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[1408] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[1408] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[1408] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[1408] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[1408] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[1524] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[1532] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[1532] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[1532] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[1532] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[1532] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[1532] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[1532] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe[1712] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe[1712] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe[1712] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe[1712] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe[1712] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe[1712] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe[1712] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\System32\spoolsv.exe[1780] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\System32\spoolsv.exe[1780] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\System32\spoolsv.exe[1780] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\System32\spoolsv.exe[1780] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\System32\spoolsv.exe[1780] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\System32\spoolsv.exe[1780] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\System32\spoolsv.exe[1780] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe[1796] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe[1796] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe[1796] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe[1796] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe[1796] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe[1796] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe[1796] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[1840] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[1840] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[1840] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[1840] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[1840] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[1840] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[1840] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\svchost.exe[1844] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1908] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1908] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1908] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1908] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1908] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1908] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1908] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\TODDSrv.exe[2064] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\TODDSrv.exe[2064] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\TODDSrv.exe[2064] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\TODDSrv.exe[2064] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\TODDSrv.exe[2064] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\TODDSrv.exe[2064] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\TODDSrv.exe[2064] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text E:\PROGRA~1\AVG\AVG8\avgnsx.exe[2092] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text E:\PROGRA~1\AVG\AVG8\avgnsx.exe[2092] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text E:\PROGRA~1\AVG\AVG8\avgnsx.exe[2092] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text E:\PROGRA~1\AVG\AVG8\avgnsx.exe[2092] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text E:\PROGRA~1\AVG\AVG8\avgnsx.exe[2092] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text E:\PROGRA~1\AVG\AVG8\avgnsx.exe[2092] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text E:\PROGRA~1\AVG\AVG8\avgnsx.exe[2092] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2132] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2132] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2132] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2132] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2132] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2132] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe[2132] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text E:\Program Files\AVG\AVG8\avgtray.exe[2280] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text E:\Program Files\AVG\AVG8\avgtray.exe[2280] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text E:\Program Files\AVG\AVG8\avgtray.exe[2280] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text E:\Program Files\AVG\AVG8\avgtray.exe[2280] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text E:\Program Files\AVG\AVG8\avgtray.exe[2280] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text E:\Program Files\AVG\AVG8\avgtray.exe[2280] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text E:\Program Files\AVG\AVG8\avgtray.exe[2280] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2332] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2332] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2332] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2332] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2332] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2332] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2332] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Windows Sidebar\sidebar.exe[2360] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Windows Sidebar\sidebar.exe[2360] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Windows Sidebar\sidebar.exe[2360] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Windows Sidebar\sidebar.exe[2360] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Windows Sidebar\sidebar.exe[2360] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Windows Sidebar\sidebar.exe[2360] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Windows Sidebar\sidebar.exe[2360] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\System32\svchost.exe[2364] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\System32\svchost.exe[2364] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\System32\svchost.exe[2364] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\System32\svchost.exe[2364] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\System32\svchost.exe[2364] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\System32\svchost.exe[2364] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\System32\svchost.exe[2364] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe[2376] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe[2376] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe[2376] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe[2376] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe[2376] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe[2376] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe[2376] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\SearchIndexer.exe[2392] ntdll.dll!NtCreateUserProcess

td_drive
2009-08-01, 00:21
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[2496] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[2496] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[2496] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[2496] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[2496] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[2496] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Synaptics\SynTP\SynToshiba.exe[2496] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\taskeng.exe[2816] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\taskeng.exe[2816] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\taskeng.exe[2816] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\taskeng.exe[2816] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\taskeng.exe[2816] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\taskeng.exe[2816] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\taskeng.exe[2816] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2940] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2940] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2940] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2940] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2940] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2940] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2940] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\taskeng.exe[3268] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\taskeng.exe[3268] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\taskeng.exe[3268] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\taskeng.exe[3268] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\taskeng.exe[3268] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\taskeng.exe[3268] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\taskeng.exe[3268] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\Dwm.exe[3368] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\Dwm.exe[3368] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\Dwm.exe[3368] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\Dwm.exe[3368] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\Dwm.exe[3368] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\Dwm.exe[3368] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\Dwm.exe[3368] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.reloc C:\Windows\Explorer.EXE[3404] C:\Windows\Explorer.EXE section is executable [0x012C7000, 0xAC00, 0xE0000040]
.text C:\Windows\Explorer.EXE[3404] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\Explorer.EXE[3404] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\Explorer.EXE[3404] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\Explorer.EXE[3404] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\Explorer.EXE[3404] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\Explorer.EXE[3404] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\Explorer.EXE[3404] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Windows Defender\MSASCui.exe[3532] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Windows Defender\MSASCui.exe[3532] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Windows Defender\MSASCui.exe[3532] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Windows Defender\MSASCui.exe[3532] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Windows Defender\MSASCui.exe[3532] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Windows Defender\MSASCui.exe[3532] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Windows Defender\MSASCui.exe[3532] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Java\jre6\bin\jusched.exe[3540] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Java\jre6\bin\jusched.exe[3540] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Java\jre6\bin\jusched.exe[3540] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Java\jre6\bin\jusched.exe[3540] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Java\jre6\bin\jusched.exe[3540] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Java\jre6\bin\jusched.exe[3540] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Java\jre6\bin\jusched.exe[3540] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3548] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3548] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3548] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3548] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3548] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3548] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3548] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\System32\hkcmd.exe[3588] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\System32\hkcmd.exe[3588] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\System32\hkcmd.exe[3588] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\System32\hkcmd.exe[3588] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\System32\hkcmd.exe[3588] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\System32\hkcmd.exe[3588] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\System32\hkcmd.exe[3588] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\System32\igfxpers.exe[3608] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\System32\igfxpers.exe[3608] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\System32\igfxpers.exe[3608] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\System32\igfxpers.exe[3608] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\System32\igfxpers.exe[3608] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\System32\igfxpers.exe[3608] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\System32\igfxpers.exe[3608] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[3616] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[3616] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[3616] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[3616] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[3616] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[3616] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Synaptics\SynTP\SynTPStart.exe[3616] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\RtHDVCpl.exe[3652] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\RtHDVCpl.exe[3652] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\RtHDVCpl.exe[3652] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\RtHDVCpl.exe[3652] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\RtHDVCpl.exe[3652] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\RtHDVCpl.exe[3652] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\RtHDVCpl.exe[3652] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3660] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3660] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3660] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3660] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3660] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3660] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe[3660] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3704] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3704] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3704] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3704] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3704] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3704] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe[3704] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3712] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3712] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3712] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3712] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3712] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3712] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe[3712] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3720] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3720] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3720] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3720] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3720] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3720] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe[3720] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\igfxsrvc.exe[3736] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\igfxsrvc.exe[3736] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\igfxsrvc.exe[3736] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\igfxsrvc.exe[3736] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\igfxsrvc.exe[3736] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\igfxsrvc.exe[3736] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\igfxsrvc.exe[3736] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3912] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3912] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3912] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3912] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3912] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3912] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[3912] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Users\Tom\Desktop\gmer.exe[4508] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Users\Tom\Desktop\gmer.exe[4508] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Users\Tom\Desktop\gmer.exe[4508] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Users\Tom\Desktop\gmer.exe[4508] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Users\Tom\Desktop\gmer.exe[4508] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Users\Tom\Desktop\gmer.exe[4508] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Users\Tom\Desktop\gmer.exe[4508] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Windows\system32\wbem\wmiprvse.exe[5036] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Windows\system32\wbem\wmiprvse.exe[5036] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Windows\system32\wbem\wmiprvse.exe[5036] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Windows\system32\wbem\wmiprvse.exe[5036] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Windows\system32\wbem\wmiprvse.exe[5036] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Windows\system32\wbem\wmiprvse.exe[5036] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Windows\system32\wbem\wmiprvse.exe[5036] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7
.text C:\Program Files\Mozilla Firefox\firefox.exe[5496] ntdll.dll!NtCreateFile 77408008 5 Bytes CALL 7FFA484E
.text C:\Program Files\Mozilla Firefox\firefox.exe[5496] ntdll.dll!NtCreateProcess 774080C8 5 Bytes CALL 7FFA48DD
.text C:\Program Files\Mozilla Firefox\firefox.exe[5496] ntdll.dll!NtCreateProcessEx 774080D8 5 Bytes CALL 7FFA48EA
.text C:\Program Files\Mozilla Firefox\firefox.exe[5496] ntdll.dll!NtDeviceIoControlFile 77408438 5 Bytes CALL 7FFA4B6E
.text C:\Program Files\Mozilla Firefox\firefox.exe[5496] ntdll.dll!NtOpenFile 774087E8 5 Bytes CALL 7FFA48D3
.text C:\Program Files\Mozilla Firefox\firefox.exe[5496] ntdll.dll!NtQueryInformationProcess 77408A88 5 Bytes CALL 7FFA492B
.text C:\Program Files\Mozilla Firefox\firefox.exe[5496] ntdll.dll!NtCreateUserProcess 77409438 5 Bytes CALL 7FFA48F7

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [826946D6] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82694042] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82694800] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [826940C0] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8269413E] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [826A3E9C] \SystemRoot\System32\Drivers\spre.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [71967BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [719A98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7196D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7195F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [71967599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7195E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7199B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7196D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7196012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [71960095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [719571F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [719ED802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [719875E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7195DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7195668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [719566BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3404] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [71961E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8500C1F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 8467D1F8
Device \Driver\usbuhci \Device\USBPDO-0 85F761F8
Device \Driver\netbt \Device\NetBT_Tcpip_{DFA1451B-B972-43D9-AD3B-226FD4F23BD4} 864511F8
Device \Driver\usbuhci \Device\USBPDO-1 85F761F8
Device \Driver\usbehci \Device\USBPDO-2 85F491F8
Device \Driver\usbuhci \Device\USBPDO-3 85F761F8
Device \Driver\usbuhci \Device\USBPDO-4 85F761F8

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-5 85F761F8
Device \Driver\usbehci \Device\USBPDO-6 85F491F8
Device \Driver\volmgr \Device\HarddiskVolume1 8467D1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8467D1F8
Device \Driver\cdrom \Device\CdRom0 85F641F8
Device \Driver\volmgr \Device\HarddiskVolume3 8467D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8500A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 8500A1F8
Device \Driver\atapi \Device\Ide\IdePort0 8500A1F8
Device \Driver\atapi \Device\Ide\IdePort1 8500A1F8
Device \Driver\atapi \Device\Ide\IdePort2 8500A1F8
Device \Driver\atapi \Device\Ide\IdePort3 8500A1F8
Device \Driver\atapi \Device\Ide\IdePort4 8500A1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 8500B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 8500B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 8500B1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 864511F8
Device \Driver\netbt \Device\NetBT_Tcpip_{E513DDF1-3DCD-497D-A84A-243CEEAD8CB5} 864511F8
Device \Driver\Smb \Device\NetbiosSmb 864971F8
Device \Driver\iScsiPrt \Device\RaidPort0 85FBC1F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 85F761F8
Device \Driver\usbuhci \Device\USBFDO-1 85F761F8
Device \Driver\usbehci \Device\USBFDO-2 85F491F8
Device \Driver\usbuhci \Device\USBFDO-3 85F761F8
Device \Driver\usbuhci \Device\USBFDO-4 85F761F8
Device \Driver\usbuhci \Device\USBFDO-5 85F761F8
Device \Driver\usbehci \Device\USBFDO-6 85F491F8
Device \FileSystem\cdfs \Cdfs 869381F8

---- Services - GMER 1.0.15 ----

Service system32\drivers\vsfoceqierjepv.sys (*** hidden *** ) [SYSTEM] vsfocetehciwvv <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0F 0x75 0x75 0xCC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x21 0xB5 0xE1 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4C 0xB4 0x93 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xC7 0xA1 0xE3 0xED ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xC6 0xD8 0x31 0xA1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocetehciwvv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocetehciwvv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocetehciwvv@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocetehciwvv@imagepath \systemroot\system32\drivers\vsfoceqierjepv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocetehciwvv\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\vsfocetehciwvv\modules@vsfocerk.sys \systemroot\system32\drivers\vsfoceqierjepv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0F 0x75 0x75 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x21 0xB5 0xE1 0xA9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4C 0xB4 0x93 0xB5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xC7 0xA1 0xE3 0xED ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xC6 0xD8 0x31 0xA1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocetehciwvv@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocetehciwvv@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocetehciwvv@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocetehciwvv@imagepath \systemroot\system32\drivers\vsfoceqierjepv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocetehciwvv\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\vsfocetehciwvv\modules@vsfocerk.sys \systemroot\system32\drivers\vsfoceqierjepv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce@\tN@ 0x09 0x4E 0x40 0x00

---- EOF - GMER 1.0.15 ----

td_drive
2009-08-01, 00:22
DDS (Ver_09-07-30.01) - NTFSx86
Run by Tom at 22:13:08.47 on 31/07/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.668 [GMT 1:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Kontiki\KService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\TODDSrv.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Tom\Desktop\gmer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
E:\Program Files\AVG\AVG8\avgscanx.exe
E:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tom\Desktop\dds.scr
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://join.123cashsurveys.com/track/NTI4MzEuNS41LjYuMC4wLjAuMA
mDefault_Page_URL = hxxp://www.google.co.uk
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - e:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MJCore class: {d88e1558-7c2d-407a-953a-c044f5607cea} - c:\program files\jcore\Jcore2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [TOSCDSPD] TOSCDSPD.EXE
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [DAEMON Tools Lite] "e:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [Skytel] Skytel.exe
mRun: [AVG8_TRAY] e:\progra~1\avg\avg8\avgtray.exe
mRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
mRunOnce: [eM@] 654d4000
mRunOnce: [ N@] 094e4000
mRunOnce: [X0@] 58304000
mRunOnce: [İN@] dd4e4000
dRun: [A00F2AC64.exe] c:\windows\temp\_A00F2AC64.exe
dRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
dRun: [pridl] "c:\windows\system32\config\systemprofile\appdata\roaming\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
dRun: [GetPrimo] "c:\program files\getprimo\GetPrimo.exe"
mExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
dExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4
IE: {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00000130-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/ACELPACM.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.1.4.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - e:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\tom\appdata\roaming\mozilla\firefox\profiles\ufv9vvnl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: e:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\users\tom\appdata\roaming\videoegg\loader\4665\npvideoegg-loader.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-12 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-12 108552]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-9-19 7168]

=============== Created Last 30 ================

2009-07-31 11:41 <DIR> --d----- c:\program files\iPrimo
2009-07-31 11:41 <DIR> --d----- c:\program files\GetPrimo
2009-07-31 11:31 <DIR> --d----- c:\program files\Jcore
2009-07-28 14:09 <DIR> --dsh--- C:\found.000
2009-07-28 07:43 66,560 a------- c:\windows\system32\drivers\ppqbpvklmdxunddi.sys
2009-07-27 15:37 164,551,120 a------- c:\windows\MEMORY.DMP
2009-07-27 15:35 41,472 a------- c:\windows\system32\vsfoceorpecari.dll
2009-07-27 15:35 41,472 a------- c:\windows\system32\vsfocefxgptnut.dll
2009-07-27 15:35 66,560 a------- c:\windows\system32\drivers\vsfocevepdvbqb.sys
2009-07-27 15:35 66,560 a------- c:\windows\system32\drivers\vsfocexpyexxcr.sys
2009-07-27 10:05 267,040 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-07-27 10:05 5,696 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-07-27 10:05 3,329 a------- C:\rollback.ini
2009-07-27 09:44 <DIR> --d----- c:\programdata\ParetoLogic Anti-Virus PLUS
2009-07-27 09:44 <DIR> --d----- c:\programdata\ParetoLogic
2009-07-27 09:44 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-07-27 09:44 <DIR> --d----- c:\progra~2\ParetoLogic Anti-Virus PLUS
2009-07-27 09:44 <DIR> --d----- c:\progra~2\ParetoLogic
2009-07-27 09:22 0 a------- c:\windows\sc.exe
2009-07-26 09:49 <DIR> --d----- c:\users\tom\appdata\roaming\SmartDraw
2009-07-25 08:46 0 a------- c:\windows\SC.INS
2009-07-25 08:46 <DIR> --d----- c:\program files\Protection System
2009-07-24 05:04 0 a------- c:\windows\system32\_id.dat
2009-07-21 14:05 2,693 a------- c:\windows\system32\MRT.INI
2009-07-21 13:12 289,792 a------- c:\windows\system32\atmfd.dll
2009-07-21 13:12 156,672 a------- c:\windows\system32\t2embed.dll
2009-07-21 13:12 72,704 a------- c:\windows\system32\fontsub.dll
2009-07-21 13:12 10,240 a------- c:\windows\system32\dciman32.dll
2009-07-13 17:10 <DIR> --d----- c:\programdata\DAEMON Tools Lite
2009-07-13 17:10 <DIR> --d----- c:\progra~2\DAEMON Tools Lite
2009-07-13 17:05 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-13 17:04 <DIR> --d----- c:\users\tom\appdata\roaming\DAEMON Tools Lite
2009-07-12 10:58 442,368 a----r-- c:\windows\system32\vp6vfw.dll

==================== Find3M ====================

2009-07-27 10:07 9,216 a------- c:\windows\winhlp32.exe
2009-06-12 19:28 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-12 19:28 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-12 19:28 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-06 19:10 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-06 19:10 86,016 a------- c:\windows\inf\infstor.dat
2009-04-06 19:10 51,200 a------- c:\windows\inf\infpub.dat
2009-01-11 16:54 174 a--sh--- c:\program files\desktop.ini
2009-01-11 16:42 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:14:42.05 ===============

Thanks :)
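
The GMER and DDS logs above carry two clues a helper reads together: GMER flags a hidden service (vsfocetehciwvv, image vsfoceqierjepv.sys), and the DDS "Created Last 30" list shows freshly dropped files that share that naming prefix and identical byte sizes. The following is an added example (not part of the thread, and not a tool the helpers use) that automates that correlation over lines copied from the logs posted here; the regexes, function names and the two heuristics (shared name prefix with the hidden service, and several new .sys files of exactly the same size) are my own assumptions about how to triage such a log, not a documented DDS or GMER feature.

```python
"""Triage helper: correlate a GMER hidden-service hit with DDS 'Created Last 30' entries.

Added example, not part of the original thread.  Sample lines are copied from the
logs posted above; the parsing and the heuristics are my own assumptions.
"""
from __future__ import annotations

import os
import re
from collections import defaultdict
from typing import Optional

# Constructed sample input: the GMER service line and a few DDS entries from the thread.
GMER_SERVICE_LINE = (
    "Service system32\\drivers\\vsfoceqierjepv.sys (*** hidden *** ) [SYSTEM] "
    "vsfocetehciwvv <-- ROOTKIT !!!"
)

DDS_CREATED_LAST_30 = """\
2009-07-28 07:43 66,560 a------- c:\\windows\\system32\\drivers\\ppqbpvklmdxunddi.sys
2009-07-27 15:37 164,551,120 a------- c:\\windows\\MEMORY.DMP
2009-07-27 15:35 41,472 a------- c:\\windows\\system32\\vsfoceorpecari.dll
2009-07-27 15:35 41,472 a------- c:\\windows\\system32\\vsfocefxgptnut.dll
2009-07-27 15:35 66,560 a------- c:\\windows\\system32\\drivers\\vsfocevepdvbqb.sys
2009-07-27 15:35 66,560 a------- c:\\windows\\system32\\drivers\\vsfocexpyexxcr.sys
2009-07-21 13:12 289,792 a------- c:\\windows\\system32\\atmfd.dll
2009-07-13 17:05 721,904 a------- c:\\windows\\system32\\drivers\\sptd.sys
"""

# GMER "Service ... (*** hidden *** ) [SYSTEM] <name> <-- ROOTKIT" line (assumed layout).
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[\w+\]\s+"
    r"(?P<name>\S+)\s+<-- ROOTKIT"
)
# DDS "date time size attributes path" line (assumed layout).
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attr>\S+) (?P<path>.+)$"
)


def rootkit_prefix(gmer_line: str, min_len: int = 4) -> Optional[str]:
    """Return the naming prefix shared by the hidden service name and its image file."""
    m = SERVICE_RE.match(gmer_line)
    if not m:
        return None
    # Normalise backslashes so basename() also works when this runs on a non-Windows host.
    image_base = os.path.basename(m.group("image").replace("\\", "/")).lower()
    image_stem = os.path.splitext(image_base)[0]
    prefix = os.path.commonprefix([image_stem, m.group("name").lower()])
    return prefix if len(prefix) >= min_len else None


def parse_dds_created(text: str) -> list[dict]:
    """Parse DDS 'Created Last 30' lines into dicts; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        path = m.group("path").lower()
        entries.append({
            "date": m.group("date"),
            "size": int(m.group("size").replace(",", "")),
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return entries


def flag_suspicious(entries: list[dict], prefix: Optional[str],
                    size_cluster_min: int = 2) -> dict[str, list[str]]:
    """Map path -> reasons for entries that share the rootkit prefix or a driver size cluster."""
    by_size: dict[int, list[str]] = defaultdict(list)
    for e in entries:
        if "\\drivers\\" in e["path"] and e["path"].endswith(".sys"):
            by_size[e["size"]].append(e["path"])

    flagged: dict[str, list[str]] = {}
    for e in entries:
        reasons = []
        if prefix and e["name"].startswith(prefix):
            reasons.append(f"name shares prefix '{prefix}' with the GMER-hidden service image")
        cluster = by_size.get(e["size"], [])
        if e["path"] in cluster and len(cluster) >= size_cluster_min:
            reasons.append(f"one of {len(cluster)} new drivers with identical size {e['size']}")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged


if __name__ == "__main__":
    found_prefix = rootkit_prefix(GMER_SERVICE_LINE)
    for path, reasons in flag_suspicious(parse_dds_created(DDS_CREATED_LAST_30), found_prefix).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample above the script derives the prefix "vsfoce", flags the four vsfoce* files plus ppqbpvklmdxunddi.sys (same 66,560-byte size as two of the vsfoce drivers), and leaves MEMORY.DMP, atmfd.dll and sptd.sys alone. The size-cluster rule is deliberately a hint rather than a verdict: legitimate drivers from one vendor can also share a size, so a flagged path is something to hash and look up, not something to delete on sight.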

katana
2009-08-01, 02:13
Download and Run ComboFix
----------------------------------------------------------------------------------------

Download Combofix from the link below. Save it to your desktop.

> Link Removed <


--------------------------------------------------------------------

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click CleanFix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix.

td_drive
2009-08-01, 13:11
I'm getting this message:


!! Alert !! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised. PLease download a fresh copy from:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: You may be infected with a file patching virus 'Virut'

----------------------------------------------------
I tried downloading again and the same occurred.

katana
2009-08-01, 13:20
That sounds like very bad news.

Please run the following scan.

If any files get flagged as Virut you can stop the scan and let me know.


Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

td_drive
2009-08-01, 21:45
Site could not be found :(

katana
2009-08-01, 21:54
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window
c:\windows\system32\do_not_delete.exe
Click Submit/Send File

When the scan has finished, you can copy the URL from the browser address window and paste it in your reply.

Please do the same for the following files

C:\Windows\system32\wininit.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE

If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)

katana
2009-08-05, 14:12
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.