PDA

View Full Version : Click.giftload problem



Kvitrafn
2011-03-25, 12:29
Hi, I got a problem with Click.giftload. Spybot can't remove it. It seems that I'm not the only one with this problem.

Here is my DDS log, hope you will be able to help me.

Thanks

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tatiana at 11:18:05,89 on 25/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1451 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\TEMP\lryj\setup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Tatiana\Bureau\dds.com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uURLSearchHooks: Search Class: {08c06d61-f1f3-4799-86f8-be1a89362c85} - c:\program files\orange\connexion internet orange\searchurlhook\SearchPageURL.dll
BHO: Aide pour le lien d'Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX4400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticae.exe /fu "c:\windows\temp\E_SAB.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Vkonisayik] rundll32.exe "c:\windows\msaptil.dll",Startup
uRun: [Java] c:\docume~1\tatiana\locals~1\temp\KCO2E.exe
uRun: [Java] c:\docume~1\tatiana\locals~1\temp\KCO2E.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NeroFilterCheck] c:\program files\fichiers communs\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ORAHSSSessionManager] "c:\program files\orange\connexion internet orange\sessionmanager\SessionManager.exe"
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AMService] c:\windows\temp\lryj\setup.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\dmarra~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} = 212.27.53.252,212.27.54.252
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, maltrcgn.dll, mnrpaitr.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C83439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89c897d0]; MOV EAX, [0x89c8984c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A5C7AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CAE7B8]
\Driver\iastor[0x8A5EA938] -> IRP_MJ_CREATE -> 0x89C83439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488275966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 11:20:14,78 ===============

Blottedisk
2011-03-26, 04:33
Hi Kvitrafn,

Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Unfortunately your machine appears to have been infected by the TDSS rootkit/backdoor infection. These kind of malware is very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge.


If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks,
paypal, ebay, etc. You should also change the passwords for any other site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or
credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps

Although the TDSS infection can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that if this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:


When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html)

Note: Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help.


Please read the following for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim)
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm)
Internet Crime Complaint Center (IC3): Filing a Complaint (http://www.ic3.gov/default.aspx)
Guarding Against Computer Theft (http://www.microsoft.com/smallbusiness/support/checklist/guard-against-computer-theft.mspx)


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Step 1 | Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe ) to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png )
Click the image to enlarge it


Step 2 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )
Click the image to enlarge it

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).


Step 3 | Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe ) to your desktop.
Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

Kvitrafn
2011-03-27, 12:12
Thanks for your answer.

If I choose to reformat, can I just reformat the system disc (C:) and not the others dics ? Or do I have to reformat all the discs ?

If it's only C:, I'll do it, if it's evferything, I'll try to celan the pc.

Blottedisk
2011-03-27, 22:05
Hi Kvitrafn,


Unfortunately you'll have to format all your drives. If you only format the system drive, then this drive could become infected from the other drives.

Kvitrafn
2011-03-27, 22:10
All right. then I'll try to celan & remove the malware, since I plan to change my computer soon.
Thanks for your answer, I'll do what you told me to do in the second psot and post my log after.

Blottedisk
2011-03-27, 22:19
Alright :)

Kvitrafn
2011-03-27, 22:32
aswMBR :

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-27 21:12:34
-----------------------------
21:12:34.046 OS Version: Windows 5.1.2600 Service Pack 3
21:12:34.046 Number of processors: 2 586 0x604
21:12:34.046 ComputerName: ROMAIN UserName:
21:12:34.875 Initialize success
21:12:41.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
21:12:41.968 Disk 0 Vendor: Intel___ 1.0. Size: 238416MB BusType: 3
21:12:41.968 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
21:12:41.968 Disk 0 MBR read error
21:12:41.968 Disk 0 MBR scan
21:12:41.968 MBR BIOS signature not found 0
21:12:41.968 Disk 0 scanning sectors +488247480
21:12:41.968 Disk 0 scanning C:\WINDOWS\system32\drivers
21:12:46.218 Service scanning
21:12:47.234 Disk 0 trace - called modules:
21:12:47.234 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89c93439]<<
21:12:47.234 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89cc5ab8]
21:12:47.234 3 CLASSPNP.SYS -> nt!IofCallDriver -> [0x89c33ab0]
21:12:47.234 \Driver\iastor[0x89cbd9d0] -> IRP_MJ_CREATE -> 0x89c93439
21:12:47.234 Scan finished successfully


[B]MBRCheck :

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000017fd

Kernel Drivers (total 123):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0x89BFD000 \WINDOWS\system32\KDCOM.DLL
0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
0xB9EA6000 spwc.sys
0xBA5A8000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xB9E8E000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xB9E5F000 ACPI.sys
0xB9E4E000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9E2F000 ftdisk.sys
0xBA5AA000 dmload.sys
0xB9E09000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9D52000 iaStor.sys
0xB9D3A000 atapi.sys
0xBA338000 cercsr6.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9D1A000 fltmgr.sys
0xB9D08000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9CF1000 KSecDD.sys
0xB9C64000 Ntfs.sys
0xB9C37000 NDIS.sys
0xB9C1D000 Mup.sys
0xBA228000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB84B4000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB84A0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8478000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB844B000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA418000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8427000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA420000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB83E6000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xBA428000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA238000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA248000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB83C3000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA430000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xBA258000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA5E0000 \SystemRoot\system32\DRIVERS\serscan.sys
0xBA6E8000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB95F1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB83AC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA288000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA298000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA438000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB839B000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA440000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA448000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB836B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA450000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA458000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5E2000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB830D000 \SystemRoot\system32\DRIVERS\update.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8B3E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB0C2B000 \SystemRoot\system32\drivers\sthda.sys
0xB0C07000 \SystemRoot\system32\drivers\portcls.sys
0xB2A01000 \SystemRoot\system32\drivers\drmk.sys
0xB29E1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA646000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB29D1000 \SystemRoot\system32\drivers\libusb0.sys
0xB1F64000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA648000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB1D18000 \SystemRoot\System32\Drivers\Null.SYS
0xBA64A000 \SystemRoot\System32\Drivers\Beep.SYS
0xB1F54000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB1CBA000 \SystemRoot\System32\drivers\vga.sys
0xBA64C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA64E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB1CB2000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB1CAA000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB259E000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0BB4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB0B5B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1EB6000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xB0B35000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB0B0D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB1EA6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB0AEB000 \SystemRoot\System32\drivers\afd.sys
0xB1E96000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB0AC0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB0A50000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB1E86000 \SystemRoot\System32\Drivers\Fips.SYS
0xB0A29000 \SystemRoot\System32\Drivers\aswSP.SYS
0xB1C9A000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xADE56000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAD930000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD447000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAD920000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAD43B000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xAC877000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xACA79000 \SystemRoot\System32\drivers\Dxapi.sys
0xADE36000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7FF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xABDBE000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBF596000 \SystemRoot\System32\ATMFD.DLL
0xB9BA8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xB5761000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xABDA7000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xABC2A000 \SystemRoot\system32\drivers\wdmaud.sys
0xACFD4000 \SystemRoot\system32\drivers\sysaudio.sys
0xAB13E000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAA269000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9718000 \SystemRoot\system32\DRIVERS\srv.sys
0xAD323000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xA848D000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA8384000 \SystemRoot\system32\drivers\kmixer.sys
0xA8C21000 \??\C:\DOCUME~1\Tatiana\LOCALS~1\Temp\aswMBR.sys
0xA836B000 \??\C:\DOCUME~1\Tatiana\LOCALS~1\Temp\pxtdrpoc.sys
0x7C910000 \WINDOWS\system32\ntdll.dll

Processes (total 54):
0 System Idle Process
4 System
812 C:\WINDOWS\system32\smss.exe
868 C:\WINDOWS\system32\csrss.exe
892 C:\WINDOWS\system32\winlogon.exe
940 C:\WINDOWS\system32\services.exe
952 C:\WINDOWS\system32\lsass.exe
1132 C:\WINDOWS\system32\svchost.exe
1212 C:\WINDOWS\system32\svchost.exe
1360 C:\WINDOWS\system32\svchost.exe
1452 C:\WINDOWS\system32\svchost.exe
1636 C:\WINDOWS\system32\svchost.exe
1984 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
300 C:\WINDOWS\explorer.exe
848 C:\WINDOWS\system32\spoolsv.exe
1192 C:\WINDOWS\ehome\ehtray.exe
1276 C:\WINDOWS\stsystra.exe
1304 C:\Program Files\iTunes\iTunesHelper.exe
1320 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
1420 C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
1488 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
1572 C:\WINDOWS\system32\ctfmon.exe
1584 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
1700 C:\WINDOWS\system32\rundll32.exe
352 C:\Program Files\Digital Line Detect\DLG.exe
1536 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
512 C:\WINDOWS\system32\svchost.exe
2064 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
2204 C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
2376 C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
2424 C:\WINDOWS\ehome\ehrecvr.exe
2512 C:\WINDOWS\ehome\ehSched.exe
2668 C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2796 C:\Program Files\Java\jre6\bin\jqs.exe
2920 C:\WINDOWS\system32\libusbd-nt.exe
3136 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
3148 C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
3200 C:\WINDOWS\system32\nvsvc32.exe
3340 C:\WINDOWS\system32\svchost.exe
3460 C:\WINDOWS\system32\svchost.exe
3600 C:\WINDOWS\ehome\mcrdsvc.exe
2336 C:\Program Files\iPod\bin\iPodService.exe
2612 C:\WINDOWS\system32\dllhost.exe
308 C:\WINDOWS\system32\alg.exe
3240 C:\WINDOWS\ehome\ehmsas.exe
4036 C:\Program Files\Internet Explorer\iexplore.exe
2712 C:\Program Files\Internet Explorer\iexplore.exe
2500 C:\Program Files\Internet Explorer\iexplore.exe
3440 C:\Program Files\Internet Explorer\iexplore.exe
5296 C:\WINDOWS\Temp\lryj\setup.exe
6016 C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe
3784 C:\WINDOWS\system32\wscntfy.exe
3232 C:\WINDOWS\system32\HPZinw12.exe
5228 C:\Documents and Settings\Tatiana\Bureau\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000c`34f34a00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x0000001e`845f7c00 (NTFS)
\\.\M: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number:
PhysicalDrive5 Model Number: SAMSUNGHM160JI, Rev:

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: 8637A6CD1F8DC55758E12C0B860CDE1133CA5719
149 GB \\.\PhysicalDrive5 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Kvitrafn
2011-03-27, 22:34
GMER (pt1) :

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-27 21:33:02
Windows 5.1.2600 Service Pack 3
Running: w1l3bdcc.exe; Driver: C:\DOCUME~1\Tatiana\LOCALS~1\Temp\pxtdrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB0A31CF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB0A31BAC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB0A32160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB0A3208A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB0A31782]
SSDT spwc.sys ZwEnumerateKey [0xB9EC5CA4]
SSDT spwc.sys ZwEnumerateValueKey [0xB9EC6032]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB0A31C86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB0A316C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB0A31726]
SSDT spwc.sys ZwQueryKey [0xB9EC610A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB0A31DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB0A3222E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB0A31D66]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB0A31EE6]

INT 0x62 ? 8A620BF8
INT 0x63 ? 8A691BF8
INT 0x84 ? 8A690BF8
INT 0x94 ? 8A690BF8
INT 0xA4 ? 8A690BF8
INT 0xB4 ? 8A690BF8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB0A3EBAE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB0A3E9D2]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB0A3EB0C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 80584160 7 Bytes JMP B0A3EB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!NtCreateSection 805AB3C8 7 Bytes JMP B0A3E9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC556 5 Bytes JMP B0A3A5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FDA 5 Bytes JMP B0A3BFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP B0A3EBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? spwc.sys Le fichier spécifié est introuvable. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB84B4360, 0x307AC7, 0xE8000020]
.text USBPORT.SYS!DllUnload B843F8AC 5 Bytes JMP 8A6901D8
? C:\DOCUME~1\Tatiana\LOCALS~1\Temp\aswMBR.sys Le fichier spécifié est introuvable. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00CE000C
.text C:\WINDOWS\Explorer.EXE[300] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
.text C:\WINDOWS\Explorer.EXE[300] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
.text C:\WINDOWS\Explorer.EXE[300] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
.text C:\WINDOWS\Explorer.EXE[300] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
.text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\Digital Line Detect\DLG.exe[352] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\Digital Line Detect\DLG.exe[352] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\Digital Line Detect\DLG.exe[352] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\Digital Line Detect\DLG.exe[352] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\Digital Line Detect\DLG.exe[352] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\svchost.exe[512] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\svchost.exe[512] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\svchost.exe[512] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\svchost.exe[512] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\svchost.exe[512] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\svchost.exe[512] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\spoolsv.exe[848] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\spoolsv.exe[848] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\spoolsv.exe[848] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\spoolsv.exe[848] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\spoolsv.exe[848] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\spoolsv.exe[848] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\winlogon.exe[892] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\winlogon.exe[892] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\winlogon.exe[892] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\lsass.exe[952] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\lsass.exe[952] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\lsass.exe[952] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\lsass.exe[952] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\svchost.exe[1132] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\svchost.exe[1132] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\svchost.exe[1132] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\svchost.exe[1132] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\svchost.exe[1132] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\svchost.exe[1132] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\ehome\ehtray.exe[1192] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\ehome\ehtray.exe[1192] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\ehome\ehtray.exe[1192] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\ehome\ehtray.exe[1192] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\ehome\ehtray.exe[1192] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\ehome\ehtray.exe[1192] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\svchost.exe[1212] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\svchost.exe[1212] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\svchost.exe[1212] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\svchost.exe[1212] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\svchost.exe[1212] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\stsystra.exe[1276] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\stsystra.exe[1276] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\stsystra.exe[1276] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\stsystra.exe[1276] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\stsystra.exe[1276] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\stsystra.exe[1276] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Program Files\iTunes\iTunesHelper.exe[1304] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[1320] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtProtectVirtualMemory 7C91D6EE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!NtWriteVirtualMemory 7C91DFAE 5 Bytes JMP 00E5000A
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!KiUserExceptionDispatcher 7C91E47C 5 Bytes JMP 00E3000C
.text C:\WINDOWS\System32\svchost.exe[1360] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\System32\svchost.exe[1360] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\System32\svchost.exe[1360] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\System32\svchost.exe[1360] USER32.dll!GetCursorPos 7E3A974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1360] ole32.dll!CoCreateInstance 774BF1AC 5 Bytes JMP 00FB000A
.text C:\WINDOWS\System32\svchost.exe[1360] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe[1420] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\svchost.exe[1452] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\svchost.exe[1452] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\svchost.exe[1452] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\svchost.exe[1452] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1536] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299

Kvitrafn
2011-03-27, 22:35
GMER (pt2) :

.text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\ctfmon.exe[1572] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\ctfmon.exe[1572] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\ctfmon.exe[1572] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\ctfmon.exe[1572] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\ctfmon.exe[1572] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\ctfmon.exe[1572] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] wininet.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] crypt32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1584] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\svchost.exe[1636] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\svchost.exe[1636] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\svchost.exe[1636] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\svchost.exe[1636] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\svchost.exe[1636] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\svchost.exe[1636] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\svchost.exe[1636] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\svchost.exe[1636] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\svchost.exe[1636] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\svchost.exe[1636] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\system32\svchost.exe[1636] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\rundll32.exe[1700] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\rundll32.exe[1700] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\rundll32.exe[1700] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\rundll32.exe[1700] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\rundll32.exe[1700] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\rundll32.exe[1700] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\rundll32.exe[1700] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\rundll32.exe[1700] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\rundll32.exe[1700] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\rundll32.exe[1700] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\rundll32.exe[1700] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1984] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe[2204] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BB7B481
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BB7EAB0
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BB7B7A4
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BB7BCF9
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BB7E9C0
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BB6DD81
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BB7B36C
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BB81B7A
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BB81A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BB7EBCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BB81CD8
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BB7E299
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BB7B481
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BB7EAB0
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BB7B7A4
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BB7BCF9
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BB7E9C0
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BB6DD81
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BB7B36C
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BB81B7A
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BB81A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BB7EBCA
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BB81CD8
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
.text C:\Program Files\Internet Explorer\iexplore.exe[2712] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BB7E299
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3136] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\WINDOWS\eHome\ehmsas.exe[3240] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\eHome\ehmsas.exe[3240] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\eHome\ehmsas.exe[3240] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\eHome\ehmsas.exe[3240] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\eHome\ehmsas.exe[3240] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\eHome\ehmsas.exe[3240] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\eHome\ehmsas.exe[3240] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\eHome\ehmsas.exe[3240] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\eHome\ehmsas.exe[3240] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\eHome\ehmsas.exe[3240] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BB7B481
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BB7EAB0
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BB7B7A4
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BB7BCF9
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BB7E9C0
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BB6DD81
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BB7B36C
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BB81B7A
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BB81A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BB7EBCA
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BB81CD8
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
.text C:\Program Files\Internet Explorer\iexplore.exe[3440] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BB7E299
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BB7B481
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BB7EAB0
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BB7B7A4
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BB7BCF9
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BB7E9C0
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BB6DD81
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BB7B36C
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BB81B7A
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BB81A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BB7EBCA
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BB81CD8
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
.text C:\Program Files\Internet Explorer\iexplore.exe[4036] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BB7E299
.text C:\WINDOWS\system32\wscntfy.exe[4236] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BADADE3
.text C:\WINDOWS\system32\wscntfy.exe[4236] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BAE66A5
.text C:\WINDOWS\system32\wscntfy.exe[4236] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BAF4DEB
.text C:\WINDOWS\system32\wscntfy.exe[4236] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BADAB2D
.text C:\WINDOWS\system32\wscntfy.exe[4236] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BAE675B
.text C:\WINDOWS\system32\wscntfy.exe[4236] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BAF4A78
.text C:\WINDOWS\system32\wscntfy.exe[4236] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BADCA54
.text C:\WINDOWS\system32\wscntfy.exe[4236] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BAED9C5
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BAEB481
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BAEEAB0
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BAEB7A4
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BAEBCF9
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BAEE9C0
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BADDD81
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BAEB36C
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BAF1B7A
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BAF1A1C
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BAEEBCA
.text C:\WINDOWS\system32\wscntfy.exe[4236] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BAF1CD8
.text C:\WINDOWS\system32\wscntfy.exe[4236] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BAE20ED
.text C:\WINDOWS\system32\wscntfy.exe[4236] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BAEE299
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtEnumerateValueKey 7C91D2EE 8 Bytes JMP 0BB6ADE3
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtQueryDirectoryFile 7C91D76E 8 Bytes JMP 0BB766A5
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtResumeThread 7C91DB3E 8 Bytes JMP 0BB84DEB
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtSetInformationFile 7C91DC5E 8 Bytes JMP 0BB6AB2D
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!NtVdmControl 7C91DF1E 8 Bytes JMP 0BB7675B
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ntdll.dll!LdrLoadDll 7C92632D 8 Bytes JMP 0BB84A78
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] ADVAPI32.dll!CryptEncrypt 77DBE360 8 Bytes JMP 0BB7D9C5
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] USER32.dll!TranslateMessage 7E398BF6 8 Bytes JMP 0BB6CA54
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetQueryOptionA 404B0049 8 Bytes JMP 0BB7B481
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetReadFile 404B654B 8 Bytes JMP 0BB7EAB0
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpQueryInfoA 404B878D 8 Bytes JMP 0BB7B7A4
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetCloseHandle 404B9088 8 Bytes JMP 0BB7BCF9
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetQueryDataAvailable 404BBF83 8 Bytes JMP 0BB7E9C0
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpAddRequestHeadersA 404BCF4E 8 Bytes JMP 0BB6DD81
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpOpenRequestA 404BD508 8 Bytes JMP 0BB7B36C
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpSendRequestW 404BFABE 8 Bytes JMP 0BB81B7A
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!HttpSendRequestA 404CEE89 8 Bytes JMP 0BB81A1C
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetReadFileExA 404D3381 8 Bytes JMP 0BB7EBCA
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WININET.dll!InternetWriteFile 4051608E 8 Bytes JMP 0BB81CD8
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] CRYPT32.dll!PFXImportCertStore 77A4FF8F 8 Bytes JMP 0BB720ED
.text C:\Documents and Settings\Tatiana\Bureau\w1l3bdcc.exe[6016] WS2_32.dll!send 719F4C27 8 Bytes JMP 0BB7E299

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Ntfs \Ntfs 8A68F1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Fastfat \FatCdrom 8926F1F8

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBPDO-0 89B861F8
Device \Driver\usbuhci \Device\USBPDO-1 89B861F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6211F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6211F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6211F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6211F8
Device \Driver\usbuhci \Device\USBPDO-2 89B861F8
Device \Driver\usbuhci \Device\USBPDO-3 89B861F8
Device \Driver\usbstor \Device\00000060 899423E8
Device \Driver\usbehci \Device\USBPDO-4 89B591F8
Device \Driver\usbstor \Device\00000061 899423E8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbstor \Device\00000062 899423E8
Device \Driver\usbstor \Device\00000063 899423E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6921F8
Device \Driver\usbstor \Device\00000064 899423E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6921F8
Device \Driver\usbstor \Device\00000065 899423E8
Device \Driver\Cdrom \Device\CdRom0 89B4D1F8
Device \Driver\iastor \Device\Ide\iaStor0 [B9D8A5D0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9D43B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9D43B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9D43B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBT_Tcpip_{1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} 892F31F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A6921F8
Device \Driver\usbstor \Device\00000066 899423E8
Device \Driver\Cdrom \Device\CdRom1 89B4D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8A6921F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 892F31F8
Device \Driver\NetBT \Device\NetbiosSmb 892F31F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{FCA1E7DB-D53F-4401-AD4B-2260038C251D} 892F31F8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBFDO-0 89B861F8
Device \Driver\usbuhci \Device\USBFDO-1 89B861F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 892D61F8
Device \Driver\usbuhci \Device\USBFDO-2 89B861F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 892D61F8
Device \Driver\usbuhci \Device\USBFDO-3 89B861F8
Device \Driver\usbehci \Device\USBFDO-4 89B591F8
Device \Driver\Ftdisk \Device\FtControl 8A6921F8
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
Device \FileSystem\Fastfat \Fat 8926F1F8

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 892931F8
Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x36 0x43 0x8A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0xDB 0x0B 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x65 0xC5 0x65 0xF1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x51 0x27 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x36 0x43 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0xDB 0x0B 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x65 0xC5 0x65 0xF1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x51 0x27 0x05 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD6 0x36 0x43 0x8A ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x48 0xDB 0x0B 0xB4 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x65 0xC5 0x65 0xF1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x37 0x51 0x27 0x05 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Recycle.Bin.exe C:\Recycle.Bin\Recycle.Bin.exe

---- EOF - GMER 1.0.15 ----

Blottedisk
2011-03-28, 04:50
Hi Kvitrafn,


Please visit the following and have a look how you can disable your security software.

How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260 )

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe )
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe )

--------------------------------------------------------------------

Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix )

Kvitrafn
2011-03-28, 10:08
Here it is :

ComboFix 11-03-27.01 - Tatiana 28/03/2011 8:43.1.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1647 [GMT 2:00]
Lancé depuis: c:\documents and settings\Tatiana\Bureau\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Tatiana\Recent\Thumbs.db
C:\Recycle.Bin
c:\recycle.bin\config.bin
c:\recycle.bin\Recycle.Bin.exe
c:\windows\msaptil.dll
c:\windows\system32\tmp.tmp
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-02-28 au 2011-03-28 ))))))))))))))))))))))))))))))))))))
.
.
2011-03-24 13:54 . 2011-03-24 13:54 -------- d-----w- c:\documents and settings\Tatiana\Local Settings\Application Data\Deployment
2011-03-24 07:26 . 2011-03-24 07:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-14 21:47 . 2011-03-14 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2011-03-05 14:50 . 2011-03-05 14:54 -------- d-----w- C:\wamp
2011-03-01 09:32 . 2011-03-01 09:32 -------- d-----w- C:\found.001
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 16:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 16:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:59 . 2008-03-18 10:19 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-03-18 10:19 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:04 . 2004-08-10 12:00 1855104 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"NeroFilterCheck"="c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-18 24576]
D‚marrage rapide de HP Photosmart Premier.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, maltrcgn.dll, mnrpaitr.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Quake2\\quake2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_12\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.17\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:UDP port 443 ooVoo
"37674:TCP"= 37674:TCP:*:Disabled:TCP port 37674 ooVoo
"37674:UDP"= 37674:UDP:*:Disabled:UDP port 37674 ooVoo
"37675:UDP"= 37675:UDP:*:Disabled:UDP port 37675 ooVoo
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06/11/2008 17:59 721904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/04/2008 14:02 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/04/2008 14:02 17744]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [16/03/2009 14:37 33792]
S2 AMService;AMService;c:\windows\TEMP\lryj\setup.exe run --> c:\windows\TEMP\lryj\setup.exe run [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/12/2008 12:09 1527900]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\DRIVERS\xpadfl02.sys --> c:\windows\system32\DRIVERS\xpadfl02.sys [?]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} = 212.27.53.252,212.27.54.252
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
.
- - - - ORPHELINS SUPPRIMES - - - -
.
HKCU-Run-Vkonisayik - c:\windows\msaptil.dll
HKCU-Run-Recycle.Bin.exe - c:\recycle.bin\Recycle.Bin.exe
HKLM-Run-ORAHSSSessionManager - c:\program files\Orange\Connexion Internet Orange\SessionManager\SessionManager.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-OpenAL - c:\program files\OpenAL\oalinst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 08:57
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C88439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89c8e7d0]; MOV EAX, [0x89c8e84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89CA7AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A5FF1D0]
\Driver\iastor[0x8A5EDF38] -> IRP_MJ_CREATE -> 0x89C88439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488275966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs chargées dans les processus actifs ---------------------
.
- - - - - - - > 'explorer.exe'(2308)
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Autres processus actifs ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Heure de fin: 2011-03-28 09:05:51 - La machine a redémarré
ComboFix-quarantined-files.txt 2011-03-28 07:05
.
Avant-CF: 15*711*535*104 octets libres
Après-CF: 17*337*106*432 octets libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - FE85002D03D34031CCBFBDE1FB398C20

Blottedisk
2011-03-28, 16:53
Hi Kvitrafn,


You are using peer-to-peer programs, specifically uTorrent. These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do. If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix. Please do the following:


ComboFix - CFScript

WARNING !
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System... preventing it from starting again!

You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

Please open Notepad and copy/paste all the text below... into the window:


File::
C:\WINDOWS\SYSTEM32\maltrcgn.dll
C:\WINDOWS\SYSTEM32\mnrpaitr.dll

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Save it to your desktop as CFScript.txt
Please disable any Antivirus or Firewall you have active, as shown in this topic (http://www.bleepingcomputer.com/forums/topic114351.html). Please close all open application windows.
Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:

http://i526.photobucket.com/albums/cc345/MPKwings/ComboFixScriptDrag.gif

This will cause ComboFix to run again.
Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
Do Not touch your computer when ComboFix is running!
When finished... Notepad will open ... ComboFix will produce a log file called "log.txt".
Please copy/paste the contents of log.txt... in your next reply.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **

Kvitrafn
2011-03-28, 20:46
I removed utorrent, I didn't use it anyway.

Here is my log :

ComboFix 11-03-27.01 - Tatiana 28/03/2011 19:27:03.2.2 - x86
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1596 [GMT 2:00]
Lancé depuis: c:\documents and settings\Tatiana\Bureau\ComboFix.exe
Commutateurs utilisés :: c:\documents and settings\Tatiana\Bureau\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\SYSTEM32\maltrcgn.dll"
"c:\windows\SYSTEM32\mnrpaitr.dll"
.
.
(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((( Fichiers créés du 2011-02-28 au 2011-03-28 ))))))))))))))))))))))))))))))))))))
.
.
2011-03-28 13:04 . 2011-03-28 13:04 -------- d-----r- c:\documents and settings\NetworkService\Favoris
2011-03-24 13:54 . 2011-03-24 13:54 -------- d-----w- c:\documents and settings\Tatiana\Local Settings\Application Data\Deployment
2011-03-24 07:26 . 2011-03-24 07:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-03-14 21:47 . 2011-03-14 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2011-03-05 14:50 . 2011-03-05 14:54 -------- d-----w- C:\wamp
2011-03-01 09:32 . 2011-03-01 09:32 -------- d-----w- C:\found.001
.
.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 16:48 . 2004-08-10 12:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 16:48 . 2004-08-10 12:00 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:59 . 2008-03-18 10:19 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-03-18 10:19 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-10 12:00 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 14:04 . 2004-08-10 12:00 1855104 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-28_06.58.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-28 17:23 . 2011-03-28 17:23 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
.
((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968]
"NeroFilterCheck"="c:\program files\Fichiers communs\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SunJavaUpdateSched"="c:\program files\Fichiers communs\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Menu D‚marrer\Programmes\D‚marrage\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-3-18 24576]
D‚marrage rapide de HP Photosmart Premier.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Quake2\\quake2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_12\\bin\\java.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.17\\bin\\httpd.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:UDP port 443 ooVoo
"37674:TCP"= 37674:TCP:*:Disabled:TCP port 37674 ooVoo
"37674:UDP"= 37674:UDP:*:Disabled:UDP port 37674 ooVoo
"37675:UDP"= 37675:UDP:*:Disabled:UDP port 37675 ooVoo
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [06/11/2008 17:59 721904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [04/04/2008 14:02 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [04/04/2008 14:02 17744]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [16/03/2009 14:37 33792]
S2 AMService;AMService;c:\windows\TEMP\lryj\setup.exe run --> c:\windows\TEMP\lryj\setup.exe run [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/12/2008 12:09 1527900]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\DRIVERS\xpadfl02.sys --> c:\windows\system32\DRIVERS\xpadfl02.sys [?]
.
.
------- Examen supplémentaire -------
.
uStart Page = hxxp://www.google.fr/
IE: E&xporter vers Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} = 212.27.53.252,212.27.54.252
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 19:36
Windows 5.1.2600 Service Pack 3 NTFS
.
Recherche de processus cachés ...
.
Recherche d'éléments en démarrage automatique cachés ...
.
Recherche de fichiers cachés ...
.
Scan terminé avec succès
Fichiers cachés: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C82439]<<
c:\docume~1\Tatiana\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89c887d0]; MOV EAX, [0x89c8884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A5C0AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CA17E8]
\Driver\iastor[0x8A5F35F8] -> IRP_MJ_CREATE -> 0x89C82439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAIDHOME1.0.00__#4&674c230&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488275966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
**************************************************************************
.
--------------------- CLES DE REGISTRE BLOQUEES ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•9~*]
"C040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
Heure de fin: 2011-03-28 19:39:37
ComboFix-quarantined-files.txt 2011-03-28 17:39
ComboFix2.txt 2011-03-28 07:05
.
Avant-CF: 17*137*967*104 octets libres
Après-CF: 17*292*525*568 octets libres
.
- - End Of File - - 92D3C1AE64766689EF110A859F4B7590

Blottedisk
2011-03-28, 21:36
Hi Kvitrafn,


Combofix is removing the infection, but it somehow reappears. Please follow these steps:


Step 1 | Please go to the following site to scan a file: Virus Total (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.virustotal.com)

Click on Browse, and upload the following file for analysis:

C\WINDOWS\system32\FM20ENU.DLL

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

Step 2 | Please download TDSSKiller from one of the following mirrors and save it in your desktop:

This is THE Mirror (http://support.kaspersky.com/downloads/utils/tdsskiller.zip )

Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png


If a suspicious file is detected, the default action will be Skip, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious-1.png


It may ask you to reboot the computer to complete the process. Click on Reboot Now.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png


If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and
paste the contents of that file here.

Step 3 | Please download mbr.exe from one of the following mirrors and save it to your desktop:


This is THE Mirror (http://www2.gmer.net/mbr/mbr.exe)

--------------------------------------------------------------------


Double click on mbr.exe to run it (Vista/Windows 7 users double click the file and choose "Run as administrator").
Please open the file mbr.log and post it's contents in your next reply. You will find this file in the same location as mbr.exe (probably in your desktop)

Kvitrafn
2011-03-28, 22:15
Antivirus Version Last Update Result
AhnLab-V3 2011.03.26.00 2011.03.25 -
AntiVir 7.11.5.79 2011.03.25 -
Antiy-AVL 2.0.3.7 2011.03.26 -
Avast 4.8.1351.0 2011.03.26 -
Avast5 5.0.677.0 2011.03.26 -
AVG 10.0.0.1190 2011.03.26 -
BitDefender 7.2 2011.03.26 -
CAT-QuickHeal 11.00 2011.03.26 -
ClamAV 0.96.4.0 2011.03.26 -
Commtouch 5.2.11.5 2011.03.24 -
Comodo 8111 2011.03.26 -
DrWeb 5.0.2.03300 2011.03.26 -
Emsisoft 5.1.0.4 2011.03.26 -
eSafe 7.0.17.0 2011.03.24 -
eTrust-Vet 36.1.8236 2011.03.25 -
F-Prot 4.6.2.117 2011.03.26 -
F-Secure 9.0.16440.0 2011.03.23 -
Fortinet 4.2.254.0 2011.03.26 -
GData 21 2011.03.26 -
Ikarus T3.1.1.97.0 2011.03.26 -
Jiangmin 13.0.900 2011.03.26 -
K7AntiVirus 9.94.4219 2011.03.26 -
Kaspersky 7.0.0.125 2011.03.26 -
McAfee 5.400.0.1158 2011.03.26 -
McAfee-GW-Edition 2010.1C 2011.03.26 -
Microsoft 1.6702 2011.03.26 -
NOD32 5987 2011.03.26 -
Norman 6.07.03 2011.03.26 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.26 -
PCTools 7.0.3.5 2011.03.26 -
Prevx 3.0 2011.03.28 -
Rising 23.50.05.05 2011.03.26 -
Sophos 4.64.0 2011.03.26 -
SUPERAntiSpyware 4.40.0.1006 2011.03.26 -
Symantec 20101.3.0.103 2011.03.26 -
TheHacker 6.7.0.1.157 2011.03.26 -
TrendMicro 9.200.0.1012 2011.03.26 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.26 -
VBA32 3.12.14.3 2011.03.25 -
VIPRE 8825 2011.03.26 -
ViRobot 2011.3.26.4378 2011.03.26 -
VirusBuster 13.6.270.0 2011.03.25 -

MD5 : 35c4aee0b4742b1ee00a68d9743b818f
SHA1 : d7b2aec3cccb089fb0b1befe2f371255d18137bd
SHA256: 6b207e59186f061232a7adbdc8dfe66d09c05d3f820c2d679943a1cfc7fd9593
ssdeep: 384:veOWJ8Y6WhyYSwyuRjhuFNczJCoWOKguEznhu1jRaeWTFP:WXFyPwyuRjTCoWOKE1u1jRae
qP
File size : 35440 bytes
First seen: 2009-02-11 18:01:02
Last seen : 2011-03-28 19:08:03
TrID:
Win16/32 Executable Delphi generic (33.9%)
Generic Win/DOS Executable (32.7%)
DOS Executable Generic (32.7%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: Copyright(c) Microsoft Corp. 1993-2003
product......: Microsoft_ Forms
description..: Microsoft_ Forms International DLL
original name: fm20enu.DLL
internal name: fm20enu
file version.: 11.0.8161
comments.....: n/a
signers......: Microsoft Corporation
Microsoft Code Signing PCA
Microsoft Root Authority
signing date.: 4:17 AM 3/23/2007
verified.....: -

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x0
timedatestamp....: 0x460082AC (Wed Mar 21 00:56:12 2007)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.rdata, 0x1000, 0x70, 0x200, 0.40, 4ffbc0f3f4f1845d3947234e806199ee
.rsrc, 0x2000, 0x5B18, 0x5C00, 3.75, 4f68301bf8ca5566376f0243aace9a32
.reloc, 0x8000, 0xC, 0x200, 0.02, 2c38765194d27b75f56d0565088a53ee



VT Community

Kvitrafn
2011-03-28, 22:21
TDSSKiller :

2011/03/28 21:16:54.0309 1380 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/28 21:16:54.0559 1380 ================================================================================
2011/03/28 21:16:54.0559 1380 SystemInfo:
2011/03/28 21:16:54.0559 1380
2011/03/28 21:16:54.0559 1380 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/28 21:16:54.0559 1380 Product type: Workstation
2011/03/28 21:16:54.0559 1380 ComputerName: ROMAIN
2011/03/28 21:16:54.0559 1380 UserName: Tatiana
2011/03/28 21:16:54.0559 1380 Windows directory: C:\WINDOWS
2011/03/28 21:16:54.0559 1380 System windows directory: C:\WINDOWS
2011/03/28 21:16:54.0559 1380 Processor architecture: Intel x86
2011/03/28 21:16:54.0559 1380 Number of processors: 2
2011/03/28 21:16:54.0559 1380 Page size: 0x1000
2011/03/28 21:16:54.0559 1380 Boot type: Normal boot
2011/03/28 21:16:54.0559 1380 ================================================================================
2011/03/28 21:16:55.0544 1380 Initialize success
2011/03/28 21:17:43.0626 4000 ================================================================================
2011/03/28 21:17:43.0626 4000 Scan started
2011/03/28 21:17:43.0626 4000 Mode: Manual;
2011/03/28 21:17:43.0626 4000 ================================================================================
2011/03/28 21:17:44.0205 4000 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/03/28 21:17:44.0298 4000 ACPI (e5e6dbfc41ea8aad005cb9a57a96b43b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/28 21:17:44.0330 4000 ACPIEC (e4abc1212b70bb03d35e60681c447210) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/28 21:17:44.0376 4000 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/28 21:17:44.0423 4000 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/28 21:17:44.0705 4000 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/03/28 21:17:44.0751 4000 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/03/28 21:17:44.0783 4000 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/03/28 21:17:44.0814 4000 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys
2011/03/28 21:17:44.0861 4000 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/03/28 21:17:44.0908 4000 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/28 21:17:44.0923 4000 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/28 21:17:44.0986 4000 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/28 21:17:45.0017 4000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/28 21:17:45.0064 4000 BCM43XX (ebf36d658d0da5b1ea667fa403919c26) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/03/28 21:17:45.0095 4000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/28 21:17:45.0205 4000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/28 21:17:45.0283 4000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/28 21:17:45.0314 4000 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/28 21:17:45.0330 4000 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/28 21:17:45.0377 4000 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/03/28 21:17:45.0627 4000 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/28 21:17:45.0673 4000 dmboot (f5deadd42335fb33edca74ecb2f36cba) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/28 21:17:45.0705 4000 dmio (5a7c47c9b3f9fb92a66410a7509f0c71) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/28 21:17:45.0736 4000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/28 21:17:45.0767 4000 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/28 21:17:45.0814 4000 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/28 21:17:45.0845 4000 e1express (0849eacdc01487573add86f5e470806c) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/03/28 21:17:45.0892 4000 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/28 21:17:45.0923 4000 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/28 21:17:45.0955 4000 Fips (31f923eb2170fc172c81abda0045d18c) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/28 21:17:45.0986 4000 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/28 21:17:46.0002 4000 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/28 21:17:46.0033 4000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/28 21:17:46.0048 4000 Ftdisk (a86859b77b908c18c2657f284aa29fe3) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/28 21:17:46.0095 4000 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/03/28 21:17:46.0127 4000 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/28 21:17:46.0158 4000 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/28 21:17:46.0220 4000 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/28 21:17:46.0314 4000 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/28 21:17:46.0392 4000 i8042prt (a09bdc4ed10e3b2e0ec27bb94af32516) C:\WINDOWS\system32\drivers\i8042prt.sys
2011/03/28 21:17:46.0423 4000 iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/03/28 21:17:46.0439 4000 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/28 21:17:46.0502 4000 intelppm (ad340800c35a42d4de1641a37feea34c) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/28 21:17:46.0533 4000 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/28 21:17:46.0549 4000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/28 21:17:46.0595 4000 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/28 21:17:46.0642 4000 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/28 21:17:46.0674 4000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/28 21:17:46.0689 4000 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/28 21:17:46.0720 4000 isapnp (355836975a67b6554bca60328cd6cb74) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/28 21:17:46.0736 4000 Kbdclass (16813155807c6881f4bfbf6657424659) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/28 21:17:46.0752 4000 kbdhid (94c59cb884ba010c063687c3a50dce8e) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/28 21:17:46.0783 4000 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/28 21:17:46.0830 4000 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/28 21:17:46.0892 4000 libusb0 (e2f1dcf4a68cc6cf694fbfba1842f4cd) C:\WINDOWS\system32\drivers\libusb0.sys
2011/03/28 21:17:46.0986 4000 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/03/28 21:17:47.0017 4000 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/28 21:17:47.0080 4000 Modem (510ade9327fe84c10254e1902697e25f) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/28 21:17:47.0095 4000 Mouclass (027c01bd7ef3349aaebc883d8a799efb) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/28 21:17:47.0142 4000 mouhid (124d6846040c79b9c997f78ef4b2a4e5) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/28 21:17:47.0174 4000 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/28 21:17:47.0236 4000 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/28 21:17:47.0314 4000 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/28 21:17:47.0345 4000 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/28 21:17:47.0377 4000 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/28 21:17:47.0408 4000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/28 21:17:47.0424 4000 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/28 21:17:47.0455 4000 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/28 21:17:47.0486 4000 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/28 21:17:47.0517 4000 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/28 21:17:47.0549 4000 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/28 21:17:47.0580 4000 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/28 21:17:47.0595 4000 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/28 21:17:47.0627 4000 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/28 21:17:47.0642 4000 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/28 21:17:47.0658 4000 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/28 21:17:47.0705 4000 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/28 21:17:47.0736 4000 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/28 21:17:47.0767 4000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/28 21:17:47.0924 4000 nv (5950e6cc9fb3fabb61604d395dbc8550) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/28 21:17:48.0111 4000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/28 21:17:48.0142 4000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/28 21:17:48.0205 4000 Parport (8fd0bdbea875d06ccf6c945ca9abaf75) C:\WINDOWS\system32\drivers\Parport.sys
2011/03/28 21:17:48.0236 4000 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/28 21:17:48.0267 4000 ParVdm (9575c5630db8fb804649a6959737154c) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/28 21:17:48.0299 4000 PCAMPR5 (b670c5d89f0726b7a2a7dfb4e968cdf8) C:\WINDOWS\system32\PCAMPR5.SYS
2011/03/28 21:17:48.0346 4000 PCANDIS5 (ecd2f9d67b06606064daf6961a6d5efe) C:\WINDOWS\system32\PCANDIS5.SYS
2011/03/28 21:17:48.0377 4000 PCI (043410877bda580c528f45165f7125bc) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/28 21:17:48.0424 4000 PCIIde (f4bfde7209c14a07aaa61e4d6ae69eac) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/28 21:17:48.0455 4000 Pcmcia (f0406cbc60bdb0394a0e17ffb04cdd3d) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/28 21:17:48.0642 4000 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/28 21:17:48.0689 4000 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/28 21:17:48.0705 4000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/28 21:17:48.0752 4000 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/03/28 21:17:48.0924 4000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/28 21:17:48.0955 4000 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/28 21:17:49.0002 4000 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/28 21:17:49.0064 4000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/28 21:17:49.0080 4000 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/28 21:17:49.0111 4000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/28 21:17:49.0158 4000 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/28 21:17:49.0236 4000 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/28 21:17:49.0252 4000 redbook (d8eb2a7904db6c916eb5361878ddcbae) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/28 21:17:49.0330 4000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/28 21:17:49.0377 4000 Serial (93d313c31f7ad9ea2b75f26075413c7c) C:\WINDOWS\system32\drivers\Serial.sys
2011/03/28 21:17:49.0408 4000 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/28 21:17:49.0486 4000 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/28 21:17:49.0533 4000 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/03/28 21:17:49.0533 4000 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/03/28 21:17:49.0533 4000 sptd - detected Locked file (1)
2011/03/28 21:17:49.0549 4000 sr (39626e6dc1fb39434ec40c42722b660a) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/28 21:17:49.0658 4000 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/28 21:17:49.0752 4000 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
2011/03/28 21:17:49.0783 4000 StillCam (3f669c9fc6411bdbc0155544aa876e46) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/03/28 21:17:49.0814 4000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/28 21:17:49.0861 4000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/28 21:17:49.0955 4000 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/28 21:17:50.0018 4000 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/28 21:17:50.0049 4000 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/28 21:17:50.0096 4000 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/28 21:17:50.0143 4000 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/28 21:17:50.0221 4000 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/28 21:17:50.0268 4000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/28 21:17:50.0314 4000 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/28 21:17:50.0346 4000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/28 21:17:50.0377 4000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/28 21:17:50.0393 4000 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/28 21:17:50.0408 4000 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/28 21:17:50.0439 4000 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/28 21:17:50.0471 4000 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/28 21:17:50.0486 4000 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/28 21:17:50.0518 4000 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/28 21:17:50.0564 4000 VolSnap (46de1126684369bace4849e4fc8c43ca) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/28 21:17:50.0627 4000 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/28 21:17:50.0690 4000 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/28 21:17:50.0799 4000 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/28 21:17:50.0815 4000 ================================================================================
2011/03/28 21:17:50.0815 4000 Scan finished
2011/03/28 21:17:50.0815 4000 ================================================================================
2011/03/28 21:17:50.0815 1236 Detected object count: 2
2011/03/28 21:18:17.0817 1236 Locked file(sptd) - User select action: Skip
2011/03/28 21:18:17.0879 1236 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/28 21:18:17.0879 1236 \HardDisk0 - ok
2011/03/28 21:18:17.0879 1236 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/28 21:18:24.0443 1180 Deinitialize success

Kvitrafn
2011-03-28, 22:22
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Intel___ rev.1.0. -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Blottedisk
2011-03-29, 02:58
Hi,


Good job. How's the machine running?

Please follow these steps:


Step 1 | Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html )

Run the installer.
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:


http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png

Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.

Step 2 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php ) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Step 3 | Let's perform an ESET Online Scan

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html ).


Please go here (http://www.eset.com/onlinescan/ ) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)

Kvitrafn
2011-03-29, 09:40
Hi,


Good job. How's the machine running?



Far better ! No more navigator/computer crash since the fix :)

step1 : done

step2 :

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Version de la base de données: 6201

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29/03/2011 08:39:39
mbam-log-2011-03-29 (08-39-39).txt

Type d'examen: Examen rapide
Elément(s) analysé(s): 151749
Temps écoulé: 5 minute(s), 56 seconde(s)

Processus mémoire infecté(s): 0
Module(s) mémoire infecté(s): 0
Clé(s) du Registre infectée(s): 0
Valeur(s) du Registre infectée(s): 0
Elément(s) de données du Registre infecté(s): 0
Dossier(s) infecté(s): 0
Fichier(s) infecté(s): 0

Processus mémoire infecté(s):
(Aucun élément nuisible détecté)

Module(s) mémoire infecté(s):
(Aucun élément nuisible détecté)

Clé(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Valeur(s) du Registre infectée(s):
(Aucun élément nuisible détecté)

Elément(s) de données du Registre infecté(s):
(Aucun élément nuisible détecté)

Dossier(s) infecté(s):
(Aucun élément nuisible détecté)

Fichier(s) infecté(s):
(Aucun élément nuisible détecté)

Blottedisk
2011-03-29, 15:36
Glad to hear that :bigthumb:


I shall await the ESET scan.

Kvitrafn
2011-03-29, 19:06
step 3 :

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=f86c65659a625c4caf5bcb5a3567e80e
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-29 07:09:41
# local_time=2011-03-29 09:09:41 (+0100, Paris, Madrid (heure d'été))
# country="France"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=770 16774141 100 100 128665 78088408 0 0
# compatibility_mode=8192 67108863 100 0 140 140 0 0
# scanned=8698
# found=0
# cleaned=0
# scan_time=457
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=f86c65659a625c4caf5bcb5a3567e80e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-03-29 04:00:56
# local_time=2011-03-29 06:00:56 (+0100, Paris, Madrid (heure d'été))
# country="France"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=770 16774141 100 100 152644 78112387 0 0
# compatibility_mode=8192 67108863 100 0 24119 24119 0 0
# scanned=148827
# found=6
# cleaned=0
# scan_time=8354
C:\Qoobox\Quarantine\C\WINDOWS\msaptil.dll.vir a variant of Win32/Cimag.GJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP728\A0150353.dll Win32/Agent.OLR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP728\A0150354.dll Win32/Agent.OLR trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP729\A0154353.exe a variant of Win32/Kryptik.LYM trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP729\A0154425.dll a variant of Win32/Cimag.GJ trojan (unable to clean) 00000000000000000000000000000000 I
M:\System Volume Information\_restore{DF0593A6-6EDC-406B-9729-E58A03DB95AD}\RP729\A0154423.EXE Win32/AutoRun.VB.EF worm (unable to clean) 00000000000000000000000000000000 I

Blottedisk
2011-03-29, 23:07
Well done Kvitrafn, we are done :bigthumb:


Please follow this last procedure (this will also remove threats found by ESET):


Step 1 | Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.


Step 2 | Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe ) to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
Also, please delete manually the following files in your desktop (move the files to the bin or right-click the files and choose "Send to recycle bin"):
aswMBR.exe
MBRCheck.exe
aswMBR logfile
The logfile genereted by MBRCheck (MBRCheck_mm.dd.yy_hh.mm.ss.txt)

Step 3 | Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
Download the latest version of Adobe Reader Version X (http://get.adobe.com/reader/?promoid=BUIGO ). and save it to your desktop.
Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
Click the download button at the bottom.
If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
If you are unsure of how to use Add or Remove Programs, the please see this tutorial: How To Remove An Installed Program From Your Computer (http://www.bleepingcomputer.com/forums/topic42133.html )
Then from your desktop double-click on Adobe Reader to install the newest version.
If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the "Adobe Setup - Welcome" window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
Click on Help and select Check for Updates.
A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
In the window that opens click Install.
Once the update is done click Close.
Your Adobe Reader is updated now.


Step 4 | Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Click on the following link to visit java website: Java Runtime Environment (JRE) 6 (http://www.oracle.com/technetwork/java/javase/downloads/index.html )

Scroll down to where it says "JDK 6 Update 24 (JDK or JRE)".
Click the "Download" button to the right column (JRE).
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Now go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the recently downloaded java installer icon to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
Applications and AppletsTrace and Log Files
Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.


Step 5 | I don't see any evidence of a 3rd Party Firewall installed on your computer. If you have one installed, make sure it's functioning properly. As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access from the outside world. Firewalls protect against hackers and malicious intruders.

If you do not have a firewall installed...
I strongly recommend you download a free (for personal use) firewall NOW that monitors traffic in both directions... from one of these vendors:

Comodo (http://personalfirewall.comodo.com/download_firewall.html) (Is now bundled with AV software, toolbar and search provider. Opt to install only the firewall software... uncheck the rest)
Online Armor Free (http://www.tallemu.com/downloads.php) (Free version at bottom of page (XP/Vista/W7 (32bit).) 64bit version not available yet. Some reported conflicts with Avira AntiVir.
ZoneAlarm (http://download.cnet.com/ZoneAlarm/3000-10435_4-10039884.html) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)
Ashampoo (http://www.download.com/Ashampoo-FireWall/3000-10435_4-10575187.html)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a very basic firewall. This (XP) firewall is NO replacement for a dedicated software solution. Remember to install and have active, only one firewall at the same time. If you install one of these firewalls, remember to turn off Windows' firewall.


Last Step | Now, in order to avoid future infections, please take time to read the following article:

So how did I get infected in the first place? (http://forums.spybot.info/showthread.php?t=279 )

Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed :)

Kvitrafn
2011-03-29, 23:41
step 1 & 2 : done

I have a spybot alert when I try to instal Adobe.

Blottedisk
2011-03-29, 23:53
step 1 & 2 : done

I have a spybot alert when I try to instal Adobe.


The link I gave you is safe. Can you skip the alert?

Kvitrafn
2011-03-29, 23:57
I don't know, I'll try. But the lin doesn't load the exe anymore :/

Kvitrafn
2011-03-30, 00:14
step 4 : done

last step : done :)

I'll try again step 3 now

Blottedisk
2011-03-30, 00:15
But the lin doesn't load the exe anymore :/

I'm sorry.. What do you mean?

Did Spybot flagged the alert during installation or during the file's download?

Kvitrafn
2011-03-30, 00:37
step 3 is now done. I reboot and try again, and there were no problem this time...

About step 5, seems that I don't have firewall, that's weird, I thought I had one !

Should/can I remove these files :

Attach.txt
log from ComboFix
GMER.exe
MBR.txt
MBR.dat

and unistall these softwares :
CCleaner
Malwarebytes' Anti-Malware

?

Blottedisk
2011-03-30, 00:57
Yes, you can delete those files and uninstall those programs. You can also uninstall ESET Online Scanner, if present :bigthumb:

Kvitrafn
2011-03-30, 01:08
All right.

Thanks A LOT for your time and help:bow:

Blottedisk
2011-03-30, 01:28
You are welcome :)

Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Blottedisk
2011-04-04, 19:50
Topic reopened due to topic creator's request


Hi Kvitrafn :)


What problems are you experiencing?

Kvitrafn
2011-04-04, 21:23
Hi.

Computer is working fine, but I did a spybot check, and I found - again - the click.giftload.
I did not try to delete it since I understand that sybot could not delete it.
Do you need any log/report ?

Blottedisk
2011-04-04, 22:28
Hi Kvitrafn,


Don't try to remove it with Spybot S&D yet. Please do the following:


Step 1 | Please open SpyBot S&D


Check for problems.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Paste (Ctrl+V) those results in your next reply.


Step 2 | Download DDS from any of the links below:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr )
Link 2 (http://download.bleepingcomputer.com/sUBs/dds.com )
Link 2 (http://www.forospyware.com/sUBs/dds )

--------------------------------------------------------------------
Save it to your desktop.
Please disable any anti-malware program that will block scripts from running before running DDS.
Double-Click on dds and a command window will appear. This is normal.
Shortly after two logs will appear:
DDS.txt
Attach.txt
A window will open instructing you save & post the logs.
Save the logs to a convenient place such as your desktop.
Post the contents of the DDS.txt report in your next reply.
Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Kvitrafn
2011-04-04, 23:20
Spybot report :

Click.GiftLoad: [SBI $89783858] Réglages utilisateur (Valeur du registre, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Right Media: Cookie traceur (Internet Explorer: Tatiana) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-02 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-09-07 advcheck.dll (1.6.4.18)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-03-22 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-22 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-22 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-21 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Kvitrafn
2011-04-04, 23:26
DDS :

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tatiana at 22:20:46,30 on 04/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professionnel 5.1.2600.3.1252.33.1036.18.2046.1332 [GMT 2:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Fichiers communs\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tatiana\Bureau\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.fr/
uURLSearchHooks: Search Class: {08c06d61-f1f3-4799-86f8-be1a89362c85} - c:\program files\orange\connexion internet orange\searchurlhook\SearchPageURL.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\fichiers communs\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {043C5167-00BB-4324-AF7E-62013FAEDACF} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10n_ActiveX.exe -update activex
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [NeroFilterCheck] c:\program files\fichiers communs\ahead\lib\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\fichiers communs\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\fichiers communs\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\dmarra~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {1062E4BC-2F27-4BDF-9FBB-F7A8150EBCAB} = 212.27.53.252,212.27.54.252
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\tatiana\applic~1\mozilla\firefox\profiles\3e9n8sru.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.fr
FF - prefs.js: keyword.URL - hxxp://vshare.toolbarhome.com/search.aspx?srch=ku&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-1 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-4 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-13 42184]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-3-16 33792]
S2 AMService;AMService;c:\windows\temp\lryj\setup.exe run --> c:\windows\temp\lryj\setup.exe run [?]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2008-12-16 1527900]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xpadfl02.sys --> c:\windows\system32\drivers\xpadfl02.sys [?]
.
=============== Created Last 30 ================
.
2011-04-04 13:24:05 -------- d-----w- C:\wamp
2011-04-01 07:48:27 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-03-29 21:12:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-29 06:31:57 -------- d-----w- c:\docume~1\tatiana\applic~1\Malwarebytes
2011-03-29 06:31:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-29 06:31:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-28 06:34:13 -------- d-sha-r- C:\cmdcons
2011-03-24 13:54:39 -------- d-----w- c:\docume~1\tatiana\locals~1\applic~1\Deployment
2011-03-14 21:47:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\PopCap Games
.
==================== Find3M ====================
.
2011-03-29 21:12:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-23 14:04:21 40648 ----a-w- c:\windows\avastSS.scr
2011-02-04 16:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 16:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:59:09 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:12 441344 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 22:22:35,10 ===============

Blottedisk
2011-04-05, 02:23
Hi Kvitrafn,


Your log looks fine. In my opinion that registry key is the only remnant of the infection, and that's what Spybot flags. Please try to remove it with Spybot S&D. After that, perform a full scan and post the results here.

Kvitrafn
2011-04-05, 15:06
Right Media is still here, but you're right, no more click.giftload, sorry for that !

Blottedisk
2011-04-05, 20:14
Hi Kvitrafn,


No need to apologize :bigthumb:


Can't you remove Right Media with Spybot S&D?

Kvitrafn
2011-04-05, 21:20
I can remove it, but it come back everytime I scan

Blottedisk
2011-04-06, 01:56
Hi Kvitrafn,


Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune and save it to your desktop.


Double-click ATF-Cleaner.exe to run the program.
Note: Vista and Win7 users right click on ATF-Cleaner.exe and choose "Run as administrator"
Under Main choose: Select All
Click the Empty Selected button.
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Click Firefox at the top and choose: Select All
Click the Empty Selected button.


Please run Spybot S&D and check if the problem is solved.

Kvitrafn
2011-04-06, 10:31
yep, still here

Blottedisk
2011-04-06, 19:50
Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html )

Run the installer.
Once installed, run CCleaner click the Windows [tab]
In the programs Tab, please check all items regarding to Firefox and Google Chrome.

Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.

Kvitrafn
2011-04-07, 13:03
done ! ////

Blottedisk
2011-04-07, 18:51
So? Is Spybot still flagging that RightMedia Cookie?

Kvitrafn
2011-04-07, 20:34
yes, still here