Random FireFox Pop ups and IE blank page pop ups

PaulR · Oct 27, 2007

I have both of these problems and have run SpyBot and Adaware, but no avail

I have Hijack and can produce logs.

Can someone offer me some assistance to diagnose and solve these problems?

pls let me know what I need to do next

thanks

Shaba · Oct 28, 2007

Hi PaulR

Please post HijackThis log next

PaulR · Oct 28, 2007

hopefully this will help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13:19, on 28/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\Installs and Phone Apps\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160480673648
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160480663320
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10336 bytes

Shaba · Oct 28, 2007

Hi

Do those popups happen on every web site?

PaulR · Oct 28, 2007

re:

not every site when using firefox, just randomly

however with IE its every site and sometimes a blank IE page will pop up when the computer is doing nothing

PaulR · Oct 28, 2007

This is a site address that just popped now

http://em.pc-on-internet.com

Shaba · Oct 29, 2007

Hi

Ok, let's check this next:

* Download GMER from
here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.

PaulR · Nov 1, 2007

sorry for the delay - GMER paste

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-01 00:46:11
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT 86BA3FD0 ZwAlertResumeThread
SSDT 86B905F8 ZwAlertThread
SSDT 86D4D0A8 ZwAllocateVirtualMemory
SSDT 86BA0E80 ZwConnectPort
SSDT 86B9DF30 ZwCreateMutant
SSDT 86CA2940 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT 86B912E0 ZwFreeVirtualMemory
SSDT 86B9FF30 ZwImpersonateAnonymousToken
SSDT 86BA3060 ZwImpersonateThread
SSDT 86B83AB8 ZwMapViewOfSection
SSDT 86B9DE58 ZwOpenEvent
SSDT 86B91420 ZwOpenProcessToken
SSDT 86B90E48 ZwOpenThreadToken
SSDT 86B93128 ZwQueryValueKey
SSDT 86B92AC8 ZwResumeThread
SSDT 86B90CB0 ZwSetContextThread
SSDT 86B90FD0 ZwSetInformationProcess
SSDT 86B90B10 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 86B9CCD0 ZwSuspendProcess
SSDT 86B907B0 ZwSuspendThread
SSDT 86B915B0 ZwTerminateProcess
SSDT 86B90970 ZwTerminateThread
SSDT 86B91158 ZwUnmapViewOfSection
SSDT 86841F38 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0170200E
.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01701DAF
.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01701CF2
.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0170191B
.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[488] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\Explorer.EXE[488] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[488] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[488] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\Explorer.EXE[488] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[488] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\Explorer.EXE[488] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\Explorer.EXE[488] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\Explorer.EXE[488] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\Explorer.EXE[488] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe[528] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[568] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\spoolsv.exe[568] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\spoolsv.exe[568] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\spoolsv.exe[568] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\iPod\bin\iPodService.exe[648] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\iPod\bin\iPodService.exe[648] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\iPod\bin\iPodService.exe[648] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\iPod\bin\iPodService.exe[648] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\csrss.exe[876] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\csrss.exe[876] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\csrss.exe[876] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\csrss.exe[876] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\services.exe[944] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF

PaulR · Nov 1, 2007

ctd

.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[1112] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[1248] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\a-squared Anti-Malware\a2service.exe[1276] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\a-squared Anti-Malware\a2service.exe[1276] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\a-squared Anti-Malware\a2service.exe[1276] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\a-squared Anti-Malware\a2service.exe[1276] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1392] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1392] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1392] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1392] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe[1456] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F0200E
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe[1456] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F01DAF
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe[1456] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F01CF2
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe[1456] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F0191B
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe[1468] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe[1468] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe[1468] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe[1468] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1540] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1540] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1540] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1540] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1540] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[1548] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00FB200E
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00FB1DAF
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00FB1CF2
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00FB191B
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 23, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 20, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F160F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2C1 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A030F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A0290 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A02D4 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A021C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A0256 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A034A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F31676 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Internet Explorer\iexplore.exe[1580] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1588] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[1588] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[1588] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2

PaulR · Nov 1, 2007

ctd

.text C:\WINDOWS\system32\svchost.exe[1588] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E2200E
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E21DAF
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E21CF2
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E2191B
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[1640] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1640] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\hkcmd.exe[1640] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\hkcmd.exe[1640] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\hkcmd.exe[1640] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\hkcmd.exe[1640] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[1640] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1640] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\hkcmd.exe[1640] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E9200E
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E91DAF
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E91CF2
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E9191B
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[1700] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1700] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\igfxpers.exe[1700] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1700] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\igfxpers.exe[1700] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\igfxpers.exe[1700] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[1700] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1700] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\igfxpers.exe[1700] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1716] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1716] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1716] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\WLTRYSVC.EXE[1716] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\System32\bcmwltry.exe[1780] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00CD200E
.text C:\WINDOWS\System32\bcmwltry.exe[1780] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00CD1DAF
.text C:\WINDOWS\System32\bcmwltry.exe[1780] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00CD1CF2
.text C:\WINDOWS\System32\bcmwltry.exe[1780] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00CD191B
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F5200E
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F51DAF
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F51CF2
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F5191B
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\igfxsrvc.exe[1964] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\WLTRAY.exe[1976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\WLTRAY.exe[1976] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[1976] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.exe[1976] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\WLTRAY.exe[1976] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\WLTRAY.exe[1976] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\WLTRAY.exe[1976] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text

PaulR · Nov 1, 2007

ctd

C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\taskswitch.exe[2080] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\WINDOWS\system32\taskswitch.exe[2080] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\taskswitch.exe[2080] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\taskswitch.exe[2080] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\taskswitch.exe[2080] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\taskswitch.exe[2080] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\taskswitch.exe[2080] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\taskswitch.exe[2080] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.textC:\WINDOWS\system32\taskswitch.exe[2080] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 025A200E
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 025A1DAF
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 025A1CF2
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 025A191B
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2104] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0101200E
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01011DAF
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01011CF2
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0101191B
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2348] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2348] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Apoint\Apoint.exe[2348] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Apoint\Apoint.exe[2348] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\Apoint\Apoint.exe[2348] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\Program Files\Apoint\Apoint.exe[2348] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apoint.exe[2348] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\Program Files\Apoint\Apoint.exe[2348] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\Program Files\Apoint\Apoint.exe[2348] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Apoint\Apoint.exe[2348] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[2376] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F0200E
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F01DAF
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F01CF2
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F0191B
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]

PaulR · Nov 1, 2007

ctd

.text C:\Program Files\iTunes\iTunesHelper.exe[2432] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2432] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\Program Files\a-squared Anti-Malware\a2guard.exe[2452] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\a-squared Anti-Malware\a2guard.exe[2452] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\a-squared Anti-Malware\a2guard.exe[2452] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\a-squared Anti-Malware\a2guard.exe[2452] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\a-squared Anti-Malware\a2guard.exe[2452] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ CF, F1, C3, 83 ]
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2476] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[2476] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2476] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[2476] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\WINDOWS\system32\ctfmon.exe[2476] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[2476] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0098200E
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00981DAF
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00981CF2
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0098191B
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apntex.exe[2508] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Apoint\Apntex.exe[2508] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Apoint\Apntex.exe[2508] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Apoint\Apntex.exe[2508] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\Apoint\Apntex.exe[2508] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\Program Files\Apoint\Apntex.exe[2508] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Apoint\Apntex.exe[2508] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\Program Files\Apoint\Apntex.exe[2508] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Apoint\Apntex.exe[2508] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\documents and settings\paul\local settings\application data\dangnhu.exe[2524] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\documents and settings\paul\local settings\application data\dangnhu.exe[2524] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\documents and settings\paul\local settings\application data\dangnhu.exe[2524] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\documents and settings\paul\local settings\application data\dangnhu.exe[2524] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 17, 5F ]
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 14, 5F ]
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] kernel32.dll!FreeLibrary + 15 7C80ABF3 4 Bytes [ 45, 54, EF, F4 ]
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 11, 5F ]
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F1C0F5A
.text C:\DOCUME~1\Paul\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[2644] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F190F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 012F200E
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 012F1DAF
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 012F1CF2
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 012F191B
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 20, 5F ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 1D, 5F ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A

PaulR · Nov 1, 2007

ctd

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F130F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 17, 5F ]
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2748] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F190F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [ 23, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [ 20, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F040F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] kernel32.dll!WriteProcessMemory 7C80220F 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] kernel32.dll!OpenProcess 7C8309E1 6 Bytes JMP 5F100F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ADVAPI32.dll!CreateServiceA 77E37071 6 Bytes JMP 5F160F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ADVAPI32.dll!CreateServiceW 77E37209 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ADVAPI32.dll!CreateServiceW + 4 77E3720D 2 Bytes [ 1A, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!send 71AB428A 5 Bytes JMP 100030E6
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100032CC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!listen 71AB88D3 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 100035BC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] SHELL32.dll!Shell_NotifyIconW 7CA21B6A 6 Bytes JMP 5F1C0F5A

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F730A1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F730A1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F730A454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F730A1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [AADA58A0] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [AADA5900] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [AADA5810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs

PaulR · Nov 1, 2007

ctd

IRP_MJ_SET_QUOTA [AADA5810] SYMEVENT.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS

PaulR · Nov 1, 2007

last page

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [AABF58C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [AABF58C0] SYMTDI.SYS

---- Processes - GMER 1.0.13 ----

Process C:\documents and settings\paul\local settings\application data\dangnhu.exe (*** hidden *** ) 2524
Library C:\documents and settings\paul\local settings\application data\dangnhu.exe (*** hidden *** ) @ C:\documents and settings\paul\local settings\application data\dangnhu.exe [2524] 0x00400000

---- Registry - GMER 1.0.13 ----

Reg \Registry\USER\S-1-5-21-1715567821-562591055-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run@dangnhu c:\documents and settings\paul\local settings\application data\dangnhu.exe dangnhu

---- Files - GMER 1.0.13 ----

File C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu.dat
File C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu.exe
File C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu_nav.dat
File C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu_navps.dat
File C:\WINDOWS\Prefetch\DANGNHU.EXE-02C50F1C.pf

---- EOF - GMER 1.0.13 ----

Shaba · Nov 1, 2007

Hi

Yes, we have navipromo

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu.exe
Now click Delete
Also do that with these files:

C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu.dat
C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu_nav.dat
C:\Documents and Settings\Paul\Local Settings\Application Data\dangnhu_navps.dat
C:\WINDOWS\Prefetch\DANGNHU.EXE-02C50F1C.pf

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Download BFU.zip from here
Right click on BFU.zip and click Extract all
Extract it to C:\BFU

Right click here and choose Save Link as to download EGDACCESS.bfu by Metallica
Save it to C:\BFU as EGDACCESS.bfu

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Go to C:\BFU and double click BFU.exe to start the Brute Force Uninstaller (BFU) by Merijn
Click on the folder icon
Find and select EGDACCESS.bfu
Click Open
Click Execute
Wait for the script to finish executing
You will get the message Completed script execution.
Click OK
Close BFU

Restart

Re-run gmer

Post:

- a fresh HijackThis log
- gmer log

PaulR · Nov 3, 2007

New HiJack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:11:24, on 03/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dangnhu] c:\documents and settings\paul\local settings\application data\dangnhu.exe dangnhu
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus2.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1160480673648
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160480663320
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point VPN-1 Securemote service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point VPN-1 Securemote watchdog (SR_Watchdog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9371 bytes

PaulR · Nov 3, 2007

GMER log

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-11-03 17:31:50
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT 86799350 ZwAlertResumeThread
SSDT 86B86E48 ZwAlertThread
SSDT 86C2AC68 ZwAllocateVirtualMemory
SSDT 86B896B0 ZwConnectPort
SSDT 86BAB8F0 ZwCreateMutant
SSDT 86BB18A8 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwDeleteValueKey
SSDT 86B890E0 ZwFreeVirtualMemory
SSDT 86BAE438 ZwImpersonateAnonymousToken
SSDT 86BAFC88 ZwImpersonateThread
SSDT 86B50180 ZwMapViewOfSection
SSDT 86BA9810 ZwOpenEvent
SSDT 86B895D8 ZwOpenProcessToken
SSDT 86B883B8 ZwOpenThreadToken
SSDT 86C741F8 ZwQueryValueKey
SSDT 86B9B058 ZwResumeThread
SSDT 86B88190 ZwSetContextThread
SSDT 86B88490 ZwSetInformationProcess
SSDT 86B880B8 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS ZwSetValueKey
SSDT 86BA9738 ZwSuspendProcess
SSDT 86B87878 ZwSuspendThread
SSDT 86B8A0B8 ZwTerminateProcess
SSDT 86B87950 ZwTerminateThread
SSDT 86B885D8 ZwUnmapViewOfSection
SSDT 86B8B4D8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.13 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2730 80501600 5 Bytes [ B8, A0, B8, 86, 50 ]
.text ntkrnlpa.exe!ZwCallbackReturn + 2736 80501606 2 Bytes [ B8, 86 ]

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F730A1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F730A1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F730A454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F730A1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F72FDF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [AAF258A0] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [AAF25900] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [AAF25810] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [AAF25810] SYMEVENT.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [AAD758C0] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [AAD758C0] SYMTDI.SYS

---- EOF - GMER 1.0.13 ----

Shaba · Nov 4, 2007

Hi

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKCU\..\Run: [dangnhu] c:\documents and settings\paul\local settings\application data\dangnhu.exe dangnhu

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

PaulR · Nov 5, 2007

Kapersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 05, 2007 12:25:28 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/11/2007
Kaspersky Anti-Virus database records: 451592
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 45443
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:44:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SavSubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\52C967C1.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\cert8.db Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\foxmarks.log Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\history.dat Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\key3.db Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\parent.lock Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Paul\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Paul\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbdam Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbdao Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbeam Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbeao Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbm Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\fii.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\hp Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Google Desktop\f8d490e01e97\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Application Data\Mozilla\Firefox\Profiles\ucjo95k3.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temp\~DF6A0A.tmp Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Paul\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Paul\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.logaccount_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.loginitial_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.logLuuidDB Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\default-000000.logptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000001.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000001.logaccount_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000001.loginitial_ptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000001.logLuuidDB Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\log\SR_Service-000001.logptr Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_gui_tde.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_service_tde.log Object is locked skipped
C:\Program Files\CheckPoint\SecuRemote\sr_watchdog_tde.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\AVMan.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\GUProxy.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\LUMan.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\processlog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\rawlog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\seclog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\syslog.log Object is locked skipped
C:\Program Files\Symantec\Symantec Endpoint Protection\tralog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5BB6425B-5168-427E-85CA-5EEA76969386}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ckpNotify.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_100.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Random FireFox Pop ups and IE blank page pop ups

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

New member

New member

New member

New member

New member

New member

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member