Virtumonde infection problem

Hi

If Windows' own firewall is running with Comodo, please disable
Windows' own firewall.

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\WINDOWS\inf\qwetab.inf
Now click Delete

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer

Post:

- a fresh HijackThis log
- gmer log (should be much smaller now)
 
Hello Shaba,

Here is the HJT log. Following is the Gmer log in 5 consecutive posts.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:56, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvgid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O21 - SSODL: DriveRunOnce - {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
O21 - SSODL: zip - {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8211 bytes
 
page 1 of 5

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-06 10:59:15
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 83AE7EF0 ZwConnectPort

---- User code sections - GMER 1.0.14 ----

 
page 2 of 5

 
page 3 of 5

.text C:\WINDOWS\system32\spoolsv.exe[1740] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1740] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1740] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1756] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] USER32.DLL!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] USER32.DLL!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] USER32.DLL!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Claude et Francine\Bureau\gmer\gmer.exe[2052] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\alg.exe[2376] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2376] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\wuauclt.exe[2752] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wuauclt.exe[2752] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\Mixer.exe[2888] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2888] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
 
page 4 of 5

.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[2992] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe[3068] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[3096] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 009353E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ntdll.dll!LdrUnloadDll 7C92718B 3 Bytes JMP 00935310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ntdll.dll!LdrUnloadDll + 4 7C92718F 1 Byte [ 84 ]
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 00934FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 009316C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 00931540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 00931850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 00931220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 009313B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ A3, 88 ]
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 00934CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[3116] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 00934E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\svchost.exe[3220] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3220] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Messenger\msmsgs.exe[3292] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3292] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[3424] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[3432] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[3432] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
 
page 5 of 5

.text C:\WINDOWS\system32\ctfmon.exe[3432] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [005B3750] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [005B38F0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [005B36B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [005B3750] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [005B3390] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [005B3A90] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawEdge] [005B2D70] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [005B35A0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [005B3470] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[3424] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- EOF - GMER 1.0.14 ----
 
I hope I did everything correctly, since the Gmer report is just a little bit smaller (85k vs 96k previously).

The only red entry Gmer gave was «qwetab» which I deleted. Wasn't there after.

Things seem normal on the PC, although I don't touch it much besides the present correspondence. What is still out of normal:

1- Two RUNDLL warning windows on the desktop after rebooting: drulaz.dll and drvgid.dll (in ...system32..)

2- The keyboard is missing a lot of keys I hit, so I have to hit them twice sometimes (for instance to write this), or hit them very hard, hmm.. strange..
 
Hi

"1- Two RUNDLL warning windows on the desktop after rebooting: drulaz.dll and drvgid.dll (in ...system32..)"

It will be corrected next.

"2- The keyboard is missing a lot of keys I hit, so I have to hit them twice sometimes (for instance to write this), or hit them very hard, hmm.. strange.."

I don't think it's related to this.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Program Files\udefender_setup.exe
C:\Program Files\tmp34768073.exe
C:\Program Files\tmp34768544.exe
C:\Program Files\tmp34770447.exe
C:\Program Files\tmp34770327.exe
C:\Program Files\tmp34768163.exe
C:\Program Files\tmp34767783.exe
C:\Program Files\tmp9833900.exe
C:\Program Files\tmp9641774.exe
C:\mhyvfa.exe2
C:\mmesckoj.exe2

Folder::
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
"MSDisp32"=-
"braviax"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveRunOnce"=-
"zip"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Hello Shaba, here is the HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:00:35, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7526 bytes
 
and here is the new combofix log:

ComboFix 08-03-05.1 - Claude et Francine 2008-03-06 12:54:55.2 - NTFSx86
Microsoft Windows XP Professionnel 5.1.2600.2.1252.33.1036.18.429 [GMT -5:00]
Endroit: C:\Documents and Settings\Claude et Francine\Bureau\ComboFix.exe
Command switches used :: C:\Documents and Settings\Claude et Francine\Bureau\CFScript.txt
* Création d'un nouveau point de restauration

AVERTISSEMENT - LA CONSOLE DE RÉCUPÉRATION N'EST PAS INSTALLÉE SUR CETTE MACHINE !!

FILE ::
C:\mhyvfa.exe2
C:\mmesckoj.exe2
C:\Program Files\tmp34767783.exe
C:\Program Files\tmp34768073.exe
C:\Program Files\tmp34768163.exe
C:\Program Files\tmp34768544.exe
C:\Program Files\tmp34770327.exe
C:\Program Files\tmp34770447.exe
C:\Program Files\tmp9641774.exe
C:\Program Files\tmp9833900.exe
C:\Program Files\udefender_setup.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


(((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mhyvfa.exe2
C:\Program Files\udefender_setup.exe
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll

.
((((((((((((((((((((((((((((( Fichiers créés 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))))))))
.

2008-03-06 07:05 . 2008-03-06 07:05 3,847 --a------ C:\Program Files\tmp32187653.exe
2008-03-06 06:45 . 2008-03-06 10:37 250 --a------ C:\WINDOWS\gmer.ini
2008-03-05 06:32 . 2008-03-05 06:32 <REP> d-------- C:\Program Files\IE Extensions
2008-03-04 19:13 . 2008-03-04 19:13 <REP> d-------- C:\Program Files\COMODO
2008-03-04 19:13 . 2008-03-04 19:13 <REP> d-------- C:\Documents and Settings\Claude et Francine\Application Data\Comodo
2008-03-04 19:13 . 2008-03-04 20:18 <REP> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-04 19:13 . 2008-03-04 19:13 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-03-04 19:13 . 2008-03-04 19:13 84,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-04 19:13 . 2008-03-04 19:13 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-04 15:26 . 2008-03-06 10:20 <REP> d-------- C:\Downloads mars 2008
2008-03-03 16:38 . 2008-03-03 16:38 <REP> d-------- C:\Program Files\Trend Micro
2008-03-03 11:19 . 2008-03-03 11:19 <REP> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 11:19 . 2008-03-03 11:19 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 08:30 . 2008-03-03 08:30 <REP> d--h----- C:\WINDOWS\PIF
2008-03-02 22:33 . 2008-03-02 22:38 339 --a------ C:\WINDOWS\wininit.ini
2008-03-02 22:04 . 2008-03-02 22:04 <REP> d-------- C:\Program Files\SysCleaner
2008-03-02 21:13 . 2008-03-02 21:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 21:13 . 2008-03-02 21:13 2,568 --a------ C:\WINDOWS\unins000.dat
2008-03-02 20:48 . 2008-03-02 21:15 <REP> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-02 20:48 . 2008-03-02 21:22 <REP> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 19:07 . 2008-03-02 19:07 145 --a------ C:\WINDOWS\system32\winver.bat2
2008-03-02 18:57 . 2008-03-02 18:57 <REP> dr-h----- C:\~MSSETUP.T
2008-02-26 23:06 . 2008-02-26 23:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-12 16:48 . 2008-02-12 16:48 <REP> d-------- C:\Program Files\SunNetPro
2008-02-12 16:46 . 2008-02-12 16:46 <REP> d-------- C:\WINDOWS\Downloaded Installations

.
(((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:21 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Skype
2008-03-03 21:30 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\skypePM
2008-03-03 15:12 --------- d-----w C:\Program Files\eMule
2008-03-03 14:12 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-03-03 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 00:37 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Apple Computer
2008-02-06 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-06 00:35 --------- d-----w C:\Program Files\QuickTime
2008-02-05 12:09 --------- d-----w C:\Program Files\DivX
2007-12-20 14:08 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-07 02:08 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-05_19.31.42.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-06 11:45:28 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-01-19 01:31:10 757,760 ----a-w C:\WINDOWS\gmer.exe
+ 2008-03-06 11:45:28 85,713 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((( Point de chargement Reg )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-04-04 11:55 71304]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-25 11:18 100056]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2006-12-22 20:55 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-13 20:10 409600]
"LVCOMS"="C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 15:16 90112]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-05 19:25 385024]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-04 19:13 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 07:00 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-03-26 16:26 54384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\CIMSVR.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-23 12:47]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-19 10:53]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 16:28]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\system32\DRIVERS\LV551AV.sys [2002-06-10 14:24]

.
Contenu du dossier 'Scheduled Tasks/Tâches planifiées'
"2008-02-25 11:07:26 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur - Claude et Francine.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-03-01 11:12:53 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-03-06 15:37:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-06 12:56:53
Windows 5.1.2600 Service Pack 2 NTFS

Balayage processus cachés ...

Balayage caché autostart entries ...

Balayage des fichiers cachés ...

Scan terminé avec succès
Les fichiers cachés: 0

**************************************************************************
.
--------------------- DLLs a chargé sous des processus courants ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Temps d'accomplissement: 2008-03-06 12:58:00
ComboFix-quarantined-files.txt 2008-03-06 17:57:44
ComboFix2.txt 2008-03-06 00:39:44
.
2008-02-14 08:04:30 --- E O F ---
 
Hi

Delete these:

C:\Program Files\tmp32187653.exe
C:\WINDOWS\Installer\{9d864a43-586d-41b6-ab85-431194e5c189}\

Empty this folder:

C:\Program Files\Norton AntiVirus\Quarantine

Empty Recycle Bin.

Delete these mails from Outlook:

C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Thu, 25 Apr 2002 21:28:48 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:48:10 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:51:27 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED/assurance.bat Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx Mail MS Outlook 5: infected - 2, suspicious - 5 skipped

Please download ATF Cleaner by Atribune and save it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with Kaspersky.


Post:

- a fresh HijackThis log
- Kaspersky report
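
Each round in this thread ends with a fresh HijackThis log that is compared against the previous one. The sketch below is an added example, not part of the original posts and not HijackThis's own code: it parses two logs in the v2.0.2 layout shown above and reports which processes and entries appeared or disappeared. The function names are hypothetical, and both sample logs are constructed, abbreviated excerpts (the `ExampleLeftover` entry is a placeholder).

```python
import re
from collections import Counter

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # "R1 - ...", "O4 - ...", "O23 - ..."
SAVED_RE = re.compile(r"^Scan saved at (\S+), on (\S+)$")


def parse_hjt(text):
    """Split a HijackThis v2.0.2 log into scan time, process list and entries."""
    log = {"saved": None, "processes": Counter(), "entries": set()}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("End of file"):
            break
        m = SAVED_RE.match(line)
        if m:
            log["saved"] = f"{m.group(2)} {m.group(1)}"
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first entry line ends the process list
            log["entries"].add((m.group(1), m.group(2)))
        elif in_processes:
            # Windows paths are case-insensitive (Explorer.EXE == explorer.exe);
            # a Counter keeps multiplicity, e.g. several svchost.exe instances.
            log["processes"][line.casefold()] += 1
    return log


def diff_hjt(before, after):
    """Return what changed between two parsed logs."""
    started = after["processes"] - before["processes"]   # keeps positive counts only
    stopped = before["processes"] - after["processes"]
    return {
        "started": sorted(started.elements()),
        "stopped": sorted(stopped.elements()),
        "added": sorted(after["entries"] - before["entries"]),
        "removed": sorted(before["entries"] - after["entries"]),
    }


# Constructed sample: abbreviated "before" log.
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:56, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [ExampleLeftover] C:\example\placeholder.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

--
End of file - 0 bytes
"""

# Constructed sample: abbreviated "after" log.
AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:00:35, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

--
End of file - 0 bytes
"""

if __name__ == "__main__":
    old, new = parse_hjt(BEFORE), parse_hjt(AFTER)
    print(f"{old['saved']}  ->  {new['saved']}")
    for kind, items in diff_hjt(old, new).items():
        for item in items:
            print(f"{kind:8} {item}")
```

A process listed under "stopped" is not necessarily gone for good: a security tool that was simply not running at scan time shows up the same way, so the entry diff (`added` / `removed`) is the part to read first.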
 
Hello,

By the way, the PC stays online while doing those procedures, I hope it doesn't interfere. Here is the last HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16:21, on 2008-03-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7468 bytes
 
And here is the new Kaspersky report. Sorry, I saved it in HTML then translated it to txt:

page 1 of 2

KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 5:13:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build
2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 604356


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects: 94293
Number of viruses found: 29
Number of infected objects: 82
Number of suspicious objects: 0
Duration of the scan process: 02:48:48

Infected Object Name | Virus Name | Last Action
C:\Documents and Settings\All Users\Application Data\comodo\Firewall
Pro\cfplogdb.sdb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common
Client\settings.dat Object is locked skipped

C:\Documents and Settings\Claude et Francine\Cookies\index.dat Object is
locked skipped

C:\Documents and Settings\Claude et Francine\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Claude et Francine\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Claude et Francine\Local
Settings\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Claude et Francine\Local
Settings\Historique\History.IE5\MSHist012008030620080307\index.dat Object
is locked skipped

C:\Documents and Settings\Claude et Francine\Local Settings\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro
- Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0002 Infected:
not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro
- Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0003 Infected:
not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro
- Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0006 Infected:
not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro
- Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped

C:\Documents and Settings\Claude et Francine\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\Claude et Francine\NTUSER.DAT.LOG Object is
locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked
skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local
Settings\Historique\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped


C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked
skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked
skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\QooBox\Quarantine\C\mhyvfa.exe2.vir Infected:
Trojan-Downloader.Win32.Agent.kgo skipped

C:\QooBox\Quarantine\C\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll.vir
Infected: Trojan.Win32.Agent.feh skipped

C:\QooBox\Quarantine\C\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll.vir
Infected: Trojan-Downloader.Win32.BHO.ct skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\wlqcwpji.dll.vir Infected:
not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-05_192706.08.zip/fccbcdb.dll Infected:
not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-05_192706.08.zip/rqrqq.dll Infected:
not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-05_192706.08.zip ZIP: infected - 2
skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP483\A0039880.dll
Infected: Trojan.Win32.Dialer.yz skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP484\A0039883.exe
Infected: Trojan-Downloader.Win32.Agent.kgo skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039942.dll
Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039943.scr
Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039944.EXE
Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039945.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039946.EXE
Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039947.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039949.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039950.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039951.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039952.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039953.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039954.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039955.SCR
Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039956.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039957.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039958.EXE
Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039959.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039960.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039961.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039963.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039964.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039966.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039968.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039969.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
 
page 2 of 2


C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039970.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039972.EXE
Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039973.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039974.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039983.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039984.DLL
Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039994.dll
Infected: Trojan.Win32.Dialer.yz skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/keygen.exe
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/patch.exe
Infected: Trojan.Win32.Dialer.yz skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/install.exe
Infected: Trojan-Downloader.Win32.Small.irm skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar
Infected: Trojan-Downloader.Win32.Small.irm skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe
RarSFX: infected - 4 skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040028.exe
Infected: Trojan-Downloader.Win32.Small.irm skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040031.exe
Infected: Trojan-Downloader.Win32.Agent.keu skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040032.exe
Infected: Trojan-Downloader.Win32.Agent.keu skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040033.exe
Infected: Trojan-Dropper.Win32.Agent.eya skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP498\A0043542.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP498\A0043543.exe
Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043869.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043870.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043871.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0043872.dll
Infected: Trojan.Win32.Dialer.yz skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044231.exe
Infected: Trojan-Downloader.Win32.Small.iuq skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044232.exe
Infected: Trojan-Downloader.Win32.Small.iuq skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044233.exe
Infected: Trojan-Downloader.Win32.Small.iuq skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044234.exe
Infected: Trojan-Downloader.Win32.Small.iuq skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044235.exe
Infected: Trojan-Downloader.Win32.Small.iuq skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044236.exe
Infected: Trojan-Downloader.Win32.Small.iuq skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044237.exe
Infected: Trojan-Dropper.Win32.Agent.fbe skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044238.exe
Infected: Trojan-Dropper.Win32.Agent.fbe skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044239.dll
Infected: Trojan-Dropper.Win32.Agent.eya skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP499\A0044245.inf
Infected: Trojan-Downloader.Win32.Agent.kgo skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045407.dll
Infected: Trojan.Win32.Agent.feh skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045408.dll
Infected: Trojan-Downloader.Win32.BHO.ct skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045594.exe
Infected: Trojan-Downloader.Win32.Agent.hyy skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045595.sys
Infected: not-a-virus:FraudTool.Win32.UltimateDefender.cm skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045596.exe
Infected: Trojan-Downloader.Win32.Agent.hyy skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045597.dll
Infected: Trojan.Win32.Dialer.yz skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045598.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045599.exe
Infected: Trojan-Downloader.Win32.Adload.ma skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045601.exe
Infected: Trojan-Downloader.Win32.Adload.ma skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045602.exe
Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045603.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045604.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045605.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\change.log
Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{AB8B9527-B429-4943-A46A-EF4E258D03A4}.bin
Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hi

That's ok :)

Empty this folder:

C:\QooBox\Quarantine

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
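The reply above sorts the scanner's findings by where they sit on disk: the C:\QooBox\Quarantine folder, System Restore points, and everything else. The following is an added example, not part of the original thread, that does the same sorting from the wrapped text report; the function names are hypothetical and the sample is a short excerpt of the report posted above.

```python
import re
from collections import defaultdict

# Excerpt of the text report posted in this thread. Entries are separated by
# blank lines and hard-wrapped over two or three lines.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Claude et Francine\NTUSER.DAT Object is locked
skipped

C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro
- Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0002 Infected:
not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\wlqcwpji.dll.vir Infected:
not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-03-05_192706.08.zip ZIP: infected - 2
skipped

C:\System Volume
Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP500\A0045597.dll
Infected: Trojan.Win32.Dialer.yz skipped
"""

# One entry = path, then a verdict, a container summary ("ZIP: infected - 2")
# or "Object is locked", then the last action ("skipped").
ENTRY_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<container>[A-Za-z]+): infected - \d+"
    r"|(?P<locked>Object is locked)) skipped$"
)


def location(path):
    """Classify a reported path by the storage area it belongs to."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"        # copies set aside by the removal tool
    if "\\system volume information\\_restore{" in p:
        return "system_restore"    # copies kept inside restore points
    return "live"                  # anywhere else on the file system


def parse_report(text):
    """Return one dict per report entry, undoing the hard line wrapping."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        line = " ".join(block.split())
        m = ENTRY_RE.search(line)
        if not m:
            continue  # headers, statistics, "Scan process completed."
        kind = "locked" if m["locked"] else "container" if m["container"] else "infected"
        entries.append({"path": m["path"], "kind": kind,
                        "name": m["name"], "where": location(m["path"])})
    return entries


def triage(entries):
    """Group detection names by location; count locked (unscanned) objects."""
    detections = defaultdict(set)
    locked = 0
    for e in entries:
        if e["kind"] == "infected":
            detections[e["where"]].add(e["name"])
        elif e["kind"] == "locked":
            locked += 1
    return {"locked": locked,
            "detections": {k: sorted(v) for k, v in detections.items()}}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print("locked, not scanned:", result["locked"])
    for where, names in sorted(result["detections"].items()):
        print(where, "->", ", ".join(names))
```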
 
Good morning !

So far so good Shaba, everything seems to be working as it used to here on the PC. I sure owe you one !!

korg
 
No Shaba, there is only Norton Anti-virus. As firewall I use Windows' and have been told to use Comodo instead. Comodo is kind of partially installed now (the icon is present on the lower right side of the task bar but with no color). When trying to install it a few days ago, it stalled. I plan to have it running and deactivate Windows firewall in the days to come, any advice on that issue?
 