Virtumonde infection problem

korg2008

New member
Hello, I've been trying to get rid of Virtumonde with Spybot, but it really sticks to my PC. As read in «Before you post», I paste the HJT log and the Kaspersky log report. I hope it fits in the same message.

Thanks in advance for your help, it will be deeply appreciated.


Note: after trying to post here, it appears my message was too long (28,219 characters instead of the 20,000 allowed). I am cutting away the end part of the Kaspersky log report and will wait for your instructions. Thanks again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:57, on 2008-03-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvgid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Fichiers communs\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Assistant d'Acrobat.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O21 - SSODL: DriveRunOnce - {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
O21 - SSODL: zip - {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8277 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 3:28:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 594402
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 116120
Number of viruses found: 31
Number of infected objects: 83
Number of suspicious objects: 5
Duration of the scan process: 03:35:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Thu, 25 Apr 2002 21:28:48 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:48:10 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:51:27 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED/assurance.bat Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx Mail MS Outlook 5: infected - 2, suspicious - 5 skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\FHGYmUtT.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\gos14F6.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\win14F9.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6GFF5J12\1204512613[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6QGMS8MC\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQDTKLW0\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQESIAS1\1204510679[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\JPQN5ZYK\1204512663[1].exe Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\QGZ6RHJH\reijane[1].htm Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\mhyvfa.exe2 Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
 
Complete Kaspersky report (generated 2 days ago)

Hello Shaba, and thanks for the reply, I appreciate it.

Things are still the same: pop-up ad pages in Internet Explorer, a very slow computer at times, lots of warnings from Spybot and NAV. I clean with Spybot 2 to 3 times a day, on average 10 to 15 problems detected, always those two coming back: Virtumonde and Win32.Tiny.abk.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 03, 2008 3:28:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/03/2008
Kaspersky Anti-Virus database records: 594402
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 116120
Number of viruses found: 31
Number of infected objects: 83
Number of suspicious objects: 5
Duration of the scan process: 03:35:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Thu, 25 Apr 2002 21:28:48 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:48:10 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sat, 04 May 2002 02:51:27 -0400]/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED/assurance.bat Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?R=E9jean_Couture?= <courej@videotron.ca>][Date Date header was inserted by "TELUS Quebec"]/UNNAMED Infected: Email-Worm.Win32.Magistr.b skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED/html Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx/[From =?iso-8859-1?Q?Fran=E7ois_Gauthier?= <vauquelin@videotron.ca>][Date Sun, 14 Apr 2002 02:34:37 -0400]/UNNAMED Suspicious: not-a-virus:URL.IDFrame skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Identities\{E642F95F-BA10-4F4A-8ABF-BB9DE79BF305}\Microsoft\Outlook Express\Condorcet.dbx Mail MS Outlook 5: infected - 2, suspicious - 5 skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\FHGYmUtT.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\gos14F6.tmp Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temp\win14F9.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6GFF5J12\1204512613[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\6QGMS8MC\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQDTKLW0\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\CQESIAS1\1204510679[1].exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\JPQN5ZYK\1204512663[1].exe Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\Documents and Settings\Claude et Francine\Local Settings\Temporary Internet Files\Content.IE5\QGZ6RHJH\reijane[1].htm Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Claude et Francine\Mes documents\Mes images\Véro - Reno\Bienvenue Renaud\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Claude et Francine\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Historique\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\mhyvfa.exe2 Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\2C1176CD Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\5519725A.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\610F2110 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\621671A5 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\627F3132 Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\Program Files\Norton AntiVirus\Quarantine\69FA55AA.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Norton AntiVirus\Quarantine\69FA55AA.tmp Infected: Trojan-Downloader.Win32.Zlob.hts skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B064884.exe Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B064884.sys Infected: not-a-virus:FraudTool.Win32.UltimateDefender.bi skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B097280.txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B341451.exe Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6B341451.txt Infected: Trojan-Downloader.Win32.Agent.hyy skipped
C:\Program Files\Norton AntiVirus\Quarantine\6DD7076A.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\Program Files\Norton AntiVirus\Quarantine\6F07481B.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\Program Files\Norton AntiVirus\Quarantine\734855FE Infected: Trojan.Win32.Dialer.yz skipped
C:\Program Files\Norton AntiVirus\Quarantine\734C7FFB Infected: Trojan.Win32.Dialer.yz skipped
C:\Program Files\Norton AntiVirus\Quarantine\7B0248ED Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP483\A0039880.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP484\A0039883.exe Infected: Trojan-Downloader.Win32.Agent.kgo skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039942.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039943.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039944.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039945.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039946.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039947.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039949.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039950.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039951.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039952.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039953.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039954.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039955.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039956.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039957.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039958.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039959.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039960.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039961.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039963.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039964.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039966.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039968.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039969.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039970.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039972.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039973.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039974.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039983.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039984.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP486\A0039994.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/patch.exe Infected: Trojan.Win32.Dialer.yz skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe/data.rar Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040026.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040028.exe Infected: Trojan-Downloader.Win32.Small.irm skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040031.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040032.exe Infected: Trojan-Downloader.Win32.Agent.keu skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP487\A0040033.exe Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\System Volume Information\_restore{893DEF6B-24B3-4986-8947-FB66B2C36C7D}\RP494\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\qwetab.inf Object is locked skipped
C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll Infected: Trojan.Win32.Agent.feh skipped
C:\WINDOWS\Installer\{9d864a43-586d-41b6-ab85-431194e5c189}\zip.dll Infected: Trojan-Dropper.Win32.Agent.eya skipped
C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll Infected: Trojan-Downloader.Win32.BHO.ct skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A8CB5819-C464-4D89-866F-5CABCA5BA0A5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\fccbcdb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\tmmudjmv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winivstr.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\WINDOWS\system32\winmbw32.dll Infected: Trojan.Win32.Dialer.yz skipped
C:\WINDOWS\Temp\win22.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
Hi

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Rename HijackThis.exe to korg2008.exe

After that:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double-click ComboFix.exe and follow the prompts.
3. When finished, it will produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happens, we want to know, and also which process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
Confirm instructions

Hello Shaba, just to make sure: do you want me to go all the way with #1 and then set up #2 to #5? Or do you want me to do the settings #2 to #5 before #1? Presently Spybot is in Advanced Mode but TeaTimer is resident.

I am now posting this in WXP Safe Mode; Normal Mode is getting almost impossible to work with, since Norton AV and Spybot pop up a continuous flow of warning windows.

I'm standing by for your answer

korg
 
Good morning Shaba,

I went through the process in numerical order. It worked fine, apart from Norton AV Auto-Protect trying to kill ComboFix during the procedure. I had a chance to deactivate NAV, so ComboFix ended normally.

For a few days now, there are always 3 windows popping up when rebooting:

1- Windows' ID window (about, version, etc.)
2- RUNDLL not finding C:\windows\system32\drvgid.dll
3- RUNDLL not finding C:\windows\system32\drvlaz.dll

I haven't rebooted yet (in Normal Mode) after the ComboFix procedure.

The following posts contain the HJT log and the ComboFix report.

korg
 
ComboFix 08-03-05.1 - Claude et Francine 2008-03-05 19:18:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.33.1036.18.426 [GMT -5:00]
Location: C:\Documents and Settings\Claude et Francine\Bureau\ComboFix.exe
* Creating a new restore point

WARNING - THE RECOVERY CONSOLE IS NOT INSTALLED ON THIS MACHINE !!
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ucleaner_setup.exe
C:\WINDOWS\BMf37770d9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fccbcdb.dll
C:\WINDOWS\system32\hrjmhybf.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\merrxneu.dll
C:\WINDOWS\system32\qqrqr.ini
C:\WINDOWS\system32\qqrqr.ini2
C:\WINDOWS\system32\rqrqq.dll
C:\WINDOWS\system32\uenxrrem.ini
C:\WINDOWS\system32\winmbw32.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wlqcwpji.dll

.
((((((((((((((((((((((((((((( Files created 2008-02-06 to 2008-03-06 ))))))))))))))))))))))))))))))))))))
.

2008-03-05 06:37 . 2008-03-05 06:38 76,303 --a------ C:\Program Files\udefender_setup.exe
2008-03-05 06:32 . 2008-03-05 06:32 <DIR> d-------- C:\Program Files\IE Extensions
2008-03-05 06:32 . 2008-03-05 06:32 16,520 --a------ C:\Program Files\tmp34768073.exe
2008-03-05 06:32 . 2008-03-05 06:32 16,496 --a------ C:\Program Files\tmp34768544.exe
2008-03-05 06:32 . 2008-03-05 06:32 13,556 --a------ C:\Program Files\tmp34770447.exe
2008-03-05 06:32 . 2008-03-05 06:32 13,472 --a------ C:\Program Files\tmp34770327.exe
2008-03-05 06:31 . 2008-03-05 06:31 16,616 --a------ C:\Program Files\tmp34768163.exe
2008-03-05 06:31 . 2008-03-05 06:31 16,436 --a------ C:\Program Files\tmp34767783.exe
2008-03-04 19:13 . 2008-03-04 19:13 <DIR> d-------- C:\Program Files\COMODO
2008-03-04 19:13 . 2008-03-04 19:13 <DIR> d-------- C:\Documents and Settings\Claude et Francine\Application Data\Comodo
2008-03-04 19:13 . 2008-03-04 20:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-04 19:13 . 2008-03-04 19:13 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-03-04 19:13 . 2008-03-04 19:13 84,856 --a------ C:\WINDOWS\system32\drivers\cmdguard.sys
2008-03-04 19:13 . 2008-03-04 19:13 23,800 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2008-03-04 15:26 . 2008-03-04 15:27 <DIR> d-------- C:\Downloads mars 2008
2008-03-03 22:47 . 2008-03-03 22:47 13,460 --a------ C:\Program Files\tmp9833900.exe
2008-03-03 22:44 . 2008-03-03 22:44 16,468 --a------ C:\Program Files\tmp9641774.exe
2008-03-03 16:38 . 2008-03-03 16:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-03 11:19 . 2008-03-03 11:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-03 11:19 . 2008-03-03 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 08:30 . 2008-03-03 08:30 <DIR> d--h----- C:\WINDOWS\PIF
2008-03-02 22:33 . 2008-03-02 22:38 339 --a------ C:\WINDOWS\wininit.ini
2008-03-02 22:04 . 2008-03-02 22:04 <DIR> d-------- C:\Program Files\SysCleaner
2008-03-02 21:13 . 2008-03-02 21:12 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-02 21:13 . 2008-03-02 21:13 2,568 --a------ C:\WINDOWS\unins000.dat
2008-03-02 20:48 . 2008-03-02 21:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-02 20:48 . 2008-03-02 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-02 19:08 . 2008-03-02 19:08 58,368 --a------ C:\mhyvfa.exe2
2008-03-02 19:08 . 2008-03-02 19:08 50,688 --a------ C:\mmesckoj.exe2
2008-03-02 19:07 . 2008-03-02 19:07 145 --a------ C:\WINDOWS\system32\winver.bat2
2008-03-02 18:57 . 2008-03-02 18:57 <DIR> dr-h----- C:\~MSSETUP.T
2008-02-26 23:06 . 2008-02-26 23:06 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-12 16:48 . 2008-02-12 16:48 <DIR> d-------- C:\Program Files\SunNetPro
2008-02-12 16:46 . 2008-02-12 16:46 <DIR> d-------- C:\WINDOWS\Downloaded Installations

.
(((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:21 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Skype
2008-03-03 21:30 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\skypePM
2008-03-03 15:12 --------- d-----w C:\Program Files\eMule
2008-03-03 14:12 --------- d-----w C:\Program Files\Fichiers communs\InstallShield
2008-03-03 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-06 00:37 --------- d-----w C:\Documents and Settings\Claude et Francine\Application Data\Apple Computer
2008-02-06 00:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-06 00:35 --------- d-----w C:\Program Files\QuickTime
2008-02-05 12:09 --------- d-----w C:\Program Files\DivX
2007-12-20 14:08 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not listed

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 07:00 15360]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-04-04 11:55 71304]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-11-25 11:18 100056]
"TkBellExe"="C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" [2006-12-22 20:55 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-13 20:10 409600]
"LVCOMS"="C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 15:16 90112]
"LogitechGalleryRepair"="C:\Program Files\Logitech\ImageStudio\ISStart.exe" [2002-09-11 12:58 155648]
"LogitechImageStudioTray"="C:\Program Files\Logitech\ImageStudio\LogiTray.exe" [2002-09-11 12:57 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-05 19:25 385024]
"MSDrive"="C:\WINDOWS\system32\drvgid.dll" [ ]
"MSDisp32"="C:\WINDOWS\system32\drvlaz.dll" [ ]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-04 19:13 1502976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 07:00 15360]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [2004-03-26 16:26 54384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DriveRunOnce"= {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll [2008-03-02 19:07 14374]
"zip"= {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll [2008-03-02 19:07 38438]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\WINDOWS\\system32\\CIMSVR.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-23 12:47]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2004-08-19 10:53]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 16:28]
S2 BulkUsb;USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 22:58]
S3 LVBulk;LVBulk Service;C:\WINDOWS\system32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\system32\DRIVERS\LV551AV.sys [2002-06-10 14:24]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-25 11:07:26 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur - Claude et Francine.job"
- C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
"2008-03-01 11:12:53 C:\WINDOWS\Tasks\Norton AntiVirus - Analyser mon ordinateur.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/task:
"2008-03-06 00:39:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 19:27:45
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes ...

Scanning hidden autostart entries ...

Scanning hidden files ...

Scan completed successfully
Hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
.
--------------------- DLLs loaded under running processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
-> C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-03-05 19:39:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-06 00:39:39
.
2008-02-14 08:04:30 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:41:57, on 2008-03-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\korg2008.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvgid.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvlaz.dll,startup
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICE RÉSEAU')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJ
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Organise-notes - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164334497897
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHIE~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O21 - SSODL: DriveRunOnce - {26df807e-b39e-4869-95c8-99227e6ae380} - C:\WINDOWS\Installer\{26df807e-b39e-4869-95c8-99227e6ae380}\DriveRunOnce.dll
O21 - SSODL: zip - {d0c92054-3a74-4c01-8bed-653c9da6f396} - C:\WINDOWS\Installer\{d0c92054-3a74-4c01-8bed-653c9da6f396}\zip.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8211 bytes
 
Hi

2. and 3. will go away very soon.

If Norton does that, please deactivate it just before future ComboFix runs.

Before that:

* Download GMER from here:
Unzip it and start GMER.exe.
Click the Rootkit tab and click Scan.

Once done, click the Copy button.
This will copy the results to the clipboard.
Paste the results in your next reply.
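The logs in this thread carry the indicators a helper reads by eye: Run values whose file is already gone (the `[ ]` after drvgid.dll, drvlaz.dll and braviax.exe, which is exactly what produces the two RUNDLL dialogs the poster describes), Security Center notifications switched off, a kernel service called qwetab whose ImagePath is an .inf file, and GMER's SSDT entries redirected into that same file. The script below is an added example, not code from this thread, from ComboFix, GMER or HijackThis. Its sample input is a handful of lines copied from the ComboFix and GMER output posted here (not a complete log), its regular expressions assume the line formats seen in those logs (ComboFix's `"name"="path" [timestamp size]` with an empty `[ ]` when the file is missing; GMER's `SSDT <handler> <Zw function>` lines), and the finding tags are names chosen for this example.

```python
"""Triage helper for pasted ComboFix / GMER output (added example, not a tool
from this thread).  It flags the kinds of lines a malware-removal helper reads
by eye: autostart entries whose file is gone, Security Center notifications
switched off, a kernel service whose image is not a driver, and SSDT entries
redirected into a module."""
import re

# Constructed sample: a handful of lines copied from the ComboFix and GMER
# output posted in this thread, not a complete log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe" [2006-04-04 11:55 71304]
"MSDrive"="C:\WINDOWS\system32\drvgid.dll" [ ]
"MSDisp32"="C:\WINDOWS\system32\drvlaz.dll" [ ]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"

SSDT 83A1E328 ZwConnectPort
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwCreateKey [0xF7860A58] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwOpenKey [0xF7860B0C] <-- ROOTKIT !!!
"""

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')
# "name"="value" followed by ComboFix's optional [timestamp size] bracket;
# an empty bracket "[ ]" means the referenced file does not exist on disk.
STRING_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(.*?)\])?$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
SSDT_RE = re.compile(r'^SSDT\s+(\S+)\s+(Zw\w+)')
ADDR_RE = re.compile(r'[0-9A-Fa-f]{8}')
DRIVER_EXTS = ("sys", "exe")   # what a service ImagePath is expected to end in


def find_indicators(log_text):
    """Return a list of (tag, detail) tuples for suspicious lines."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = SSDT_RE.match(line)
        if m:
            handler, syscall = m.groups()
            # A bare address means GMER could not attribute the hook to a
            # module (often a security product); a path names the hooker.
            tag = "ssdt_hook_unattributed" if ADDR_RE.fullmatch(handler) else "ssdt_hook"
            findings.append((tag, f"{syscall} -> {handler}"))
            continue
        m = DWORD_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            if ("security center" in current_key and value == 1
                    and name.lower().endswith(("disablenotify", "disablemonitoring"))):
                findings.append(("security_center_suppressed", name))
            continue
        m = STRING_RE.match(line)
        if not m:
            continue
        name, target, meta = m.groups()
        if current_key.endswith("\\run") and meta is not None and not meta.strip():
            # Persisting Run value whose file was deleted: this is what
            # produces a "RUNDLL ... not found" dialog at every logon.
            findings.append(("missing_autostart", f"{name} -> {target}"))
        elif "\\services\\" in current_key and name.lower() == "imagepath":
            service = current_key.rsplit("\\", 1)[-1]
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            if ext not in DRIVER_EXTS:
                findings.append(("service_image_not_driver", f"{service} -> {target}"))
    return findings


def summarize(findings):
    """Count findings per tag, e.g. {'missing_autostart': 3, ...}."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    results = find_indicators(SAMPLE_LOG)
    for tag, detail in results:
        print(f"{tag:28} {detail}")
    print(summarize(results))
```

Run against the sample, the three `missing_autostart` findings are the Run values behind the poster's RUNDLL dialogs, and the `service_image_not_driver` finding names the same `qwetab.inf` path that the two `ssdt_hook` findings point at, which is the link between the ComboFix service entry and GMER's "ROOTKIT" lines. The unattributed `ZwConnectPort` hook is deliberately kept separate: GMER shows only an address for it, so the script does not claim to know who installed it.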
 
Gmer Report

Hello Shaba,

My GMER report contains approx. 96k characters; what do you propose for me to send it?
 
Gmer page 1 of 5

I sliced the report. Hope you can work with this.

page 1 of 5

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-06 07:08:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 83A1E328 ZwConnectPort
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwCreateKey [0xF7860A58] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwOpenKey [0xF7860B0C] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwTerminateProcess [0xF78627D2] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

.text qwetab.inf F78600FD 62 Bytes CALL F7860102 \??\C:\WINDOWS\inf\qwetab.inf
.text qwetab.inf F786013C 102 Bytes [ 00, 00, 8D, B5, 6B, 04, 00, ... ]
.text qwetab.inf F78601A3 557 Bytes [ 00, 00, 00, 00, 81, C7, 1C, ... ]
.text qwetab.inf F78603D1 289 Bytes [ 44, C7, 45, F0, 00, 00, 00, ... ]
.text qwetab.inf F78604F3 143 Bytes [ 7D, FC, 8B, 7F, 1C, 03, 7D, ... ]
.text ...
.text C:\WINDOWS\inf\qwetab.inf section is writeable [0xF7860000, 0x6F78, 0xE8000020]
? C:\WINDOWS\inf\qwetab.inf The specified file could not be found.

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
 
Gmer report re-slice

Part 2 was too big, so I re-sliced the whole report into 6 pieces; here it is:

page 1 of 6

GMER 1.0.14.14116 - http://www.gmer.net
Rootkit scan 2008-03-06 07:08:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 83A1E328 ZwConnectPort
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwCreateKey [0xF7860A58] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwOpenKey [0xF7860B0C] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\inf\qwetab.inf ZwTerminateProcess [0xF78627D2] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.14 ----

.text qwetab.inf F78600FD 62 Bytes CALL F7860102 \??\C:\WINDOWS\inf\qwetab.inf
.text qwetab.inf F786013C 102 Bytes [ 00, 00, 8D, B5, 6B, 04, 00, ... ]
.text qwetab.inf F78601A3 557 Bytes [ 00, 00, 00, 00, 81, C7, 1C, ... ]
.text qwetab.inf F78603D1 289 Bytes [ 44, C7, 45, F0, 00, 00, 00, ... ]
.text qwetab.inf F78604F3 143 Bytes [ 7D, FC, 8B, 7F, 1C, 03, 7D, ... ]
.text ...
.text C:\WINDOWS\inf\qwetab.inf section is writeable [0xF7860000, 0x6F78, 0xE8000020]
? C:\WINDOWS\inf\qwetab.inf Le fichier spécifié est introuvable.

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe[172] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Logitech\QCDriver2\LVCOMS.EXE[452] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[516] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[516] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\services.exe[560] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[560] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\lsass.exe[572] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[572] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 009353E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] ntdll.dll!LdrUnloadDll 7C92718B 3 Bytes JMP 00935310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] ntdll.dll!LdrUnloadDll + 4 7C92718F 1 Byte [ 84 ]
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 00934FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 009316C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 00931540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 00931850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 00931220 C:\WINDOWS\system32\guard32.dll
 
page 2 of 6

.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 009313B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ A3, 88 ]
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 00934CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\ImageStudio\LogiTray.exe[608] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 00934E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[732] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[732] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[780] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[780] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Microsoft Shared\VS7DEBUG\MDM.EXE[856] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\svchost.exe[864] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[864] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[952] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[952] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Norton AntiVirus\navapsvc.exe[976] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[992] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
 
page 3 of 6

.text C:\WINDOWS\system32\pctspk.exe[1036] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\pctspk.exe[1036] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\pctspk.exe[1036] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe[1272] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe[1312] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\Explorer.EXE[1336] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1336] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] USER32.DLL!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] USER32.DLL!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] USER32.DLL!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\DOCUME~1\CLAUDE~1\LOCALS~1\Temp\Rar$EX01.239\gmer.exe[1496] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1568] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1684] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1684] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1704] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[1832] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[1832] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Fichiers communs\Symantec Shared\Security Center\SymWSC.exe[1872] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1932] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\Mixer.exe[2044] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Mixer.exe[2044] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\WinRAR\WinRAR.exe[2112] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] OLE32.DLL!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2112] OLE32.DLL!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cfp.exe[2388] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\alg.exe[3020] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[3020] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Messenger\msmsgs.exe[3432] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Messenger\msmsgs.exe[3432] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Outlook Express\msimn.exe[3468] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[3468] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\WINDOWS\System32\svchost.exe[3500] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[3500] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!NtClose 7C91D586 5 Bytes JMP 100053E0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ntdll.dll!LdrUnloadDll 7C92718B 5 Bytes JMP 10005310 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] GDI32.dll!BitBlt 77EF6F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] GDI32.dll!CreateDCA 77EFB221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] GDI32.dll!CreateDCW 77EFBE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] GDI32.dll!CreateDCW + 3 77EFBE64 2 Bytes [ 10, 98 ]
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamW 7E3A555F 5 Bytes JMP 4437F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamW 7E3B2032 5 Bytes JMP 445117EF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectA 7E3BA04A 5 Bytes JMP 44511770 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxParamA 7E3BB10C 5 Bytes JMP 445117B4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExW 7E3D05D8 5 Bytes JMP 445116FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxExA 7E3D05FC 5 Bytes JMP 44511736 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!DialogBoxIndirectParamA 7E3D6B50 5 Bytes JMP 4451182A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!EndTask 7E3D9E75 5 Bytes JMP 10004FB0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!MessageBoxIndirectW 7E3E62AB 5 Bytes JMP 443A16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!mouse_event 7E3E6515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] USER32.dll!keybd_event 7E3E6559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ole32.dll!CoCreateInstanceEx 774BFA6B 5 Bytes JMP 10004CE0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[4040] ole32.dll!CoGetClassObject 774D5DB2 5 Bytes JMP 10004E50 C:\WINDOWS\system32\guard32.dll

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [005B3750] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassA] [005B38F0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CallWindowProcA] [005B36B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [005B3750] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [005B3390] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawFrameControl] [005B3A90] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DrawEdge] [005B2D70] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetScrollInfo] [005B35A0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetScrollInfo] [005B3470] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SystemParametersInfoW] [005B39B0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetSysColor] [005B3350] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CallWindowProcW] [005B3610] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!RegisterClassW] [005B3950] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DefWindowProcW] [005B37E0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [005B3BA0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [005B3BF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetModuleHandleA] [005B3C40] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread] [005B3870] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [005B3AF0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [005B3B60] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)
IAT C:\Program Files\COMODO\Firewall\cfp.exe[2388] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [005B3CD0] C:\Program Files\COMODO\Firewall\cfp.exe (COMODO Firewall Pro/COMODO)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs qwetab.inf

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip qwetab.inf

Device \Driver\NAVEX15 \Device\NAVEX15 F1BB88CE

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp qwetab.inf

Device \Driver\NAVENG \Device\NAVENG F1B5E2A9

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp qwetab.inf
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp qwetab.inf

Device \Driver\SYMTDI \Device\SymTDI qwetab.inf

AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\inf\qwetab.inf (*** hidden *** ) [SYSTEM] qwetab <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab@ImagePath \??\C:\WINDOWS\inf\qwetab.inf
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab\Security
Reg HKLM\SYSTEM\ControlSet002\Services\qwetab\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab@ImagePath \??\C:\WINDOWS\inf\qwetab.inf
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\qwetab\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@Start 1
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab@ImagePath \??\C:\WINDOWS\inf\qwetab.inf
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab\Security
Reg HKLM\SYSTEM\ControlSet004\Services\qwetab\Security@Security 0x01 0x00 0x14 0x80 ...

---- EOF - GMER 1.0.14 ----
 
Comodo

Comodo firewall seems to take a lot of room in the forwarded report; please note it was installed after the infection began. I'm not really sure if I must deactivate Windows' own firewall to have it running, but this is a smaller problem.

Thanks again

korg
 
By the way Shaba, things have smoothed out a lot here on the PC: pop-ups and IE re-routing to unwanted pages seem to have dropped quite a bit.
 