
malware wont let me run software to get rid of it [Moved]


17 replies to this topic

#1 duneglow


Posted 08 August 2009 - 05:20 AM

I don't know what else to do. I have this malware that generates pop-ups and has killed my Spybot S&D and Malwarebytes.
It won't let me do System Restore and has crippled the antivirus that I installed to get rid of it.
It won't let me run HijackThis.
It basically detects anything that is about to kill it and stops it in its tracks.
When I try to run any anti-spyware application, it gives me this message:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I have also tried running Malwarebytes in Safe Mode and that didn't work either.

I'm running Windows Vista, and both Norton Antivirus and Kaspersky are expired.

Please help

Thank you

Edited by duneglow, 08 August 2009 - 05:24 AM.




#2 Orange Blossom


Posted 08 August 2009 - 10:49 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript


#3 duneglow


Posted 08 August 2009 - 11:52 AM

Can somebody help me please?

#4 DaChew


Posted 08 August 2009 - 12:19 PM

Let's get a good look at what's running on that computer.

Please download and run Process Explorer:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File > Save As, create a log and post it here.

Copy and paste it into a reply.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
Chewy

No. Try not. Do... or do not. There is no try.

#5 duneglow


Posted 08 August 2009 - 02:25 PM

Hi DaChew,

I greatly appreciate your help.

DaChew, I did as you posted and couldn't get GMER to work in normal mode or in Safe Mode.
The application starts a scan, then it prompts for a full scan; I said no as advised and then clicked on the "Scan" button. The scan runs, but then it just quits.

I did manage to get a log from Process Explorer (see below):

Process PID CPU Description Company Name
System Idle Process 0 74.84
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 428
csrss.exe 556
wininit.exe 604
services.exe 652
svchost.exe 848
mobsync.exe 4824 Microsoft Sync Center Microsoft Corporation
svchost.exe 904
svchost.exe 936
svchost.exe 1028
audiodg.exe 1208
svchost.exe 1052
WUDFHost.exe 2508
dwm.exe 4024 Desktop Window Manager Microsoft Corporation
svchost.exe 1088
taskeng.exe 2532
taskeng.exe 4016 Task Scheduler Engine Microsoft Corporation
taskeng.exe 712
OrbTray.exe 2088
Orb.exe 4692
msa.exe 2328 2.31
wuauclt.exe 1108 Windows Update Automatic Updates Microsoft Corporation
taskeng.exe 516
SLsvc.exe 1252
svchost.exe 1296
svchost.exe 1456
spoolsv.exe 1640
svchost.exe 1664
apache.exe 1960
apache.exe 2416
AppleMobileDeviceService.exe 2000
ASTSRV.EXE 2012
AdskScSrv.exe 2024
avp.exe 2040
mDNSResponder.exe 268
LSSrvc.exe 420
mysqld-nt.exe 1196
svchost.exe 1424
svchost.exe 1552
StarWindServiceAE.exe 1816
svchost.exe 2116
svchost.exe 2156
SearchIndexer.exe 2180
SearchProtocolHost.exe 4176
SearchFilterHost.exe 4796
XAudio.exe 2344
SDWinSec.exe 2500
wmpnetwk.exe 824
iPodService.exe 5720
TrustedInstaller.exe 6076
lsass.exe 664
lsm.exe 672
csrss.exe 616
winlogon.exe 740
GoogleUpdate.exe 1448
GoogleCrashHandler.exe 2036
explorer.exe 2240 0.77 Windows Explorer Microsoft Corporation
MSASCui.exe 4188 Windows Defender User Interface Microsoft Corporation
hpsysdrv.exe 4204 hpsysdrv Hewlett-Packard Company
OSD.exe 4224 OsdMaestro main program OsdMaestro
RtHDVCpl.exe 4236 HD Audio Control Panel Realtek Semiconductor
hpwuSchd2.exe 4244 Hewlett-Packard Product Assistant Hewlett-Packard Co.
rundll32.exe 4288 Windows host process (Rundll32) Microsoft Corporation
Wm24Pan.exe 4296
loadwzco.exe 4304 WinZip E-Mail Companion OE launcher Nektra S.A./WinZip Computing, S.L.
issch.exe 4312 InstallShield Update Service Scheduler InstallShield Software Corporation
iTunesHelper.exe 4340 iTunesHelper Module Apple Inc.
avp.exe 4352 Kaspersky Anti-Virus Kaspersky Lab
realsched.exe 4368 RealNetworks Scheduler RealNetworks, Inc.
googletalk.exe 4384 Google Talk Google
sidebar.exe 4392 Windows Sidebar Microsoft Corporation
Skype.exe 4460 Skype Skype Technologies S.A.
msnmsgr.exe 4492 Windows Live Messenger Microsoft Corporation
wmpnscfg.exe 4636 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
TeaTimer.exe 5244 System settings protector Safer Networking Limited
HP Connections.exe 5372 HP Connections Hewlett Packard
firefox.exe 5016 14.66 Firefox Mozilla Corporation
notepad.exe 468 Notepad Microsoft Corporation
procexp.exe 5636 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
b.exe 3968 2.31
ctfmon.exe 5688
rundll32.exe 5228 Windows host process (Rundll32) Microsoft Corporation
Ymsgr_tray.exe 4152 Yahoo! Messenger Tray Yahoo! Inc.
kbd.exe 6140 KBD EXE Hewlett-Packard Company





Please advise as to what to do next.

Thank you, DaChew.

#6 DaChew


Posted 08 August 2009 - 02:37 PM

Try to get Defender, Kaspersky and TeaTimer turned off/disabled.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Will spybot even open?

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Edited by DaChew, 08 August 2009 - 02:37 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 duneglow


Posted 08 August 2009 - 03:10 PM

Dachew

I'm in the process of running Sophos Anti-Rootkit, and while deleting temp files as suggested by you, I noticed a file in there that won't let me delete it. It's named "b.exe".
Isn't that a virus?

#8 duneglow


Posted 08 August 2009 - 03:19 PM

And by the way, I was able to copy a portion of the GMER log before it stopped and quit (see below). I don't know if that will help. I'm going to run Sophos now:

GMER 1.0.15.15020 [2qczuz5g.exe] - http://www.gmer.net
Rootkit scan 2009-08-08 15:48:50
Windows 6.0.6000


---- System - GMER 1.0.15 ----

INT 0x72 ? 8643ADF0
INT 0x82 ? 84576BF8
INT 0x92 ? 84576BF8
INT 0xA2 ? 84576BF8
INT 0xA2 ? 84576BF8
INT 0xA2 ? 8643ADF0
INT 0xA2 ? 84576BF8
INT 0xB2 ? 84576BF8
INT 0xB2 ? 84576BF8
INT 0xB2 ? 84576BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spps.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8C272FEB 5 Bytes JMP 8643A3D0
.text a1xjx9pz.SYS 8CE64000 22 Bytes [8E, 71, FA, 82, 78, 70, FA, ...]
.text a1xjx9pz.SYS 8CE64017 74 Bytes [00, 99, 07, 24, 80, A4, 05, ...]
.text a1xjx9pz.SYS 8CE64062 84 Bytes [C8, 82, 58, 68, C5, 82, 8C, ...]
.text a1xjx9pz.SYS 8CE640B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a1xjx9pz.SYS 8CE640CE 80 Bytes [00, 00, 27, 00, 00, 00, E0, ...]
.text ...
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\msa.exe[1004] USER32.DLL!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Windows\msa.exe[1004] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Windows\msa.exe[1004] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Winamp Remote\bin\Orb.exe[1252] kernel32.dll!SetUnhandledExceptionFilter 76B6D177 5 Bytes JMP 00402CA0 C:\Program Files\Winamp Remote\bin\Orb.exe (Orb Application/Orb Networks, Inc.)
.text C:\Program Files\Winamp Remote\bin\Orb.exe[1252] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Winamp Remote\bin\Orb.exe[1252] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Winamp Remote\bin\Orb.exe[1252] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Winamp Remote\bin\orbtray.exe[1672] kernel32.dll!SetUnhandledExceptionFilter 76B6D177 5 Bytes JMP 00413A70 C:\Program Files\Winamp Remote\bin\orbtray.exe (Orb/Orb Networks)
.text C:\Program Files\Winamp Remote\bin\orbtray.exe[1672] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Winamp Remote\bin\orbtray.exe[1672] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Winamp Remote\bin\orbtray.exe[1672] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] USER32.DLL!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[4156] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[4156] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\iTunes\iTunesHelper.exe[4156] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Google\Google Talk\googletalk.exe[4292] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Google\Google Talk\googletalk.exe[4292] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Google\Google Talk\googletalk.exe[4292] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Windows Sidebar\sidebar.exe[4324] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Windows Sidebar\sidebar.exe[4324] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Windows Sidebar\sidebar.exe[4324] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[4532] user32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[4532] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Skype\Phone\Skype.exe[4532] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4604] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4604] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4604] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4776] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4776] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4776] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\HP Connections\6811507\Program\HP Connections.exe[4852] USER32.dll!IsThreadDesktopComposited + 3FD 7681BEB9 7 Bytes CALL 35672DB0 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\HP Connections\6811507\Program\HP Connections.exe[4852] GDI32.dll!SetROP2 + 90 768A89E7 7 Bytes CALL 35672DF8 \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
.text C:\Program Files\HP Connections\6811507\Program\HP Connections.exe[4852] GDI32.dll!CreateFontA + 9E 768B154B 7 Bytes CALL 35672DDC \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [807056D2] \SystemRoot\System32\Drivers\spps.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80705040] \SystemRoot\System32\Drivers\spps.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [807057FC] \SystemRoot\System32\Drivers\spps.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [807050BE] \SystemRoot\System32\Drivers\spps.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8070513C] \SystemRoot\System32\Drivers\spps.sys
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortCompleteRequest] 21642446
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 7E398CE7
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] C7077528
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortMoveMemory] 21902846
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortReadPortUshort] 468B8CE7
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7468016A
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\a1xjx9pz.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\ole32.dll [USER32.dll!CreateWindowExW] [0041831F] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\ole32.dll [USER32.dll!DialogBoxParamW] [004184A9] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\ole32.dll [USER32.dll!MessageBoxW] [004184B5] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\ole32.dll [USER32.dll!ShowWindow] [00418395] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\wininet.dll [USER32.dll!CreateWindowExW] [0041831F] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\wininet.dll [USER32.dll!MessageBoxW] [004184B5] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\wininet.dll [USER32.dll!SetWindowPos] [0041843F] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\wininet.dll [USER32.dll!DialogBoxParamW] [004184A9] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004182A9] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [0041831F] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamA] [004184A9] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DialogBoxParamW] [004184A9] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!MessageBoxW] [004184B5] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\shell32.dll [USER32.dll!MessageBoxW] [004184B5] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\shell32.dll [USER32.dll!CreateWindowExW] [0041831F] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\shell32.dll [USER32.dll!SetWindowPos] [0041843F] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\shell32.dll [USER32.dll!DialogBoxParamW] [004184A9] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\shell32.dll [USER32.dll!ShowWindow] [00418395] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\shell32.dll [USER32.dll!MessageBoxIndirectW] [004184A3] C:\Windows\msa.exe
IAT C:\Windows\msa.exe[1004] @ C:\Windows\system32\CRYPT32.dll [USER32.dll!MessageBoxW] [004184B5] C:\Windows\msa.exe
IAT C:\Program Files\Winamp Remote\bin\Orb.exe[1252] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Winamp Remote\bin\Orb.exe[1252] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Winamp Remote\bin\orbtray.exe[1672] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Winamp Remote\bin\orbtray.exe[1672] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74D9FD78] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74D6BBF1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74D5A31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74D5CBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74D58AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74D6D168] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74D57D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74D57CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74D56A54] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74DEC1BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74D780FE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74D590CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74D6223C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74D62267] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74D6771C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74D6753E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3972] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74D98585] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16683_none_9ea0f08ac96e2537\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\ole32.dll [USER32.dll!CreateWindowExW] [00416AB4] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\ole32.dll [USER32.dll!ShowWindow] [00416B2E] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\WININET.dll [USER32.dll!CreateWindowExW] [00416AB4] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\WININET.dll [USER32.dll!SetWindowPos] [00416BE0] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [00416A3A] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00416AB4] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\shell32.dll [USER32.dll!CreateWindowExW] [00416AB4] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\shell32.dll [USER32.dll!SetWindowPos] [00416BE0] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\shell32.dll [USER32.dll!ShowWindow] [00416B2E] C:\Users\duneglow\AppData\Local\Temp\b.exe
IAT C:\Program Files\iTunes\iTunesHelper.exe[4156] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\iTunes\iTunesHelper.exe[4156] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Google\Google Talk\googletalk.exe[4292] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Google\Google Talk\googletalk.exe[4292] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Windows Sidebar\sidebar.exe[4324] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Windows Sidebar\sidebar.exe[4324] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Skype\Phone\Skype.exe[4532] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Skype\Phone\Skype.exe[4532] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4604] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[4604] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[4776] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[4776] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\HP Connections\6811507\Program\HP Connections.exe[4852] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\HP Connections\6811507\Program\HP Connections.exe[4852] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 853361F8
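The "IAT" lines in the GMER log above are what point at the hidden module: a small parser, added here as an example and not part of the thread or of GMER, groups hooks by the module they resolve to and flags targets that live on a device path rather than an ordinary drive-letter file. The sample lines are copied from the log above; the self/file-backed/device-path categories are this example's own heuristic.

```python
"""Triage helper for GMER 'IAT' hook lines (added example, not from the thread)."""
import re
from collections import defaultdict

# One GMER IAT line has the shape:
#   IAT <process>[<pid>] @ <module> [<dll>!<function>] [<address>] <target> (<description>)
# where the trailing "(description)" is only present for known/signed modules.
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<target>.+?)(?:\s+\((?P<desc>[^)]*)\))?$"
)

# Heuristic used by this example: a hook that resolves to a file on a drive
# letter can at least be inspected on disk; one that resolves to a device path
# such as \\?\globalroot\Device\... is served by something hiding its file.
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_iat_line(line):
    """Parse one GMER IAT line into a dict; return None for any other line."""
    m = IAT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    if rec["target"] == rec["proc"]:
        rec["kind"] = "self"          # process rewired its own imports (packers do this)
    elif DRIVE_PATH_RE.match(rec["target"]):
        rec["kind"] = "file-backed"   # hook code lives in an ordinary on-disk DLL
    else:
        rec["kind"] = "device-path"   # hook code lives in a module with no normal path
    return rec


def summarize_hooks(lines):
    """Group hooks by target module: which processes and which imports it hooks."""
    summary = defaultdict(lambda: {"kind": None, "processes": set(), "imports": set()})
    for line in lines:
        rec = parse_iat_line(line)
        if rec is None:
            continue
        entry = summary[rec["target"]]
        entry["kind"] = rec["kind"]
        entry["processes"].add(rec["proc"])
        entry["imports"].add(rec["import"])
    return dict(summary)


def suspicious_targets(lines):
    """Device-path hook targets, the one hooking the most processes first."""
    summary = summarize_hooks(lines)
    flagged = [t for t, e in summary.items() if e["kind"] == "device-path"]
    return sorted(flagged, key=lambda t: -len(summary[t]["processes"]))


# Constructed sample: a few lines copied from the GMER log in this thread plus
# one non-IAT line, so that skipping of other log lines is exercised too.
SAMPLE = [
    r"IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\kernel32.dll "
    r"[ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll",
    r"IAT C:\Users\duneglow\AppData\Local\Temp\b.exe[4076] @ C:\Windows\system32\ole32.dll "
    r"[USER32.dll!CreateWindowExW] [00416AB4] C:\Users\duneglow\AppData\Local\Temp\b.exe",
    r"IAT C:\Program Files\iTunes\iTunesHelper.exe[4156] @ C:\Windows\system32\kernel32.dll "
    r"[ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll",
    r"IAT C:\Program Files\Mozilla Firefox\firefox.exe[4776] @ C:\Windows\system32\kernel32.dll "
    r"[ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\8E80CDE8.x86.dll",
    r"IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[6032] @ C:\Windows\system32\USER32.dll "
    r"[KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll "
    r"(Yahoo! Skinning Object/Yahoo! Inc.)",
    "---- Devices - GMER 1.0.15 ----",
]

if __name__ == "__main__":
    summary = summarize_hooks(SAMPLE)
    for target in suspicious_targets(SAMPLE):
        e = summary[target]
        print(f"{target}\n  hooked in {len(e['processes'])} process(es): "
              f"{', '.join(sorted(e['imports']))}")
```

Run against the full log, the same grouping shows one device-path module hooking the same two ntdll imports in every listed process, while the Yahoo skinning DLL hooks stay file-backed and carry a publisher description.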

#9 duneglow

duneglow
  • Topic Starter

  • Members
  • 10 posts

Posted 08 August 2009 - 05:26 PM

Hi Dachew

I followed the directions and ran Sophos and it is not working; it just gets stuck there doing nothing. At first I thought that it was working and doing its thing, but after an hour or so the progress bar was just not moving.
Please advise as to what to do next. Again, thank you very much for your help.

thank you

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 August 2009 - 05:39 PM

I think we need to cut our losses

http://www.prevx.com/filenames/21333905906...X1/MSA.EXE.html

This is just the tip of the iceberg

You have so many processes running the computer is too unstable for safe malware removal.


One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
Chewy

No. Try not. Do... or do not. There is no try.

#11 duneglow

duneglow
  • Topic Starter

  • Members
  • 10 posts

Posted 08 August 2009 - 06:41 PM

Hi Dachew

I'd still like to try to clean it even if there are no guarantees. Maybe clean it to the point where I can install good antivirus/malware software to prevent remote access.
I downloaded the software from that link and ran it, and unfortunately it started scanning, then it disappeared and I'm not able to open it again. Please advise.

thank you Dachew.

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 August 2009 - 07:06 PM

Let's try one last scan. If you can't shut off enough processes to get this to run, then I am out of ideas.

It's going to need your help

Use Process Explorer

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • Click on the Files tab at the bottom of the window, then click the Scan button.
  • In the Select Drives dialog (Please select drives to scan:), select your main drive (usually C), then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".
Chewy

No. Try not. Do... or do not. There is no try.

#13 duneglow

duneglow
  • Topic Starter

  • Members
  • 10 posts

Posted 08 August 2009 - 07:47 PM

Dachew

While deleting programs that I can do without in Windows Programs to free up processes, I came across a "Windows Antivirus Pro" installation. Is this Vista software or malware, and is it safe to just delete it through Control Panel?

#14 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 08 August 2009 - 07:52 PM

That's part of this infection

http://www.bleepingcomputer.com/virus-remo...s-antivirus-pro
Chewy

No. Try not. Do... or do not. There is no try.

#15 duneglow

duneglow
  • Topic Starter

  • Members
  • 10 posts

Posted 09 August 2009 - 11:43 AM

Hi Dachew

Again, thank you for taking the time to help me. It took a long time yesterday, but I was able to generate a report from Sophos last night. I couldn't use that last software that you gave me; it gives some type of error on opening. But here is the Sophos report:
Some of the .exe files that it reported, as you will recognize, are files that I tried to install to fight the malware, but for some reason I can't delete those files now.
All of the files that it reported are: Removable: Yes (but cleanup not recommended)

This is the only file that was Removable: No ----> Hidden: registry item \HKEY_USERS\.DEFAULT


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/8/2009 at 22:44:09 PM
User "duneglow" on computer "HOME"
Windows version 6.0 SP 0.0 build 6000 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Warning: Failed to query live registry key \HKEY_USERS.
You may not have access rights to the whole registry.
Incorrect function.
Hidden: registry item \HKEY_USERS\.DEFAULT
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\ht\HiJackThis\HijackThis.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\ews;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=10;sz=728x90,728x91;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=1;ord=3057725653659520[1].5
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\ws;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=10;sz=468x62,300x251;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=2;ord=3057725653659520[1].5
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\ews;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=10;sz=728x90,728x91;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=1;ord=3722496927764138[1].5
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVQO67X1\ws;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=10;sz=468x62,300x251;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=2;ord=3722496927764138[1].5
Hidden: file C:\Program Files\Prevx\prevx.exe
Hidden: file C:\WINDOWS\System32\mrt.exe
Hidden: file C:\WINDOWS\winsxs\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_6.0.6000.16386_none_6dd05aa63fde4065\WerFault.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVQO67X1\=0;page=category;playlisteverythree=false;playtimes=0;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=1;~cs=l[2].gif
Hidden: file C:\autoruns\Autoruns\autoruns.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\;playtimes=0;preroll_adid=216129164;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;dc_seed=216129164;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=3;~cs=z[1].gif
Hidden: file C:\Users\duneglow\Documents\RSIT.exe
Hidden: file C:\Users\duneglow\Documents\clients\Back up files\joomla sitebuilder earlier versions\Joomla 1013 and sitebuilder bridged without email confirmation and subdomain backup 1 - 23- 2008\administrator\components\com_virtuemart\classes\payment\ps_echeck.cfg.php
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\DodQQAAAAAAAIAAwAAAAAAc9P3.CIBAAAAAQAAAGE0MzUxMGIyLTg0OGItMTFkZS05NDhlLTAwMWIyNDkzNjM5OAAAAAAAAAA=QWNIAA==,,http%3A%2F%2Fwww-news-today[1].com%2F,;ord=1249784615
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVQO67X1\ews;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=10;sz=728x90,728x91;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=1;ord=2217843971801566[1].2
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVQO67X1\ws;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=10;sz=468x62,300x251;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=2;ord=2217843971801566[1].2
Hidden: file C:\Users\duneglow\Desktop\downloads\flash\Flashden\utilities\flashden_full-screen-picture-and-banner-background-template-rotator_16428\flashden_full-screen-picture-and-banner-background-template-rotator_16428\sale\full screen pictures background_v1_sale.fla
Hidden: file C:\Users\duneglow\Desktop\downloads\flash\Flashden\utilities\flashden_full-screen-picture-and-banner-background-template-rotator_16428\flashden_full-screen-picture-and-banner-background-template-rotator_16428\sale\full screen pictures background_v1_sale.swf
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IGRGAFB2\5gQAAAAAAAIAAwAAAAAAYGX1-iIBAAAAAQAAADI1NDk1MTI2LTg0M2QtMTFkZS1hNmNmLTAwMzA0ODYzMmFmMAAAAAAAAAA=YXA-AA==,,http%3A%2F%2Fbollywoodhungama[1].com%2F,;ord=1249750902
Hidden: file C:\Program Files\Trend Micro\duneglow.exe
Hidden: file C:\Users\duneglow\Desktop\downloads\joomla\templates\commercial\estore_plazza_mobilevodoo_com\estore_plazza_mobilevodoo_com\estore_plazza_quickstart\administrator\components\com_virtuemart\sql\UPDATE-SCRIPT_mambo-phpshop_1.2_stable-pl3_to_VirtueMart_1.0.sql
Hidden: file C:\Users\duneglow\Desktop\downloads\joomla\templates\commercial\estore_plazza_mobilevodoo_com\estore_plazza_mobilevodoo_com\estore_plazza_quickstart\administrator\components\com_extplorer\scripts\extjs\images\vista\tabs\tab-btm-inactive-right-bg.gif0000644
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IGRGAFB2\YzY3LTAwMzA0ODYzNDg4YwAAAAAAAAA=YXA-AA==,,http%3A%2F%2Fserved.antventure.com%2Fcreatives%2Ffox%2Fent%2F72890ad[1].html,;dcopt=rcl;mtfIFPath=nofile;ord=1249750892
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVQO67X1\s=1;page=category;playlisteverythree=true;playtimes=0;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=2;~cs=k[1].gif
Hidden: file C:\Users\duneglow\Documents\clients\Back up files\joomla sitebuilder earlier versions\Joomla 1013 and sitebuilder bridged without email confirmation and subdomain backup 1 - 23- 2008 - Copy\mambots\editors\tinymce\jscripts\tiny_mce\themes\advanced\css\index.html
Hidden: file C:\Users\duneglow\Desktop\downloads\flash\Flashden\scrollers\flashden_fullscreen-vertical-and-horizontal-scrollbar_7866\full screen scroller SALE\com\pixelbreaker\swfmacmousewheel DEMO\__MACOSX\swfmacmousewheel\as\com\pixelbreaker\event\._EventBroadcaster.as
Hidden: file C:\WINDOWS\System32\drivers\sptd.sys
Hidden: file C:\Program Files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe
Hidden: file C:\WINDOWS\System32\scecli.dll
Hidden: file C:\Users\duneglow\Desktop\downloads\flash\Flashden\templates\AS3\flashden_advanced-xml-website-perfect-for-musician_33084\flashden_advanced-xml-website-perfect-for-musician_33084\source\com\dogeroski\controls\gallery\GalleryVideoPlayerControlsSeekBarThumb.as
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\iIBAAAAAQAAADdiMzlkZjdjLTgzODYtMTFkZS05OGIyLTAwMWU2ODU3Mzc0NwBi3yoAAAA=odZHAA==,,http%3A%2F%2Fwww-news-today[1].com%2F,;dcopt=rcl;mtfIFPath=nofile;ord=1249672448
Hidden: file C:\Users\duneglow\Desktop\downloads\flash\Flashden\templates\AS3\flashden_advanced-xml-website-perfect-for-musician_33084\flashden_advanced-xml-website-perfect-for-musician_33084\source\com\pixelbreaker\ui\osx\.svn\text-base\MacMouseWheelControl.as.svn-base
Hidden: file C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\=3;page=category;playlisteverythree=false;playtimes=0;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=2;~cs=i[1].gif
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IGRGAFB2\=0;page=category;playlisteverythree=false;playtimes=0;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=2;~cs=q[1].gif
Hidden: file C:\Users\Sobefabuchic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\91IOU4EE\8812;cfp=1;noaddonpl=y;artexc=all;artinc=art_image%2Cart_img1x1%2Cart_3pimg%2Cart_text;kvmn=93238812;target=_blank;aduho=240;grp=645227362;misc=645227362[1]
Hidden: file C:\Users\Sobefabuchic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\91IOU4EE\3963;cfp=1;noaddonpl=y;artexc=all;artinc=art_image%2Cart_img1x1%2Cart_3pimg%2Cart_text;kvmn=93233963;target=_blank;aduho=240;grp=645227362;misc=645227362[1]
Hidden: file C:\Users\Sobefabuchic\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JNX3L356\5257;cfp=1;noaddonpl=y;artexc=all;artinc=art_image%2Cart_img1x1%2Cart_3pimg%2Cart_text;kvmn=93245257;target=_blank;aduho=240;grp=645227362;misc=645227362[1]
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\s=4;page=category;playlisteverythree=true;playtimes=0;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=2;~cs=k[1].gif
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\AAAAAIAAwAAAAAANhpE9iIBAAAAAQAAAGQ3YzEyMzUwLTgzODUtMTFkZS1hZWUyLTAwMWU2ODU3MzhlZAAAAAAAAAA=9RtPAA==,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;ord=1249672174
Hidden: file C:\WINDOWS\Temp\TMP00000053E93C42C339CE6218
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\ews;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=10;sz=728x90,728x91;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=1;ord=1607253580909949[1].2
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\DodQQAAAAAAAIAAwAAAAAAMFxK9iIBAAAAAQAAAGNjMzI3NmRjLTgzODYtMTFkZS1iNDEyLTAwMjM3ZDA2NDRhNQDgQQAAAAA=QWNIAA==,,http%3A%2F%2Fwww-news-today[1].com%2F,;ord=1249672584
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\AAAAAAAAAAAAAAAAAAAABRAwQAAAAAAAMAAwAAAAAAbL5M9iIBAAAAAAAAAAB.SpYEaTc7AAAA4JbUQCsAAABgQmJYAAAAANiW1EArAAAAAAAAAAAAAAA=,,http%3A%2F%2Fad.harrenmedianetwork[1].htm
Hidden: file C:\Program Files\Safer Networking\RunAlyzer\RunAlyzer.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\AA6jgMAAAAAAAIAAwAAAAAAnSFI9iIBAAAAAAAAAAAAAJYEqU84AAAA8HIBnyoAAABgguBGAAAAAOhyAZ8qAAAAAAAAAAAAAAA=,,http%3A%2F%2Fad.harrenmedianetwork[1].com%2F,;ord=1249672438
Hidden: file C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\ws;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=10;sz=468x62,300x251;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=2;ord=1607253580909949[1].2
Hidden: file C:\Users\duneglow\Desktop\hijackthis_sfx\hey.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IGRGAFB2\AAAAAAAAAAAAAAAAAAAAAAAALnAQAAAAAAAIAAwAAAAAAO1rx-iIBAAAAAAAAAAAAAJYEKSM3AAAA4I3psSoAAABgwmNnAAAAANiN6bEqAAAAAAAAAAAAAAA=,,http%3A%2F%2Fwww-news-today[1].com%2F,
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7SRJF44O\news;adlocation=site_below_header;campaign=;page=category;kw=blinkx;pid=10;sz=728x90,728x91;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=1;ord=7169759344155052[1]
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IGRGAFB2\ews;adlocation=site_below_player;campaign=;page=category;kw=blinkx;pid=10;sz=468x62,300x251;dclu5=93f0b4bdbb6fff3;source=site;t=1;tile=2;ord=7169759344155052[1]
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVQO67X1\=0;page=category;playlisteverythree=false;playtimes=0;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=1;~cs=l[1].gif
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IGRGAFB2\;playtimes=0;preroll_adid=216129164;pid=10;kw=blinkx;fc_utarget_ok=true;t=1;dc_seed=216129164;sz=125x30,234x60,300x250,980x610,468x60,728x90;tile=3;~cs=g[1].gif
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4YCYEAXT\AAAAAAAAAAAAAAAAAAAAAALnAQAAAAAAAIAAwAAAAAAO1rx-iIBAAAAAAAAAAAAAJYEKSM3AAAA4I3psSoAAABgwmNnAAAAANiN6bEqAAAAAAAAAAAAAAA%3D%2C%2Chttp%3A%2F%2Fwww-news-today[1].htm
Hidden: file C:\Users\duneglow\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WVQO67X1\AAAAAAAAAAAAAAAAAAAAAAAAAAAAInAQAAAAAAAIAAwAAAAAAUUD0-iIBAAAAAAAAAAAAAJYESXEzAAAAwGDlCSsAAABgAuFLAAAAAAgYgCsrAAAAGALgsisAAAA=,,http%3A%2F%2Fwww-news-today[1].htm
Info: Starting disk scan of D: (NTFS).
Stopped logging on 8/9/2009 at 2:50:54 AM
