I'm new to this forum so I might do some things wrong. I have read the Preparation guide and made the logs. Excuse me for my English, which isn't the best.
My AV (AVG) detected a trojan horse (generic20.JFZ) in winhelp, located at /users/public/documents/windows/winhelp.exe. Now my AV can't do anything to this and I cannot manually delete the file. Therefore I made the logs which were recommended in the guide; I hope that you guys can help me out.
DDS log
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by mathieu at 21:38:58,72 on Sun 27-03-2011
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.31.1043.18.2815.1458 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Lenovo\System Update\SUService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\mathieu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathieu\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\mathieu\AppData\Local\Google\Chrome\Application\chrome.exe
D:\Users\Mathieu\Desktop\Defogger.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
D:\Users\Mathieu\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:6522
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2C688203-7EB3-4327-9995-1CB417BA23F9} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NPSStartup]
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\users\public\documents\windows\winhelp.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Free YouTube to Mp3 Converter - c:\users\mathieu\appdata\roaming\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\programs\partygaming\partypoker\RunApp.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: europoker.net\www
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.readyforcrysis.com/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - d:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - d:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-1-12 222568]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-8-24 185640]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-1-12 42112]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2009-11-11 333824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-28 12672]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2011-1-12 18120]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-7 54632]
S3 fsssvc;Windows Live Family Safety service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-2-12 13352]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [2006-1-25 472644]
S3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2010-6-7 5504]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-1-12 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-1-12 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-1-12 121576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-27 15:27:21 -------- d--h--w- C:\$AVG
2011-03-27 15:26:47 -------- d-----w- c:\users\mathieu\appdata\roaming\AVG10
2011-03-27 15:20:44 -------- d--h--w- c:\progra~2\Common Files
2011-03-27 15:18:17 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-27 15:18:17 -------- d-----w- c:\progra~2\AVG10
2011-03-27 15:17:25 -------- d-----w- c:\program files\AVG
.
==================== Find3M ====================
.
2011-03-07 10:03:10 167348 ----a-w- c:\windows\DUMP9359.tmp
2011-02-13 18:22:45 167348 ----a-w- c:\windows\DUMP0fa9.tmp
2011-02-10 13:20:59 167348 ----a-w- c:\windows\DUMP0f7b.tmp
2011-02-10 13:18:10 167348 ----a-w- c:\windows\DUMP0ff9.tmp
2011-02-10 13:15:20 167348 ----a-w- c:\windows\DUMP114e.tmp
2011-02-10 13:12:31 167348 ----a-w- c:\windows\DUMP0f0d.tmp
2011-02-10 13:09:42 167348 ----a-w- c:\windows\DUMP0ff8.tmp
2011-02-10 13:06:53 167348 ----a-w- c:\windows\DUMP115f.tmp
2011-02-10 13:04:05 167348 ----a-w- c:\windows\DUMP10b2.tmp
2011-02-10 13:01:16 167348 ----a-w- c:\windows\DUMP115e.tmp
2011-02-10 12:58:27 167348 ----a-w- c:\windows\DUMP1094.tmp
2011-02-10 12:55:39 167348 ----a-w- c:\windows\DUMP13dd.tmp
2011-02-10 12:52:49 167348 ----a-w- c:\windows\DUMP1074.tmp
2011-02-10 12:50:00 167348 ----a-w- c:\windows\DUMP0efd.tmp
2011-02-10 12:47:12 167348 ----a-w- c:\windows\DUMP0ff7.tmp
2011-02-10 12:44:24 167348 ----a-w- c:\windows\DUMP1093.tmp
2011-02-10 12:41:35 167348 ----a-w- c:\windows\DUMP0f6a.tmp
2011-02-10 12:38:47 167348 ----a-w- c:\windows\DUMP0ebf.tmp
2011-02-10 12:35:59 167348 ----a-w- c:\windows\DUMP1100.tmp
2011-02-10 12:33:09 167348 ----a-w- c:\windows\DUMP0fc8.tmp
2011-02-10 12:30:22 167348 ----a-w- c:\windows\DUMP1332.tmp
2011-02-10 12:27:34 167348 ----a-w- c:\windows\DUMP1035.tmp
2011-02-10 12:24:45 167348 ----a-w- c:\windows\DUMP1267.tmp
2011-02-10 12:21:56 167348 ----a-w- c:\windows\DUMP11ac.tmp
2011-02-10 12:19:08 167348 ----a-w- c:\windows\DUMP112f.tmp
2011-02-10 12:16:18 167348 ----a-w- c:\windows\DUMP0fe7.tmp
2011-02-10 12:13:30 167348 ----a-w- c:\windows\DUMP0f7a.tmp
2011-02-10 12:10:43 167348 ----a-w- c:\windows\DUMP0ede.tmp
2011-02-10 12:07:54 167348 ----a-w- c:\windows\DUMP0b26.tmp
2011-02-10 12:05:07 167348 ----a-w- c:\windows\DUMP1083.tmp
2011-02-10 12:02:18 167348 ----a-w- c:\windows\DUMP1110.tmp
2011-02-10 11:59:30 167348 ----a-w- c:\windows\DUMP11da.tmp
2011-01-08 03:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-01-08 03:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-01-08 03:27:00 57960 ----a-w- c:\windows\system32\OpenCL.dll
2011-01-08 03:27:00 4941928 ----a-w- c:\windows\system32\nvcuda.dll
2011-01-08 03:27:00 2895976 ----a-w- c:\windows\system32\nvcuvid.dll
2011-01-08 03:27:00 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-01-08 03:27:00 1965672 ----a-w- c:\windows\system32\nvapi.dll
2011-01-08 03:27:00 15047272 ----a-w- c:\windows\system32\nvoglv32.dll
2011-01-08 03:27:00 13011560 ----a-w- c:\windows\system32\nvcompiler.dll
2011-01-08 03:27:00 10078312 ----a-w- c:\windows\system32\nvd3dum.dll
2011-01-07 19:06:28 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-01-07 19:06:22 3597416 ----a-w- c:\windows\system32\nvcpl.dll
2011-01-07 19:06:14 2620520 ----a-w- c:\windows\system32\nvsvc.dll
2011-01-07 19:06:08 66664 ----a-w- c:\windows\system32\nvshext.dll
2011-01-07 19:06:08 608872 ----a-w- c:\windows\system32\nvvsvc.exe
2011-01-07 19:06:08 2558568 ----a-w- c:\windows\system32\nvsvcr.dll
2011-01-07 19:06:08 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-01-05 21:23:48 222568 ----a-w- c:\windows\system32\FsUsbExService.Exe
2011-01-05 21:23:40 42112 ----a-w- c:\windows\system32\FsUsbExDisk.Sys
2011-01-05 21:22:14 177496 ----a-w- c:\windows\system32\muzapp.exe
2011-01-05 21:22:12 30056 ----a-w- c:\windows\system32\MASetupCleaner.exe
2011-01-04 15:11:18 4659712 ----a-w- c:\windows\system32\Redemption.dll
2011-01-04 15:11:18 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
.
============= FINISH: 21:39:42,59 ===============
GMER log
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-28 17:23:01
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 SAMSUNG_HD300LJ rev.ZT100-13
Running: gmer.exe; Driver: C:\Users\mathieu\AppData\Local\Temp\pwldypow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA96D2780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA96D2830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA96D28D0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA96D2970]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!KeInsertQueue + 5E1 86476BD8 4 Bytes [80, 27, 6D, A9]
.text ntoskrnl.exe!KeInsertQueue + 811 86476E08 8 Bytes [30, 28, 6D, A9, D0, 28, 6D, ...] {XOR [EAX], CH; INSD ; TEST EAX, 0xa96d28d0}
.text ntoskrnl.exe!KeInsertQueue + 871 86476E68 4 Bytes [70, 29, 6D, A9]
? C:\Windows\System32\Drivers\sptd.sys The process cannot access the file because it is being used by another process.
? system32\drivers\klbg.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 96F2046F 5 Bytes JMP 896A0770
.text a8pi5i45.SYS 8E252000 22 Bytes [26, A2, 7B, 86, 10, A1, 7B, ...]
.text a8pi5i45.SYS 8E252017 181 Bytes [00, 32, A7, B2, 8D, 3D, A5, ...]
.text a8pi5i45.SYS 8E2520CE 73 Bytes [00, 00, 00, 00, 01, C2, 03, ...]
.text a8pi5i45.SYS 8E252118 185 Bytes [3F, 48, 3E, 8A, 3C, CC, 3D, ...]
.text a8pi5i45.SYS 8E2521D2 22 Bytes [E0, C2, E2, 84, E3, 46, E6, ...]
.text ...
? system32\DRIVERS\klif.sys The system cannot find the path specified. !
? system32\DRIVERS\kl1.sys The system cannot find the path specified. !
PAGE spsys.sys!?SPVersion@@3PADA + 1A67 9FE1203F 165 Bytes [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B0D 9FE120E5 74 Bytes [9F, C3, 8B, FF, A1, 18, 00, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 1B58 9FE12130 6 Bytes [0E, 83, 78, 14, 01, 75]
PAGE spsys.sys!?SPVersion@@3PADA + 1B5F 9FE12137 2214 Bytes [83, 78, 18, 37, 75, 02, B3, ...]
PAGE spsys.sys!?SPVersion@@3PADA + 2406 9FE129DE 47 Bytes [04, BB, A8, 01, 00, 00, 8D, ...]
PAGE ...
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA9483300, 0x3ACC8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA94CA300, 0x1B7E, 0xE8000020]
? System32\Drivers\Normandy.SYS The system cannot find the path specified. !
? C:\Users\mathieu\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
.reloc C:\Windows\system32\drivers\PnkBstrK.sys section is executable [0xA9783000, 0x18E38, 0xE0000060]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!recv 7613343A 5 Bytes JMP 1006AB01 D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!WSASend 76134496 5 Bytes JMP 1006AEE0 D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!send 7613659B 5 Bytes JMP 1006AC3E D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!sendto 761367C5 5 Bytes JMP 1006ACDF D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!WSARecv 76138400 5 Bytes JMP 1006AD86 D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!recvfrom 76138E15 5 Bytes JMP 1006AB9B D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!WSARecvFrom 76148B38 5 Bytes JMP 1006AE30 D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
.text C:\Program Files\Ventrilo\Ventrilo.exe[3560] WS2_32.dll!WSASendTo 7614A474 5 Bytes JMP 1006AF8A D:\Program Files\Xfire\xfire_toucan_44036.dll (Xfire Toucan DLL/Xfire Inc.)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 888F81E8
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \FileSystem\fastfat \FatCdrom 8ABC91E8
Device \Driver\volmgr \Device\VolMgrControl 888F41E8
Device \Driver\usbuhci \Device\USBPDO-0 898D6790
Device \Driver\usbuhci \Device\USBPDO-1 898D6790
Device \Driver\netbt \Device\NetBT_Tcpip_{DC6B479D-613B-4048-B30C-64108F4B2C6A} 8A8DE408
Device \Driver\netbt \Device\NetBT_Tcpip_{CE7FCBE2-4D81-437D-A31F-B64635C9F7BC} 8A8DE408
Device \Driver\usbehci \Device\USBPDO-2 898FE790
Device \Driver\PCI_NTPNP8685 \Device\00000054 sptd.sys
Device \Driver\usbuhci \Device\USBPDO-3 898D6790
Device \Driver\usbuhci \Device\USBPDO-4 898D6790
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 898D6790
Device \Driver\usbehci \Device\USBPDO-6 898FE790
Device \Driver\volmgr \Device\HarddiskVolume1 888F41E8
Device \Driver\volmgr \Device\HarddiskVolume2 888F41E8
Device \Driver\cdrom \Device\CdRom0 898C3790
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 888F61E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 888F61E8
Device \Driver\atapi \Device\Ide\IdePort0 888F61E8
Device \Driver\atapi \Device\Ide\IdePort1 888F61E8
Device \Driver\atapi \Device\Ide\IdePort2 888F61E8
Device \Driver\atapi \Device\Ide\IdePort3 888F61E8
Device \Driver\atapi \Device\Ide\IdePort4 888F61E8
Device \Driver\atapi \Device\Ide\IdePort5 888F61E8
Device \Driver\atapi \Device\Ide\IdePort6 888F61E8
Device \Driver\atapi \Device\Ide\IdePort7 888F61E8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 888F71E8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 888F71E8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 888F71E8
Device \Driver\msahci \Device\Ide\PciIde1Channel3 888F71E8
Device \Driver\msahci \Device\Ide\PciIde1Channel4 888F71E8
Device \Driver\msahci \Device\Ide\PciIde1Channel5 888F71E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 888F61E8
Device \Driver\cdrom \Device\CdRom1 898C3790
Device \Driver\cdrom \Device\CdRom2 898C3790
Device \Driver\cdrom \Device\CdRom3 898C3790
Device \Driver\cdrom \Device\CdRom4 898C3790
Device \Driver\cdrom \Device\CdRom5 898C3790
Device \Driver\netbt \Device\NetBt_Wins_Export 8A8DE408
Device \Driver\iScsiPrt \Device\RaidPort0 89922790
AttachedDevice \Driver\tdx \Device\Udp kl1.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 898D6790
Device \Driver\usbuhci \Device\USBFDO-1 898D6790
Device \Driver\usbehci \Device\USBFDO-2 898FE790
Device \Driver\usbuhci \Device\USBFDO-3 898D6790
Device \Driver\usbuhci \Device\USBFDO-4 898D6790
Device \Driver\usbuhci \Device\USBFDO-5 898D6790
Device \Driver\usbehci \Device\USBFDO-6 898FE790
Device \Driver\a8pi5i45 \Device\Scsi\a8pi5i451Port9Path0Target2Lun0 898AB790
Device \Driver\a8pi5i45 \Device\Scsi\a8pi5i451Port9Path0Target3Lun0 898AB790
Device \Driver\a8pi5i45 \Device\Scsi\a8pi5i451Port9Path0Target1Lun0 898AB790
Device \Driver\a8pi5i45 \Device\Scsi\a8pi5i451 898AB790
Device \Driver\a8pi5i45 \Device\Scsi\a8pi5i451Port9Path0Target0Lun0 898AB790
Device \FileSystem\fastfat \Fat 8ABC91E8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
---- Threads - GMER 1.0.15 ----
Thread SYSTEM [4:408] 8AA01000
Thread SYSTEM [4:416] 8AA01000
Thread SYSTEM [4:420] 8AA367E0
Thread SYSTEM [4:424] 8AA367E0
Thread SYSTEM [4:432] 8AA387D0
Thread SYSTEM [4:436] 8AA387D0
Thread SYSTEM [4:440] 8AA387D0
Thread SYSTEM [4:448] 8AA367E0
---- Processes - GMER 1.0.15 ----
Process (*** hidden *** ) -2041600936
Process (*** hidden *** ) -2002165576
Process (*** hidden *** ) -2001682944
Process (*** hidden *** ) -1995902096
Process (*** hidden *** ) -1994382840
Process (*** hidden *** ) -1990460544
Process (*** hidden *** ) -1990234624
Process (*** hidden *** ) -1989740568
Process (*** hidden *** ) -1989696568
Process (*** hidden *** ) -1989650280
Process (*** hidden *** ) -1989176488
Process (*** hidden *** ) -1989173760
Process (*** hidden *** ) -1989161568
Process (*** hidden *** ) -1989078000
Process (*** hidden *** ) -1988715472
Process (*** hidden *** ) -1988489032
Process (*** hidden *** ) -1988388664
Process (*** hidden *** ) -1988287560
Process (*** hidden *** ) -1988215296
Process (*** hidden *** ) -1987902608
Process (*** hidden *** ) -1986324384
Process (*** hidden *** ) -1978258208
Process (*** hidden *** ) -1977816240
Process (*** hidden *** ) -1977346192
Process (*** hidden *** ) -1976619520
Process (*** hidden *** ) -1976607736
Process (*** hidden *** ) -1976596472
Process (*** hidden *** ) -1976495024
Process (*** hidden *** ) -1976255712
Process (*** hidden *** ) -1976216624
Process (*** hidden *** ) -1976028856
Process (*** hidden *** ) -1975718400
Process (*** hidden *** ) -1975704456
Process (*** hidden *** ) -1975585456
Process (*** hidden *** ) -1975500616
Process (*** hidden *** ) -1975443968
Process (*** hidden *** ) -1975245280
Process (*** hidden *** ) -1975158264
Process (*** hidden *** ) -1974964736
Process (*** hidden *** ) -1974787912
Process (*** hidden *** ) -1974753984
Process (*** hidden *** ) -1974540992
Process (*** hidden *** ) -1974476472
Process (*** hidden *** ) -1974126336
Process (*** hidden *** ) -1974095688
Process (*** hidden *** ) -1973902936
Process (*** hidden *** ) -1973876584
Process (*** hidden *** ) -1973445120
Process (*** hidden *** ) -1973420544
Process (*** hidden *** ) -1973282200
Process (*** hidden *** ) -1972797256
Process (*** hidden *** ) -1972713200
Process (*** hidden *** ) -1972571976
Process (*** hidden *** ) -1972376064
Process (*** hidden *** ) -1972175360
Process (*** hidden *** ) -1972026472
Process (*** hidden *** ) -1971989032
Process (*** hidden *** ) -1971835392
Process (*** hidden *** ) -1971710576
Process (*** hidden *** ) -1971641752
Process (*** hidden *** ) -1971606496
Process (*** hidden *** ) -1971596440
Process (*** hidden *** ) -1971586528
Process (*** hidden *** ) -1971571824
Process (*** hidden *** ) -1971570544
Process (*** hidden *** ) -1971569848
Process (*** hidden *** ) -1971405312
Process (*** hidden *** ) -1971388928
Process (*** hidden *** ) -1971359192
Process (*** hidden *** ) -1971291472
Process (*** hidden *** ) -1971121992
Process (*** hidden *** ) -1970976264
Process (*** hidden *** ) -1970803776
Process (*** hidden *** ) -1970763432
Process (*** hidden *** ) -1970618928
Process (*** hidden *** ) -1970321216
Process (*** hidden *** ) -1970232216
Process (*** hidden *** ) -1970231040
Process (*** hidden *** ) -1970153080
Process (*** hidden *** ) -1970133248
Process (*** hidden *** ) -1970078208
Process (*** hidden *** ) -1969918464
Process (*** hidden *** ) -1969910272
Process (*** hidden *** ) -1969776552
Process (*** hidden *** ) -1969513728
Process (*** hidden *** ) -1969436800
Process (*** hidden *** ) -1968833192
Process (*** hidden *** ) -1967897440
Process (*** hidden *** ) -1967861328
Process (*** hidden *** ) -1967600472
Process (*** hidden *** ) -1967012920
Process (*** hidden *** ) -1966975744
Process (*** hidden *** ) -1966945448
Process (*** hidden *** ) -1966260736
Process (*** hidden *** ) -1966066296
Process (*** hidden *** ) -1965951232
Process (*** hidden *** ) -1965795064
Process (*** hidden *** ) -1965514024
Process (*** hidden *** ) -1965358920
Process (*** hidden *** ) -1965290888
Process (*** hidden *** ) -1965137104
Process (*** hidden *** ) -1964737024
Process (*** hidden *** ) -1964539720
Process (*** hidden *** ) -1964512656
Process (*** hidden *** ) -1964269384
Process (*** hidden *** ) -1964093048
Process (*** hidden *** ) -1963885056
Process (*** hidden *** ) -1963355976
Process (*** hidden *** ) -1963321952
Process (*** hidden *** ) -1962895960
Process (*** hidden *** ) -1962770944
Process (*** hidden *** ) -1962705728
Process (*** hidden *** ) -1962656256
Process (*** hidden *** ) -1962549064
Process (*** hidden *** ) -1962455552
Process (*** hidden *** ) -1962170368
Process (*** hidden *** ) -1961916360
Process (*** hidden *** ) -1961746248
Process (*** hidden *** ) -1961357824
Process (*** hidden *** ) -1960055408
Process (*** hidden *** ) -1959986256
Process (*** hidden *** ) -1959983936
Process (*** hidden *** ) -1959971424
Process (*** hidden *** ) -1959966304
Process (*** hidden *** ) -1959895880
Process (*** hidden *** ) -1959875696
Process (*** hidden *** ) -1959873552
Process (*** hidden *** ) -1959855848
Process (*** hidden *** ) -1959809536
Process (*** hidden *** ) -1959127824
Process (*** hidden *** ) -1958824720
Process (*** hidden *** ) -1958208000
Process (*** hidden *** ) -1957752648
Process (*** hidden *** ) -1951301448
Process (*** hidden *** ) -504155048
Process (*** hidden *** ) -503390024
Process (*** hidden *** ) -455965400
Process (*** hidden *** ) -454652416
Process (*** hidden *** ) -454367672
Process (*** hidden *** ) -454155184
Process (*** hidden *** ) -443063040
Process (*** hidden *** ) -440944384
Process (*** hidden *** ) -440752896
Process (*** hidden *** ) -439392888
Process (*** hidden *** ) -429598624
Process (*** hidden *** ) -416003080
Process (*** hidden *** ) -415102800
Process (*** hidden *** ) -414766072
Process (*** hidden *** ) -414687744
Process (*** hidden *** ) -414410040
Process (*** hidden *** ) -414313224
Process (*** hidden *** ) -411433160
Process (*** hidden *** ) -411297016
Process (*** hidden *** ) -410987168
Process (*** hidden *** ) -410499936
Process (*** hidden *** ) -410329600
Process (*** hidden *** ) -410180472
Process (*** hidden *** ) -410043152
Process (*** hidden *** ) -409794424
Process (*** hidden *** ) -407028392
Process (*** hidden *** ) -406844992
Process (*** hidden *** ) -398054512
Process (*** hidden *** ) -397747840
Process (*** hidden *** ) -394826728
Process (*** hidden *** ) -394183336
Process (*** hidden *** ) -392864256
Process (*** hidden *** ) -392778240
Process (*** hidden *** ) -392581968
Process (*** hidden *** ) -392540672
Process (*** hidden *** ) -392419280
Process (*** hidden *** ) -392415168
Process (*** hidden *** ) -392359752
Process (*** hidden *** ) -392292208
Process (*** hidden *** ) -392291512
Process (*** hidden *** ) -391957832
Process (*** hidden *** ) -391950848
Process (*** hidden *** ) -390759368
Process (*** hidden *** ) -390594376
Process (*** hidden *** ) -390129448
Process (*** hidden *** ) -389776704
Process (*** hidden *** ) -389740584
Process (*** hidden *** ) -389663584
Process (*** hidden *** ) -389607936
Process (*** hidden *** ) -389466088
Process (*** hidden *** ) -389346544
Process (*** hidden *** ) -389266088
Process (*** hidden *** ) -387011240
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00805a46a6f8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD9 0x2E 0xD2 0x13 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0xAE 0x40 0xB8 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA7 0x8B 0x71 0x48 ...
Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\00805a46a6f8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD9 0x2E 0xD2 0x13 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF9 0xF6 0x97 0x9D ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFD 0x11 0x01 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xD5 0xC5 0x51 0xEB ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x58 0xAB 0xEE 0x86 ...
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x44 0x1D 0x0B 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00805a46a6f8
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xD9 0x2E 0xD2 0x13 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF9 0xF6 0x97 0x9D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xFD 0x11 0x01 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xD5 0xC5 0x51 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x58 0xAB 0xEE 0x86 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x44 0x1D 0x0B 0xE4 ...
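The lines a removal helper reads first in a DDS log like the one above are in the "Pseudo HJT Report": the proxy set to 127.0.0.1:6522 (a local process sitting between the browser and the network), the StartupFolder entry loading winhelp.exe from the user-writable Public\Documents folder, the BHO and toolbar CLSIDs marked "No File", and the Trusted Zone entry. The Python script below is an added example, not part of the original post and not code from the DDS or GMER tools; it runs those checks over a constructed sample made of lines copied from the log above. The TRUSTED_PREFIXES list is an assumed heuristic for where autostart binaries are normally expected, not a rule DDS itself applies.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' lines.

Added example: flags the indicators a malware-removal helper looks for first
(a proxy pointing at the local machine, an autostart entry loading from a
user-writable location, orphaned BHO/toolbar entries, trusted-zone entries).
"""
import re

# Constructed sample: a subset of the Pseudo HJT lines from the DDS log above,
# embedded here so the script runs offline. Not read from a live system.
SAMPLE_LOG = r"""
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 127.0.0.1:6522
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {2C688203-7EB3-4327-9995-1CB417BA23F9} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
StartupFolder: c:\users\public\documents\windows\winhelp.exe
Trusted Zone: europoker.net\www
"""

# Assumption (heuristic, not a DDS rule): autostart binaries are expected under
# these prefixes; anything else (Public\Documents, AppData, Temp, ...) is flagged.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "d:\\program files\\",
    "c:\\progra~",
    "d:\\progra~",
)

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(\S+)", re.I)
AUTOSTART_RE = re.compile(
    r'^(?:[um]Run: \[[^\]]*\]|StartupFolder:)\s*"?([a-z]:\\[^"]+?\.(?:exe|dll|scr|bat|cmd|vbs|pif))',
    re.I,
)
ORPHAN_RE = re.compile(r"^(?:BHO|TB):.*- No File$", re.I)
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.I)


def triage(log_text):
    """Return a list of (indicator, detail) tuples in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1)
            host = proxy.rsplit(":", 1)[0]
            # A proxy on 127.0.0.1 means a local process sits between the browser
            # and the network; on an infected host that is typically the malware
            # itself rather than a setting the user chose.
            kind = "local_proxy" if host in ("127.0.0.1", "localhost") else "proxy"
            findings.append((kind, proxy))
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            path = m.group(1).lower()
            if not path.startswith(TRUSTED_PREFIXES):
                findings.append(("autostart_untrusted_path", path))
            continue
        if ORPHAN_RE.match(line):
            # CLSID is still registered but the DLL is gone: leftover of an
            # uninstall or an AV deletion; harmless by itself, but clean it up.
            findings.append(("orphaned_entry", line))
            continue
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            # Sites in the Trusted Zone get relaxed IE security settings.
            findings.append(("trusted_zone", m.group(1)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:26s} {detail}")
```

On the sample above the script reports the local proxy, the winhelp.exe StartupFolder entry, the two orphaned entries and the trusted-zone site, and stays silent on the AVG and Messenger entries that load from Program Files. The GMER sections (SSDT hooks, hidden processes) are a different format and are not parsed here.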