I have a virus and can't find it! Help please!


  • This topic is locked
8 replies to this topic

#1 tammig

tammig

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:19 PM

Posted 17 February 2009 - 10:06 PM

The only way I can go to a webpage is by typing it in or if it is in my favorites. If I search, it goes through several websites and never goes to the one I clicked on. Every time I run Ad-Aware, Spybot, HijackThis, Yahoo Anti-Spy or PC Tools, they all show different adware and supposedly fix the problem, but it always comes right back. How do I resolve all this? Please help me. Also, I think something is stopping my PC Tools from updating. It always fails.

DDS (Ver_09-02-01.01) - NTFSx86
Run by tamrob at 21:03:20.10 on Tue 02/17/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.175 [GMT -5:00]

AV: PC Tools AntiVirus 5.0.1.1 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\WinZip E-Mail Companion\loadwzco.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\tamrob\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\tamrob\Local Settings\Temporary Internet Files\Content.IE5\3OZMK0OP\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Yahoo!
uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn6\yt.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn6\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn6\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn6\yt.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {18B1C48B-5017-4E9B-AE90-336AEB70DFC1} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW4] "c:\program files\the weather channel fw\desktop weather\DesktopWeather.exe"
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DXDllRegExe] dxdllreg.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [WinZip E-Mail Companion OEAPI] "c:\program files\winzip e-mail companion\loadwzco.exe"
mRun: [PCTAVApp] "c:\program files\pc tools antivirus\PCTAV.exe" /MONITORSCAN
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mExplorerRun: [none] c:\program files\video activex object\pmsngr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Hidden%20Expedition%20-%20Titanic/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121757877390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Amazing%20Adventures%20Around%20the%20World/Images/armhelper.ocx
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tamrob\applic~1\mozilla\firefox\profiles\5osnzzbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 AVFilter;AVFilter;c:\windows\system32\drivers\AVFilter.sys [2009-2-3 21904]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-11-2 2560]
R2 PCTAVSvc;PC Tools AntiVirus Engine;c:\program files\pc tools antivirus\PCTAVSvc.exe [2009-2-3 999640]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 AVHook;AVHook;c:\windows\system32\drivers\AVHook.sys [2009-2-3 28568]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\digifilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\drivers\elbyvcd.sys --> c:\windows\system32\drivers\ElbyVCD.sys [?]
S3 SUNPLUS;Micro Webcam Mobile;c:\windows\system32\drivers\sp508hp.sys --> c:\windows\system32\drivers\SP508hp.SYS [?]

=============== Created Last 30 ================

2009-02-17 13:17 <DIR> --d----- c:\program files\Hidden Expedition - Titanic
2009-02-15 19:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\HoverBee Studios
2009-02-15 19:33 <DIR> --d----- C:\users
2009-02-14 00:17 <DIR> --d----- c:\program files\MumboJumbo
2009-02-06 11:42 <DIR> --d----- c:\windows\system32\Adobe
2009-02-04 20:47 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-02-04 20:47 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-04 20:47 <DIR> --d----- c:\program files\iPod
2009-02-04 20:46 <DIR> --d----- c:\program files\iTunes
2009-02-04 20:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-03 16:33 <DIR> --d----- c:\program files\Hide and Secret
2009-02-03 11:11 <DIR> --d----- c:\program files\CA Yahoo! Anti-Spy
2009-02-03 11:10 262,144 a------- C:\ntuser.dat
2009-02-03 10:49 <DIR> --d----- c:\docume~1\tamrob\applic~1\PC Tools
2009-02-03 10:48 28,568 a------- c:\windows\system32\drivers\AVHook.sys
2009-02-03 10:48 21,912 a------- c:\windows\system32\drivers\AVRec.sys
2009-02-03 10:48 21,904 a------- c:\windows\system32\drivers\AVFilter.sys
2009-02-03 10:48 <DIR> --d----- c:\program files\common files\PC Tools
2009-02-03 10:48 <DIR> --d----- c:\program files\PC Tools AntiVirus
2009-02-03 10:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-01-31 23:31 <DIR> --d----- c:\docume~1\tamrob\applic~1\cerasus.media
2009-01-31 21:13 <DIR> --d----- c:\program files\Exterminate It!
2009-01-30 23:50 <DIR> --d----- c:\docume~1\tamrob\applic~1\Artogon
2009-01-30 21:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Redrum
2009-01-29 11:34 <DIR> --d----- c:\docume~1\tamrob\applic~1\Meridian93
2009-01-28 21:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\JollyBear
2009-01-24 11:45 <DIR> --d----- c:\docume~1\tamrob\applic~1\Zylom
2009-01-24 11:44 <DIR> --d----- c:\program files\Zylom Games
2009-01-23 21:32 <DIR> --d----- c:\program files\Hawaiian Explorer Pearl Harbor
2009-01-23 21:31 <DIR> --d----- c:\program files\Hawaiian Explorer Lost Island
2009-01-23 17:46 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-23 17:46 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-23 17:46 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-01-23 17:46 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-18 22:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\GameHouse

==================== Find3M ====================

2009-02-17 16:42 2,169 a--sh--- c:\windows\system32\mmf.sys
2009-02-11 21:40 134 a------- C:\Delme.bat
2009-01-18 02:23 4,574,328 a------- c:\windows\rdwsb8853.exe
2009-01-18 02:23 10,752 a------- c:\windows\qoon32384.exe
2009-01-18 02:23 905,670 a------- c:\windows\hdjo2004.exe
2009-01-18 02:23 32,768 a------- c:\windows\ktlwo87036.exe
2009-01-18 02:23 69,697 a------- c:\windows\ufsvd6044.exe
2009-01-18 02:23 28,672 a------- c:\windows\tjoo50238.exe
2009-01-18 02:23 2,024,488 a------- c:\windows\xhgq5335.exe
2009-01-18 02:23 97,280 a------- c:\windows\tertc6864.exe
2009-01-18 02:23 28,672 a------- c:\windows\sneii3101.exe
2009-01-18 02:18 10,752 a------- c:\windows\dpjqs51628.exe
2009-01-18 02:18 4,574,328 a------- c:\windows\mvrnt6631.exe
2009-01-18 02:18 905,670 a------- c:\windows\mbfkx8360.exe
2009-01-18 02:18 32,768 a------- c:\windows\hpwb2651.exe
2009-01-18 02:18 69,697 a------- c:\windows\kwwl73737.exe
2009-01-18 02:18 28,672 a------- c:\windows\obehv1445.exe
2009-01-18 02:17 2,024,488 a------- c:\windows\hdbhp20265.exe
2009-01-18 02:17 97,280 a------- c:\windows\tbgqw38338.exe
2009-01-18 02:17 28,672 a------- c:\windows\nrrqt34032.exe
2008-12-14 11:47 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-16 17:08 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071620080717\index.dat

============= FINISH: 21:04:44.96 ===============


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:19 AM

Posted 18 February 2009 - 06:36 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

NEXT

Please download GMER and unzip it to your Desktop. <<mirror>>
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans, as it may interfere with the output results.

Post me these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 tammig

tammig
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:19 PM

Posted 18 February 2009 - 04:08 PM

Here are the results from the scans you wanted. Thank you.


Logfile of random's system information tool 1.05 (written by random/random)
Run by tamrob at 2009-02-18 12:44:55
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 7 GB (10%) free of 73 GB
Total RAM: 510 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:57 PM, on 2/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\WinZip E-Mail Companion\loadwzco.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\tamrob\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\tamrob.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "C:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hidden%20Expedition%20-%20Titanic/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121757877390
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Amazing%20Adventures%20Around%20the%20World/Images/armhelper.ocx
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 8443 bytes

#4 tammig

tammig
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:19 PM

Posted 18 February 2009 - 04:11 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

2/18/2009 12:37:07 PM
mbam-log-2009-02-18 (12-37-07).txt

Scan type: Quick Scan
Objects scanned: 71644
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 29
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 24

Memory Processes Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\alewinsecure.winsecure (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7be6b643-6201-4cf7-b8b1-d79ffae57cba} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{58696980-c6b3-4ad2-ab53-718f1c3c57ca} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a93a1ba9-9ee8-469f-a9fe-fd1c26700bda} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a75e294e-c047-4d29-b07e-37b792881bef} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f31b3634-12aa-41ca-b021-0685c3b3e4ca} (Adware.AdRotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d8282e6-bc4f-469b-aaed-7e4ff077ad93} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{733716e1-76d2-4003-ac39-845281c0ef85} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{79f562e5-768c-4494-8e6c-824ada4a9c2c} (Adware.SuperiorAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{36a91cec-6c71-4758-b492-397bfc8e96a2} (Adware.Rightonadz) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\BitDownload (Trojan.Lop) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\AleWinSecure.EXE (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dw4 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\runit (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\tbu05139 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Delete on reboot.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\dpjqs51628.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\hdjo2004.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\hpwb2651.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ktlwo87036.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\kwwl73737.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mbfkx8360.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\qoon32384.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ufsvd6044.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\runit\config.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\basis.xml (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\ecobar.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\icons.bmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\info.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\tbhelper.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\version.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\your_logo.png (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\tbu05139\ecobar.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\IEToolbar\ECO Bar\tbu05139\uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\tamrob\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-7BF.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

#5 tammig

tammig
  • Topic Starter

  • Members
  • 5 posts

Posted 18 February 2009 - 04:17 PM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-18 16:12:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code 83AB51C0 ZwEnumerateKey
Code 836057F8 ZwFlushInstructionCache
Code 83765180 ZwQueryValueKey
Code F0003C80 pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 5 Bytes JMP 83765184
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 83AB51C4
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 836057FC
? duqzbdf.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\WINDOWS\runservice.exe[252] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 24, 84 ]
.text C:\WINDOWS\runservice.exe[252] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\runservice.exe[252] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\runservice.exe[252] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\cisvc.exe[448] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 35, 84 ]
.text C:\WINDOWS\system32\cisvc.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\cisvc.exe[448] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\cisvc.exe[448] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[480] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 65, 85 ]
.text C:\Program Files\Java\jre6\bin\jqs.exe[480] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[480] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[480] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\csrss.exe[600] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 30, 87 ]
.text C:\WINDOWS\system32\csrss.exe[600] KERNEL32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[600] KERNEL32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[600] KERNEL32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\winlogon.exe[624] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, DB, 84 ]
.text C:\WINDOWS\system32\winlogon.exe[624] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[624] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[624] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7A, 84 ]
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[668] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7C, 84 ]
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[680] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 6D, 84 ]
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[724] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 4E, 84 ]
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 6E, 84 ]
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[916] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, A7, 85 ]
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, E4, 83 ]
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[1104] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 20, 84 ]
.text C:\WINDOWS\system32\NOTEPAD.EXE[1104] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[1104] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\NOTEPAD.EXE[1104] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[1104] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1268] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 0F, 84 ]
.text C:\WINDOWS\system32\MsPMSPSv.exe[1268] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1268] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\MsPMSPSv.exe[1268] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 16, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1296] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[1344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 14, 84 ]
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[1344] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[1344] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[1344] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 1C, 84 ]
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1468] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7F, 86 ]
.text C:\WINDOWS\Explorer.EXE[1468] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1468] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1468] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 81, 84 ]
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1884] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 7F, 84 ]
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1884] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1884] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1884] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1892] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 58, 84 ]
.text C:\Program Files\Java\jre6\bin\jusched.exe[1892] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1892] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1892] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\hkcmd.exe[1908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, B0, 84 ]
.text C:\WINDOWS\system32\hkcmd.exe[1908] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\hkcmd.exe[1908] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\hkcmd.exe[1908] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1916] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, B7, 84 ]
.text C:\WINDOWS\system32\igfxpers.exe[1916] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\igfxpers.exe[1916] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\igfxpers.exe[1916] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\WinZip E-Mail Companion\loadwzco.exe[1932] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3C, 84 ]
.text C:\Program Files\WinZip E-Mail Companion\loadwzco.exe[1932] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\WinZip E-Mail Companion\loadwzco.exe[1932] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\WinZip E-Mail Companion\loadwzco.exe[1932] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[1940] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, B8, 84 ]
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[1940] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[1940] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\PC Tools AntiVirus\PCTAV.exe[1940] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, DE, 84 ]
.text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1952] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1952] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe[1952] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2024] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 3F, 8D ]
.text C:\Program Files\iTunes\iTunesHelper.exe[2024] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2024] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\iTunes\iTunesHelper.exe[2024] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2C, 84 ]
.text C:\WINDOWS\system32\ctfmon.exe[2044] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[2044] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[2044] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2184] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, FC, 83 ]
.text C:\Program Files\iPod\bin\iPodService.exe[2184] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2184] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\iPod\bin\iPodService.exe[2184] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\iPod\bin\iPodService.exe[2184] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\tamrob\My Documents\Unzipped\gmer\gmer.exe[2288] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, BC, 83 ]
.text C:\Documents and Settings\tamrob\My Documents\Unzipped\gmer\gmer.exe[2288] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\tamrob\My Documents\Unzipped\gmer\gmer.exe[2288] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Documents and Settings\tamrob\My Documents\Unzipped\gmer\gmer.exe[2288] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\tamrob\My Documents\Unzipped\gmer\gmer.exe[2288] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\System32\alg.exe[2380] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, E7, 83 ]
.text C:\WINDOWS\System32\alg.exe[2380] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[2380] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\System32\alg.exe[2380] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[2380] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[3080] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 20, 84 ]
.text C:\WINDOWS\system32\NOTEPAD.EXE[3080] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[3080] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\NOTEPAD.EXE[3080] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\NOTEPAD.EXE[3080] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes [ 43, E4, 2A, 84 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] kernel32.dll!GetStartupInfoA 7C801EF2 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] kernel32.dll!CreateMutexA 7C80E9CF 6 Bytes JMP 5F040F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] kernel32.dll!GetCommandLineA 7C812FAD 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A16AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A16E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A17DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] WININET.dll!HttpSendRequestA 7806CD40 5 Bytes JMP 00172980
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3792] WININET.dll!HttpSendRequestW 78080825 5 Bytes JMP 001729BD

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Fastfat \Fat EEF22D20

AttachedDevice \FileSystem\Fastfat \Fat AVRec.sys (PC Tools Recognizer Driver for Windows 2000/XP/PC Tools Research Pty Ltd )

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxyrgkvdll.sys (*** hidden *** ) F0002000-F002A000 (163840 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\gaopdxyrgkvdll.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyrgkvdll.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyrgkvdll.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxtpuhbqvk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxyrgkvdll.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxyrgkvdll.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxtpuhbqvk.dll
Reg HKLM\SOFTWARE\Classes\gaopdxvx
Reg HKLM\SOFTWARE\Classes\gaopdxvx@gaopdxrun 71
Reg HKLM\SOFTWARE\Classes\gaopdxvx@gaopdxpff 8503
Reg HKLM\SOFTWARE\Classes\gaopdxvx@gaopdxaff 3492
Reg HKLM\SOFTWARE\Classes\gaopdxvx@gaopdxsrv -1056770279
Reg HKLM\SOFTWARE\Classes\gaopdxvx@gaopdxpos "xsx{ut|o"deicd`ohy?kflniTXTC

---- EOF - GMER 1.0.14 ----

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 18 February 2009 - 04:26 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 tammig

tammig
  • Topic Starter

  • Members
  • 5 posts

Posted 19 February 2009 - 11:44 AM

This is the ComboFix report.

ComboFix 09-02-18.01 - tamrob 2009-02-19 11:35:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.244 [GMT -5:00]
Running from: c:\documents and settings\tamrob\Desktop\ComboFix.exe
AV: PC Tools AntiVirus 5.0.1.1 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
.

2009-02-18 12:46 . 2009-02-18 16:13 250 --a------ c:\windows\gmer.ini
2009-02-18 12:43 . 2009-02-18 12:43 <DIR> d-------- C:\rsit
2009-02-18 12:43 . 2009-02-18 16:29 <DIR> d-------- c:\program files\trend micro
2009-02-18 12:26 . 2009-02-18 12:26 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 12:26 . 2009-02-18 12:26 <DIR> d-------- c:\documents and settings\tamrob\Application Data\Malwarebytes
2009-02-18 12:26 . 2009-02-18 12:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 12:26 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-02-18 12:26 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-02-15 19:37 . 2009-02-15 19:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\HoverBee Studios
2009-02-15 19:33 . 2009-02-15 19:33 <DIR> d-------- C:\users
2009-02-14 00:17 . 2009-02-14 00:17 <DIR> d-------- c:\program files\MumboJumbo
2009-02-12 21:20 . 2009-02-12 21:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\PC Tools
2009-02-06 11:42 . 2009-02-06 11:43 <DIR> d-------- c:\windows\SYSTEM32\Adobe
2009-02-04 20:47 . 2009-02-04 20:47 <DIR> d-------- c:\program files\iPod
2009-02-04 20:47 . 2008-04-17 13:12 107,368 --a------ c:\windows\SYSTEM32\GEARAspi.dll
2009-02-04 20:47 . 2008-04-17 13:12 15,464 --a------ c:\windows\SYSTEM32\DRIVERS\GEARAspiWDM.sys
2009-02-04 20:46 . 2009-02-04 20:47 <DIR> d-------- c:\program files\iTunes
2009-02-04 20:46 . 2009-02-04 20:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 20:40 . 2009-02-04 20:41 <DIR> d-------- c:\program files\QuickTime
2009-02-04 20:38 . 2009-02-04 20:38 <DIR> d-------- c:\program files\Apple Software Update
2009-02-03 16:33 . 2009-02-03 16:33 <DIR> d-------- c:\program files\Hide and Secret
2009-02-03 11:11 . 2009-02-03 12:30 <DIR> d-------- c:\program files\CA Yahoo! Anti-Spy
2009-02-03 11:10 . 2009-02-03 11:10 262,144 --a------ C:\ntuser.dat
2009-02-03 10:49 . 2009-02-03 10:49 <DIR> d-------- c:\documents and settings\tamrob\Application Data\PC Tools
2009-02-03 10:48 . 2009-02-19 11:09 <DIR> d-------- c:\program files\PC Tools AntiVirus
2009-02-03 10:48 . 2009-02-03 10:48 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-03 10:48 . 2009-02-03 10:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-03 10:48 . 2007-12-06 16:51 28,568 --a------ c:\windows\SYSTEM32\DRIVERS\AVHook.sys
2009-02-03 10:48 . 2007-12-06 16:51 21,912 --a------ c:\windows\SYSTEM32\DRIVERS\AVRec.sys
2009-02-03 10:48 . 2008-02-12 11:44 21,904 --a------ c:\windows\SYSTEM32\DRIVERS\AVFilter.sys
2009-02-02 16:29 . 2009-02-02 17:51 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-02-02 16:20 . 2009-02-02 16:20 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-31 23:31 . 2009-01-31 23:31 <DIR> d-------- c:\documents and settings\tamrob\Application Data\cerasus.media
2009-01-31 21:13 . 2009-01-31 22:05 <DIR> d-------- c:\program files\Exterminate It!
2009-01-30 23:50 . 2009-01-30 23:50 <DIR> d-------- c:\documents and settings\tamrob\Application Data\Artogon
2009-01-30 21:02 . 2009-01-30 21:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Redrum
2009-01-29 11:34 . 2009-01-29 11:34 <DIR> d-------- c:\documents and settings\tamrob\Application Data\Meridian93
2009-01-28 21:34 . 2009-01-28 21:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\JollyBear
2009-01-24 11:45 . 2009-02-14 19:42 <DIR> d-------- c:\documents and settings\tamrob\Application Data\Zylom
2009-01-24 11:44 . 2009-02-16 11:58 <DIR> d-------- c:\program files\Zylom Games
2009-01-23 21:32 . 2009-02-03 12:41 <DIR> d-------- c:\program files\Hawaiian Explorer Pearl Harbor
2009-01-23 21:31 . 2009-02-03 12:41 <DIR> d-------- c:\program files\Hawaiian Explorer Lost Island
2009-01-23 17:46 . 2009-01-23 17:46 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-01-23 17:46 . 2009-01-23 17:46 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-01-23 17:46 . 2009-01-23 17:46 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-01-23 17:46 . 2009-01-23 17:46 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-19 16:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-19 16:09 2,169 --sha-w c:\windows\SYSTEM32\mmf.sys
2009-02-16 19:47 --------- d-----w c:\program files\Yahoo! Games
2009-02-16 05:27 --------- d-----w c:\program files\GameHouse
2009-02-16 05:25 --------- d-----w c:\program files\RealArcade
2009-02-16 00:31 --------- d-----w c:\program files\Oberon Media
2009-02-16 00:27 --------- d-----w c:\program files\Common Files\Apple
2009-02-14 01:35 --------- d-----w c:\program files\Karaoke Song List Creator
2009-02-12 02:40 134 ----a-w C:\Delme.bat
2009-02-12 02:33 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-12 02:31 --------- d-----w c:\documents and settings\tamrob\Application Data\Apple Computer
2009-02-09 16:33 --------- d-----w c:\documents and settings\tamrob\Application Data\GameHouse
2009-02-05 01:40 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-03 18:00 --------- d-----w c:\program files\SanDisk
2009-02-03 17:55 --------- d-----w c:\program files\Little Shop Road Trip
2009-02-03 17:54 --------- d-----w c:\program files\Kodak
2009-02-03 17:40 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-02-03 16:11 --------- d-----w c:\program files\Yahoo!
2009-02-03 16:10 --------- d-----w c:\documents and settings\tamrob\Application Data\Yahoo!
2009-02-03 16:10 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-01 04:02 --------- d-----w c:\program files\PCBugDoctor
2009-01-31 21:14 --------- d-----w c:\documents and settings\tamrob\Application Data\SpinTop Games
2009-01-28 18:19 --------- d-----w c:\documents and settings\tamrob\Application Data\Pogo Games
2009-01-27 15:42 --------- d-----w c:\documents and settings\tamrob\Application Data\Move Networks
2009-01-24 16:45 --------- d-----w c:\documents and settings\All Users\Application Data\Zylom
2009-01-19 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\GameHouse
2009-01-18 08:27 --------- d-----w c:\program files\Eco Setup Wizard
2009-01-18 07:23 97,280 ----a-w c:\windows\tertc6864.exe
2009-01-18 07:23 4,574,328 ----a-w c:\windows\rdwsb8853.exe
2009-01-18 07:23 28,672 ----a-w c:\windows\tjoo50238.exe
2009-01-18 07:23 28,672 ----a-w c:\windows\sneii3101.exe
2009-01-18 07:18 4,574,328 ----a-w c:\windows\mvrnt6631.exe
2009-01-18 07:18 28,672 ----a-w c:\windows\obehv1445.exe
2009-01-18 07:17 97,280 ----a-w c:\windows\tbgqw38338.exe
2009-01-18 07:17 28,672 ----a-w c:\windows\nrrqt34032.exe
2009-01-14 23:51 --------- d-----w c:\documents and settings\tamrob\Application Data\SecretIslandEng
2009-01-14 04:25 --------- d-----w c:\documents and settings\tamrob\Application Data\Go-Go Gourmet Chef of the Year
2009-01-13 23:00 --------- d-----w c:\documents and settings\tamrob\Application Data\Cat's Eye Games
2009-01-13 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\SpinTop Games
2009-01-13 00:40 --------- d-----w c:\documents and settings\tamrob\Application Data\PlayFirst
2009-01-13 00:40 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-01-12 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\NeptunesAdve
2009-01-11 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games
2009-01-10 16:40 --------- d-----w c:\documents and settings\tamrob\Application Data\Gaijin Ent
2009-01-10 07:05 --------- d-----w c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare
2009-01-10 05:21 --------- d-----w c:\documents and settings\tamrob\Application Data\Mysteryville2
2009-01-08 23:41 --------- d-----w c:\documents and settings\tamrob\Application Data\Flood Light Games
2008-12-23 17:37 --------- d-----w c:\program files\exPressit S.E. 2.2
2008-12-23 17:35 --------- d-----w c:\program files\SlySoft
2008-12-14 16:47 410,984 ----a-w c:\windows\SYSTEM32\deploytk.dll
2008-07-16 22:08 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012008071620080717\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-18_17.06.05.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-19 16:09:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_178.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-14 136600]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"WinZip E-Mail Companion OEAPI"="c:\program files\WinZip E-Mail Companion\loadwzco.exe" [2007-11-19 75136]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-12-04 1370000]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2005-01-12 14:54 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
--a------ 2003-07-09 14:06 319488 c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SansaService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\PC Tools AntiVirus\\PCTAV.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware SE Personal\\Ad-Aware.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2006-11-02 2560]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys --> c:\windows\system32\drivers\DigiFilt.sys [?]
S0 ElbyVCD;ElbyVCD;c:\windows\system32\DRIVERS\ElbyVCD.sys --> c:\windows\system32\DRIVERS\ElbyVCD.sys [?]
S3 SUNPLUS;Micro Webcam Mobile;c:\windows\system32\Drivers\SP508hp.SYS --> c:\windows\system32\Drivers\SP508hp.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-18 c:\windows\Tasks\PcbugDoctortamrob.job
- c:\program files\PCBugDoctor\PCBugDoctor.exe [2004-07-13 01:21]

2009-02-19 c:\windows\Tasks\User_Feed_Synchronization-{A7D568C4-56F6-408D-9B1E-554C27D96B55}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 10:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
FF - ProfilePath - c:\documents and settings\tamrob\Application Data\Mozilla\Firefox\Profiles\5osnzzbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2341492263-152593158-388936037-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,42,54,3b,7e,24,3e,19,f8
"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,
5e,d2,5e,7f,21,14,b5,b2,29
"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\F494F8BD7F228D8EFFEAAEF53A8D4504]
"1"=hex:c0,52,20,b1,47,91,30,5f,58,6a,ea,d4,ff,71,4b,c6,a8,87,6f,5a,78,c6,5d,
5b,22,26,64,2f,88,eb,a4,7b
"2"=hex:16,70,75,12,fe,ae,cc,5e
"3"=hex:ad,7d,26,85,ab,c9,b0,24,8a,2b,63,51,07,a7,99,b2,da,cf,c1,42,46,55,91,
83,a8,4e,54,d5,3d,a7,cd,57,79,77,6b,f5,aa,85,97,9e,c2,bc,67,7c,72,79,54,38,\
"4"=hex:98,03,53,e9,da,b8,82,f7
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:9c,0f,26,c5,43,55,e2,9e,79,40,de,a7,ca,bc,f3,99,99,4d,91,38,55,4f,0b,
a5,8f,9b,e5,fc,d6,5f,45,dd,f6,df,ab,53,85,3c,a2,16,6d,58,d5,44,e1,b2,db,fb,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,50,c0,20,2f,ff,27,64,21,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:70,56,26,33,e3,20,f8,ab
"10"=hex:3d,7b,8c,93,7f,aa,3a,8c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(676)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2009-02-19 11:41:35
ComboFix-quarantined-files.txt 2009-02-19 16:41:30
ComboFix2.txt 2009-02-18 22:07:10

Pre-Run: 10,121,617,408 bytes free
Post-Run: 10,114,650,112 bytes free

243 --- E O F --- 2008-12-15 16:23:34

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:19 AM

Posted 19 February 2009 - 12:08 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
gaopdxserv.sys

Rootkit::
C:\WINDOWS\system32\drivers\gaopdxyrgkvdll.sys
C:\WINDOWS\system32\gaopdxtpuhbqvk.dll

File::
C:\WINDOWS\system32\drivers\gaopdxyrgkvdll.sys
C:\WINDOWS\system32\gaopdxtpuhbqvk.dll
c:\windows\tertc6864.exe
c:\windows\rdwsb8853.exe
c:\windows\tjoo50238.exe
c:\windows\sneii3101.exe
c:\windows\mvrnt6631.exe
c:\windows\obehv1445.exe
c:\windows\tbgqw38338.exe
c:\windows\nrrqt34032.exe

Folder::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

RegLock::
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\F494F8BD7F228D8EFFEAAEF53A8D4504]
:

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
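As an added example (not part of the original post, and not code from ComboFix or any of the tools named in this thread), the script below automates the triage a helper does by eye on a log like the one above: it parses the ComboFix file-listing lines, flags executables dropped straight into the Windows folder under random-looking names that share byte sizes with each other (the eight c:\windows\*.exe files targeted by the CFScript above fit that pattern), and checks whether the standard-profile firewall policy is set to 0. The sample lines are copied from the log posted earlier in the thread; the letters-then-digits name pattern, the "same size, same folder" grouping rule and the function names are assumptions tuned to this log, not a general malware classifier.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a subset of the file-listing and firewall-policy lines
# copied from the ComboFix log posted in this thread. Not a live log.
SAMPLE_LOG = """\
2009-01-18 08:27 --------- d-----w c:\\program files\\Eco Setup Wizard
2009-01-18 07:23 97,280 ----a-w c:\\windows\\tertc6864.exe
2009-01-18 07:23 4,574,328 ----a-w c:\\windows\\rdwsb8853.exe
2009-01-18 07:23 28,672 ----a-w c:\\windows\\tjoo50238.exe
2009-01-18 07:23 28,672 ----a-w c:\\windows\\sneii3101.exe
2009-01-18 07:18 4,574,328 ----a-w c:\\windows\\mvrnt6631.exe
2009-01-18 07:18 28,672 ----a-w c:\\windows\\obehv1445.exe
2009-01-18 07:17 97,280 ----a-w c:\\windows\\tbgqw38338.exe
2009-01-18 07:17 28,672 ----a-w c:\\windows\\nrrqt34032.exe
2008-12-14 16:47 410,984 ----a-w c:\\windows\\SYSTEM32\\deploytk.dll
2008-07-16 22:08 32,768 --sha-w c:\\windows\\SYSTEM32\\CONFIG\\systemprofile\\Local Settings\\History\\History.IE5\\MSHist012008071620080717\\index.dat
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One ComboFix listing line: date, time, size (or dashes for a folder),
# a 7-character attribute field such as d-----w / ----a-w / --sha-w, path.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+)$"
)

# Assumed heuristic: a run of letters followed by a run of digits, as in
# tertc6864 or tbgqw38338. Tuned to this log, not a general rule.
RANDOM_STEM = re.compile(r"^[a-z]{3,8}\d{3,6}$", re.I)

# Windows Firewall policy value as ComboFix prints it: "EnableFirewall"= 0 (0x0)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.M)


def parse_file_lines(text):
    """Parse ComboFix file-listing lines into dicts; every other line is skipped."""
    entries = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        size = m["size"]
        entries.append({
            "when": f"{m['date']} {m['time']}",
            "size": None if size.startswith("-") else int(size.replace(",", "")),
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries


def suspicious_droppers(entries, windir="c:\\windows"):
    """Return paths of PE files dropped directly into the Windows folder whose
    name matches RANDOM_STEM and whose byte size is shared with at least one
    other such file (the same payload re-dropped under fresh random names).
    Order follows the log."""
    candidates = []
    for e in entries:
        if e["is_dir"] or e["size"] is None:
            continue
        folder, name = ntpath.split(e["path"])
        stem, ext = ntpath.splitext(name)
        if folder.lower() != windir.lower():          # subfolders are not in scope
            continue
        if ext.lower() not in (".exe", ".dll", ".sys"):
            continue
        if not RANDOM_STEM.match(stem):
            continue
        candidates.append(e)
    size_counts = Counter(e["size"] for e in candidates)
    return [e["path"] for e in candidates if size_counts[e["size"]] >= 2]


def firewall_disabled(text):
    """True if the standard-profile EnableFirewall policy in the log is 0."""
    return bool(FIREWALL_OFF.search(text))


if __name__ == "__main__":
    hits = suspicious_droppers(parse_file_lines(SAMPLE_LOG))
    for path in hits:
        print("dropper candidate:", path)
    print("firewall disabled:", firewall_disabled(SAMPLE_LOG))
```

Run it as-is and it lists the eight c:\windows\*.exe files and reports the firewall as disabled; deploytk.dll and the hidden index.dat are not flagged because they sit in subfolders. The size grouping is what separates these files from a single odd-looking installer: four copies at 28,672 bytes, two at 97,280 and two at 4,574,328 dropped within ten minutes is a pattern, not a coincidence, and it is the same set the CFScript above deletes.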


#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:11:19 AM

Posted 25 February 2009 - 07:37 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





