Olmarik, UACttivkyxu.dll and windowsclick are conspiring to kill my computer


  • This topic is locked
3 replies to this topic

#1 Ostrakon

  • Members
  • 1 posts

Posted 07 April 2009 - 01:43 AM

Hi,

I am beaten, utterly defeated. I'm a first-timer, so please forgive any ignorant mistakes.
My problems are many, so I'll describe what I can.
I have a great deal of trouble booting up; sometimes it works, sometimes it doesn't. When I do boot up, a common file opens with a Helper.DLL file in it.
Ad-Aware seems to be on a perpetual loop, telling me I have the Olmarik Trojan, but it is unable to get rid of it. Malwarebytes and Spybot will not even start up. GMER found UACttivkyxu.dll but was not able to delete it. I am running Windows XP; it crashes and runs sporadically.

I was able to run HJT.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:32 PM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DriveIcon\DriveIcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner.YOUR-ED0299C6D2\Application Data\U3\0C90D46081B28890\LaunchPad.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner.YOUR-ED0299C6D2\Desktop\HiJackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 207.46.199.60 browser-security.microsoft.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9B37FDBA-1B67-472B-9E9B-4BF680FA3015} - c:\windows\system32\pqkszxh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1217544420\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DriveIcons] C:\Program Files\DriveIcon\DriveIcon.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [svcho] C:\WINDOWS\svcho.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.download.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O18 - Filter hijack: text/html - {4f97981b-b275-48c5-80aa-51e0d478edb0} - C:\WINDOWS\system32\mst123.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: fpamcqvj - C:\WINDOWS\SYSTEM32\pqkszxh.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8651 bytes

Here is the GMER:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-06 19:48:01
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 856E3838 ZwEnumerateKey
Code 856DEBB0 ZwFlushInstructionCache
Code 857592C6 IofCallDriver
Code 857A9E3E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE136 5 Bytes JMP 857592CB
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C6 5 Bytes JMP 857A9E43
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABA9C 5 Bytes JMP 856DEBB4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061A694 5 Bytes JMP 856E383C

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B6000A
.text C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B7000A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[208] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AA000A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe[208] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AB000A
.text C:\WINDOWS\eHome\ehRecvr.exe[220] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0066000A
.text C:\WINDOWS\eHome\ehRecvr.exe[220] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0067000A
.text C:\WINDOWS\eHome\ehSched.exe[248] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0064000A
.text C:\WINDOWS\eHome\ehSched.exe[248] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0065000A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[272] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0097000A
.text C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe[272] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0098000A
.text C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe[320] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0062000A
.text C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\NetfxUpdate.exe[320] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0063000A
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[456] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AA000A
.text C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS[456] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[600] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\wbem\unsecapp.exe[600] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B9000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AF000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] kernel32.dll!LoadLibraryExW + 36 7C801B27 5 Bytes JMP 02E3E8B4 C:\Program Files\Common\helper.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!LoadCursorFromFileA + 5F6 7E454061 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] USER32.dll!LoadCursorFromFileA + 8CD 7E454338 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WININET.dll!HttpAddRequestHeadersA 771C40E2 5 Bytes JMP 00BA000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WININET.dll!HttpAddRequestHeadersW 771CEF14 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C3F9F0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C408A0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C40780 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00C3FDA0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[608] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C40A60 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[716] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A9000A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[716] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AA000A
.text C:\WINDOWS\System32\alg.exe[728] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0073000A
.text C:\WINDOWS\System32\alg.exe[728] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0075000A
.text C:\WINDOWS\system32\winlogon.exe[828] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0069000A
.text C:\WINDOWS\system32\winlogon.exe[828] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\services.exe[872] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0077000A
.text C:\WINDOWS\system32\services.exe[872] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0079000A
.text C:\WINDOWS\system32\lsass.exe[884] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\lsass.exe[884] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0087000A
.text C:\WINDOWS\ehome\mcrdsvc.exe[1248] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0065000A
.text C:\WINDOWS\ehome\mcrdsvc.exe[1248] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1468] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0083000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1468] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0087000A
.text C:\WINDOWS\ehome\ehtray.exe[1704] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0097000A
.text C:\WINDOWS\ehome\ehtray.exe[1704] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0098000A
.text C:\WINDOWS\system32\spoolsv.exe[1820] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\spoolsv.exe[1820] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AD000A
.text C:\WINDOWS\explorer.exe[2044] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00BF000A
.text C:\WINDOWS\explorer.exe[2044] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00C0000A
.text C:\WINDOWS\eHome\ehmsas.exe[2064] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 008D000A
.text C:\WINDOWS\eHome\ehmsas.exe[2064] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 008E000A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[2084] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009F000A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[2084] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A0000A
.text C:\WINDOWS\AGRSMMSG.exe[2112] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B4000A
.text C:\WINDOWS\AGRSMMSG.exe[2112] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B5000A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe[2208] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B0000A
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe[2208] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B1000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2268] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00BE000A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2268] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00BF000A
.text C:\Program Files\DriveIcon\DriveIcon.exe[2328] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00E5000A
.text C:\Program Files\DriveIcon\DriveIcon.exe[2328] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00E6000A
.text C:\Program Files\QuickTime\qttask.exe[2452] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AB000A
.text C:\Program Files\QuickTime\qttask.exe[2452] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AD000A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2468] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B4000A
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[2468] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0084000A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 0088000A
.text C:\Program Files\Messenger\msmsgs.exe[2628] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0099000A
.text C:\Program Files\Messenger\msmsgs.exe[2628] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\ctfmon.exe[2636] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009F000A
.text C:\WINDOWS\system32\ctfmon.exe[2636] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A0000A
.text C:\Program Files\BigFix\bigfix.exe[2920] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00D9000A
.text C:\Program Files\BigFix\bigfix.exe[2920] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00DA000A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3148] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00FC000A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3148] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00FD000A
.text C:\Documents and Settings\Owner.YOUR-ED0299C6D2\Local Settings\Temporary Internet Files\Content.IE5\4YNLCBES\oqin361l[1].exe[3300] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00B3000A
.text C:\Documents and Settings\Owner.YOUR-ED0299C6D2\Local Settings\Temporary Internet Files\Content.IE5\4YNLCBES\oqin361l[1].exe[3300] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00B4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] kernel32.dll!LoadLibraryExW + 36 7C801B27 5 Bytes JMP 02E3E8B4 C:\Program Files\Common\helper.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] kernel32.dll!ExitProcess 7C81CDDA 5 Bytes JMP 03C41088 C:\WINDOWS\system32\mst123.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] USER32.dll!LoadCursorFromFileA + 5F6 7E454061 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] USER32.dll!LoadCursorFromFileA + 8CD 7E454338 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] WININET.dll!HttpAddRequestHeadersA 771C40E2 5 Bytes JMP 00BA000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] WININET.dll!HttpAddRequestHeadersW 771CEF14 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C3F9F0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C408A0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C40780 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00C3FDA0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3360] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C40A60 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] WININET.dll!HttpAddRequestHeadersA 771C40E2 5 Bytes JMP 00BA000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] WININET.dll!HttpAddRequestHeadersW 771CEF14 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C3F9F0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C408A0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C40780 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00C3FDA0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[3536] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C40A60 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\WINDOWS\system32\conime.exe[3688] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\conime.exe[3688] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AD000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00AE000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00AF000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] kernel32.dll!LoadLibraryExW + 36 7C801B27 5 Bytes JMP 02E3E8B4 C:\Program Files\Common\helper.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] USER32.dll!LoadCursorFromFileA + 5F6 7E454061 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] USER32.dll!LoadCursorFromFileA + 8CD 7E454338 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] WININET.dll!HttpAddRequestHeadersA 771C40E2 5 Bytes JMP 00BA000C
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] WININET.dll!HttpAddRequestHeadersW 771CEF14 5 Bytes JMP 00C2000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C3F9F0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C408A0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C40780 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] WS2_32.dll!gethostbyname 71AB4FD4 5 Bytes JMP 00C3FDA0 \\?\globalroot\systemroot\system32\UACttivkyxu.dll
.text C:\Program Files\Internet Explorer\Iexplore.exe[3892] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C40A60 \\?\globalroot\systemroot\system32\UACttivkyxu.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\psapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [00D37D24] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00CB5140
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00CB508C
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00CB5027
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00CB4FF5
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00CB53F9
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00CB56AB
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00CB56AB
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00CB53F9
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00CB56AB
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00CB5140
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00A55140
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00A5508C
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00A55027
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00A54FF5
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00A553F9
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00A556AB
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00A55140
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00A556AB
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00A553F9
IAT C:\WINDOWS\System32\alg.exe[728] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00A556AB
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryDirectoryFile] 00DE5140
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00DE5140
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00DE508C
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00DE5027
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00DE4FF5
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00DE53F9
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00DE56AB
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00DE56AB
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00DE53F9
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00DE56AB
IAT C:\WINDOWS\system32\services.exe[872] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00DE5140
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 01335140
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0133508C
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 01335027
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01334FF5
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\LSASRV.dll [ntdll.dll!LdrLoadDll] 0133508C
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 01335140
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrLoadDll] 0133508C
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\SAMSRV.dll [ntdll.dll!LdrGetProcedureAddress] 01335027
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 013353F9
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 013356AB
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 013356AB
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 013353F9
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 013356AB
IAT C:\WINDOWS\system32\svchost.exe[1032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00C34FF5
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00E15140
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00E1508C
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00E15027
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00E14FF5
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00E153F9
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00E156AB
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00E156AB
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 00E153F9
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 00E156AB
IAT C:\WINDOWS\system32\svchost.exe[1152] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00E15140
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 03385140
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0338508C
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 03385027
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 03384FF5
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 033853F9
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 033856AB
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 033856AB
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 033853F9
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 033856AB
IAT C:\WINDOWS\System32\svchost.exe[1292] @ C:\WINDOWS\System32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 03385140
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00085140
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0008508C
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00085027
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00084FF5
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 000853F9
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 000856AB
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 000856AB
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00085140
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!TranslateMessage] 000856AB
IAT C:\WINDOWS\eHome\ehmsas.exe[2064] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!GetClipboardData] 000853F9
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00405140
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 0040508C
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00405027
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00404FF5
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 004053F9
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 004056AB
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\WS2HELP.dll [ntdll.dll!NtQueryDirectoryFile] 00405140
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 004056AB
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 004053F9
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[2600] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TranslateMessage] 004056AB

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [512] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [608] 0x00C30000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1032] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1152] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1292] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1368] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1552] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3360] 0x00C30000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3536] 0x00C30000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [3892] 0x00C30000

---- EOF - GMER 1.0.15 ----


I have spent a week trying to fix this. My work and sleep are both suffering greatly. Any help is MUCH appreciated.
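The GMER output above can be triaged mechanically rather than read line by line. The following is an added Python example, not part of the original thread and not code from GMER; it parses a constructed excerpt modelled on the log format shown above (a few lines, illustrative addresses) and flags two things a responder looks for: IAT hook entries for which GMER printed only a bare address (no owning file on disk or vendor string) and libraries marked `*** hidden ***`, then reports the processes in which both appear together.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the GMER 1.0.15 log format posted in the
# thread (a short excerpt, not the full log); addresses are illustrative.
SAMPLE_LOG = r"""
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00CB5140
IAT C:\WINDOWS\system32\svchost.exe[512] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00CB508C
IAT C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe[196] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [00D37CD1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics Resources/America Online, Inc.)
IAT C:\WINDOWS\system32\lsass.exe[884] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 01334FF5

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [512] 0x009F0000
Library \\?\globalroot\systemroot\system32\UACttivkyxu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [884] 0x009F0000
"""

# "IAT <process>[pid] @ <module> [<import>] <rest>"
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) \[(?P<func>[^\]]+)\] (?P<rest>.+)$"
)
# A hook GMER could attribute carries "[addr] <owning file> (<vendor>)".
ATTRIBUTED_RE = re.compile(r"^\[[0-9A-Fa-f]+\] (?P<owner>.+?) \((?P<vendor>[^)]*)\)$")
# "Library <path> (<flags>) @ <process> [pid] <base>"
LIB_RE = re.compile(
    r"^Library (?P<path>\S+) \((?P<flags>[^)]*)\) @ (?P<proc>.+?) \[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$"
)


def parse_gmer(text):
    """Return (iat_hooks, libraries) parsed from GMER-style log text."""
    hooks, libs = [], []
    for line in text.splitlines():
        m = IAT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            a = ATTRIBUTED_RE.match(rec["rest"])
            if a:
                rec["owner"], rec["vendor"] = a.group("owner"), a.group("vendor")
            else:
                # Bare address only: GMER could not tie the hook to a file on disk,
                # which is the pattern an injected, hidden module produces.
                rec["owner"], rec["vendor"] = None, None
            hooks.append(rec)
            continue
        m = LIB_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["hidden"] = "hidden" in rec["flags"]
            libs.append(rec)
    return hooks, libs


def triage(text):
    """Summarise unattributed hooks, hidden libraries and the PIDs showing both."""
    hooks, libs = parse_gmer(text)
    unattributed = [h for h in hooks if h["owner"] is None]
    attributed = [h for h in hooks if h["owner"] is not None]
    hidden_libs = defaultdict(set)
    for lib in libs:
        if lib["hidden"]:
            hidden_libs[lib["path"]].add((lib["proc"], lib["pid"]))
    hooked_pids = {h["pid"] for h in unattributed}
    hidden_pids = {pid for procs in hidden_libs.values() for _, pid in procs}
    return {
        "unattributed_hooks": unattributed,
        "attributed_hooks": attributed,
        "hidden_libs": dict(hidden_libs),
        # Which imports were redirected; NtQueryDirectoryFile is the one that
        # lets a module hide its own file from directory listings.
        "hooked_functions": {h["func"] for h in unattributed},
        "suspect_pids": hooked_pids & hidden_pids,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, procs in result["hidden_libs"].items():
        print("hidden library", path, "in", sorted(procs))
    print("redirected imports:", sorted(result["hooked_functions"]))
    print("processes with hidden library AND unattributed hooks:", sorted(result["suspect_pids"]))
```

Hooks that GMER attributes to a named, vendor-signed file (the AOL diagnostics line in the sample) are kept separately so they can be reviewed rather than counted as findings; the processes that matter are those where a hidden library and unattributed redirection of ntdll imports coincide, which is exactly the picture the log above paints for svchost.exe and lsass.exe.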

#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 PM

Posted 11 April 2009 - 11:36 AM

Yikes, you have a nasty infection here.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you wish to continue, follow the steps below.


Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Download the appropriate Windows XP setup boot disk and drag it on Combofix like the image below:
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the recovery console, you will see this window.
    Please select No. to skip the ComboFix scan for now.
  • Save all documents or windows that are open, because when running ComboFix you won't have an internet connection and everything will be closed.
  • Click on your Start Menu, then Run, In the run box type:
    "%userprofile%\desktop\Combo-Fix.exe" /killall
  • Combofix will now run
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [link].

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 PM

Posted 14 April 2009 - 02:46 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the day I replied, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:22 PM

Posted 16 April 2009 - 03:06 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
