W32.Backdoor.tssd / Unknown Malware


This topic is locked.
4 replies to this topic

#1 surfgal545 (Members, 16 posts)

Posted 08 September 2009 - 05:05 PM

Thank you so much in advance for your help. I am not too sure what is infecting my computer, but I figure a lot. It will not let me access the internet through Firefox or IE. I deleted all temp files and cookies and tried to run Ad-Aware and Spybot, but some sort of malware had control of it. I was able to put an updated Ad-Aware on a USB drive on my other computer and transfer it. It detected W32.Backdoor but couldn't delete it. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:10 PM, on 9/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byu.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [MioNet] C:\Program Files\MioNet\MioNetLauncher.exe /p
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Scott Glenn\Application Data\cogad\cogad.exe" 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\SCOTTG~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Scott Glenn\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [Installer] C:\WINDOWS\TEMP\rdlD.tmp
O4 - HKCU\..\Run: [andvsjdsb5lj4hdypgk4dncjzm6c48k2dydygh2djq7bgnif] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\q4cmim7mq1c9i.exe
O4 - HKCU\..\Run: [ka8gd94mehovyb6c88bnee9m4ny30ggq9ueardjku2vq3wps8l] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\k890hj1.exe
O4 - HKCU\..\Run: [mixo2zmeewli3kblc5yrcr4prfi6] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\qdwiftkn.exe
O4 - HKCU\..\Run: [y59nnvpnx95t470d4afkijaherq6cdzvypqbtk6bd5et76] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\kaxfrab.exe
O4 - HKCU\..\Run: [mlhk0a50t09x8d1ciyvtkpil] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\c88e71udcc.exe
O4 - HKCU\..\Run: [trykw1x4qo9ch32ohvh3hvdeh5uy4xjvcnjco69ytq7zqv52oy] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\dptrc3zqt8m.exe
O4 - HKCU\..\Run: [vfcdw1gyt4xpf0g0p5rbyihhbxho2fntmq4synmf] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\xqemdtbe1.exe
O4 - HKCU\..\Run: [zixffkwfti] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\hzs7smtw3.exe
O4 - HKCU\..\Run: [z1ymr9bvsjlxtx15poud1i2r59filgfccildspzslf8uu0n] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\a5a6986x.exe
O4 - HKCU\..\Run: [vvue6q96kgdjposvuznb74ocmv] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\tx5ppbmd.exe
O4 - HKCU\..\Run: [z9ex0ug8euw5bol4x3onew8rjl95kuwqd7oe6clj2nqf] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\f9538e2f89l.exe
O4 - HKCU\..\Run: [ei6cboiz9t7vilykme2k834lnz81yw8pqpz2yh] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\ho9clr4zc.exe
O4 - HKCU\..\Run: [jdc4r1ih59a7vcprvb6pgo367yspv17emdudm60] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\bfgiwi35.exe
O4 - HKCU\..\Run: [ycb4svnmn2rjofu2217h6uh3oo4] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\hek96s6ye78.exe
O4 - HKCU\..\Run: [f1zh10hz2sfcbaqd5474jphhxwd8kxa25yhkw1t1b8d] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\hexcsgxg.exe
O4 - HKCU\..\Run: [r8em1j3mal8s] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\ocr8u0gv5d.exe
O4 - HKCU\..\Run: [npn5lts2558fxce472c5zst6lzot1opm9chudypl5q] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\zlfobu1.exe
O4 - HKCU\..\Run: [fp6rsbpbp65e5a3dhg5cmo12xa3owwr287us9se] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\xozon7lv98ei.exe
O4 - HKCU\..\Run: [mbwt9kmkzde65bt48g] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\i2nodiul.exe
O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: dgysim.dll
O20 - Winlogon Notify: rssync - rssync.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\hsari3jndsbfi73.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MioNet - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.epitaph.com/_lib/stream.php?f=III: Ghost Tigers Rise.jpg&p=/78/370/370_hi.jpg
O24 - Desktop Component 1: (no name) - http://www.againstme.net/images/miamidesk1024.jpg

--
End of file - 8052 bytes
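Triage of the HijackThis log above, as an added example that is not part of the original post and not anything HijackThis itself does (HijackThis lists, it does not judge). The script runs the editor's own flagging rules over a constructed excerpt of the posted lines: autoruns launched from a Temp directory or from Application Data, a .tmp file registered to run, rundll32 loading a DLL from the user profile, Run key names that look machine-generated, a hosts entry that redirects a microsoft.com hostname to a non-loopback address, the DisableRegedit policy, a populated AppInit_DLLs value, and COM registrations whose DLL is missing. The thresholds in looks_random() are the editor's heuristics, not an established classifier.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted above. The triage rules
# below are the editor's heuristics; HijackThis itself reports, it does not judge.
HJT_EXCERPT = r"""
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\winlognn.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\SCOTTG~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Scott Glenn\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [Installer] C:\WINDOWS\TEMP\rdlD.tmp
O4 - HKCU\..\Run: [andvsjdsb5lj4hdypgk4dncjzm6c48k2dydygh2djq7bgnif] C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\q4cmim7mq1c9i.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: dgysim.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
TEMP_RE = re.compile(r"\\(?:LOCALS~1\\Temp|WINDOWS\\TEMP|Local Settings\\Temp)\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\Application Data\\", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+\.dll)', re.IGNORECASE)
PROFILE_RE = re.compile(r"DOCUME~1|Documents and Settings", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Editor's heuristic: vendor-chosen Run key names are short words; a long
    letter/digit soup or a near-vowelless string is the generated-name pattern."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    if len(name) >= 12 and any(c.isdigit() for c in name):
        return True
    if len(name) >= 8:
        vowels = sum(c in "aeiouAEIOU" for c in letters)
        return vowels / len(letters) < 0.2
    return False


def triage(log: str) -> dict:
    """Map each flagged log line to the list of reasons it was flagged."""
    findings = defaultdict(list)
    for line in (l.strip() for l in log.splitlines()):
        if not line:
            continue
        m = HOSTS_RE.match(line)
        if (m and m["host"].lower().endswith(("microsoft.com", "windowsupdate.com"))
                and not m["ip"].startswith("127.")):
            findings[line].append("hosts entry redirects a Microsoft hostname")
        m = O4_RE.match(line)
        if m:
            cmd = m["cmd"]
            if TEMP_RE.search(cmd):
                findings[line].append("autorun from a Temp directory")
            if APPDATA_RE.search(cmd):
                findings[line].append("autorun from Application Data")
            if re.search(r"\.tmp\b", cmd, re.IGNORECASE):
                findings[line].append("autorun executes a .tmp file")
            r = RUNDLL_RE.search(cmd)
            if r and PROFILE_RE.search(r["dll"]):
                findings[line].append("rundll32 loads a DLL from the user profile")
            if looks_random(m["name"]):
                findings[line].append("random-looking Run key name")
        if line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings[line].append("Registry Editor disabled by policy")
        if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings[line].append("AppInit_DLLs loads a DLL into every process that maps user32.dll")
        if line.startswith(("O2 - ", "O22 - ")) and "(file missing)" in line:
            findings[line].append("COM registration whose DLL is missing")
    return dict(findings)


def summarize(log: str) -> dict:
    """Count how often each reason fires, to see the shape of the infection at a glance."""
    counts = defaultdict(int)
    for reasons in triage(log).values():
        for reason in reasons:
            counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    for line, reasons in triage(HJT_EXCERPT).items():
        print(f"{line}\n    -> {'; '.join(reasons)}")
    print(summarize(HJT_EXCERPT))
```

Run against the full log, the Temp rule fires on every HKCU Run entry that points into LOCALS~1\Temp or WINDOWS\TEMP, and the random-name rule on the long alphanumeric key names those entries use, so the summary separates the handful of vendor autoruns (Symantec, Intel graphics, SoundMAX) from the bulk that needs removal. The hosts rule is deliberately narrow: a microsoft.com hostname mapped to an address other than loopback is the one pattern the posted log exhibits, and widening it to all vendors is a per-environment decision.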


#2 fenzodahl512 (Members, 6,738 posts)

Posted 10 September 2009 - 12:32 PM

Please download GMER and unzip it to your Desktop.
Please rename the random filename, or GMER, to GAMERS.
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans, as it may interfere with the output results.



#3 surfgal545 (Topic Starter, Members, 16 posts)

Posted 11 September 2009 - 08:08 PM

Thank you so much for your help! Here are the scan results.

GMER 1.0.15.15077 [5gv3xw6w.exe] - http://www.gmer.net
Rootkit scan 2009-09-11 18:03:50
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code E1A7C748 ZwEnumerateKey
Code E1A65118 ZwFlushInstructionCache
Code EF893EAB pIofCallDriver
Code EF894853 pIofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 3 Bytes JMP E1A7C74C
PAGE ntoskrnl.exe!ZwEnumerateKey + 4 8056EF34 1 Byte [61]
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP E1A6511C

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\services.exe[708] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF93E0E
.text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF93E9D
.text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF93EAA
.text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF93E93
.text C:\WINDOWS\system32\lsass.exe[724] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF93EEB
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\System32\alg.exe[1244] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\System32\alg.exe[1244] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\System32\alg.exe[1244] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\System32\alg.exe[1244] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\System32\alg.exe[1244] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1264] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1264] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1264] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1264] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\wbem\unsecapp.exe[1264] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1296] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1296] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1296] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1296] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1296] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1308] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1308] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1308] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1308] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1308] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1332] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1332] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1332] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1332] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1332] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\spoolsv.exe[1520] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\spoolsv.exe[1520] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\spoolsv.exe[1520] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\spoolsv.exe[1520] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\spoolsv.exe[1520] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1628] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1628] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1628] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1628] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1628] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1648] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1648] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1648] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1648] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1648] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1676] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1676] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1676] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1676] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1676] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\MioNet\MioNetManager.exe[1692] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\MioNet\MioNetManager.exe[1692] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\MioNet\MioNetManager.exe[1692] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\MioNet\MioNetManager.exe[1692] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\MioNet\MioNetManager.exe[1692] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1732] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1732] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1732] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1732] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1732] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[1764] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[1764] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[1764] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[1764] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[1764] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\svchost.exe[1800] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1812] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1812] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1812] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1812] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1812] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\wdfmgr.exe[1944] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\wdfmgr.exe[1944] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\wdfmgr.exe[1944] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\wdfmgr.exe[1944] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\wdfmgr.exe[1944] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.reloc C:\WINDOWS\Explorer.EXE[2696] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x8800, 0xE2000060]
.reloc C:\WINDOWS\Explorer.EXE[2696] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x010FE891]
.text C:\WINDOWS\Explorer.EXE[2696] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\Explorer.EXE[2696] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\Explorer.EXE[2696] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\Explorer.EXE[2696] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\Explorer.EXE[2696] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2972] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2972] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2972] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2972] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2972] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3016] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3016] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3016] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3016] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe[3016] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3020] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3020] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3020] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3020] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3020] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[3080] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[3080] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[3080] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[3080] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[3080] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\hkcmd.exe[3112] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\hkcmd.exe[3112] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\hkcmd.exe[3112] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\hkcmd.exe[3112] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\hkcmd.exe[3112] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\igfxpers.exe[3124] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\igfxpers.exe[3124] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\igfxpers.exe[3124] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\igfxpers.exe[3124] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\igfxpers.exe[3124] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\rundll32.exe[3156] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\rundll32.exe[3156] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\rundll32.exe[3156] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\rundll32.exe[3156] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\rundll32.exe[3156] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\taskmgr.exe[3172] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\taskmgr.exe[3172] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\taskmgr.exe[3172] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\taskmgr.exe[3172] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\taskmgr.exe[3172] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\WINDOWS\system32\rundll32.exe[3176] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\WINDOWS\system32\rundll32.exe[3176] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\WINDOWS\system32\rundll32.exe[3176] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\WINDOWS\system32\rundll32.exe[3176] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\WINDOWS\system32\rundll32.exe[3176] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Documents and Settings\Scott Glenn\Application Data\Twain\Twain.exe[3224] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Documents and Settings\Scott Glenn\Application Data\Twain\Twain.exe[3224] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Documents and Settings\Scott Glenn\Application Data\Twain\Twain.exe[3224] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Documents and Settings\Scott Glenn\Application Data\Twain\Twain.exe[3224] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Documents and Settings\Scott Glenn\Application Data\Twain\Twain.exe[3224] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE[3312] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE[3312] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE[3312] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE[3312] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE[3312] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\g8ba87c.exe[3616] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\g8ba87c.exe[3616] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\g8ba87c.exe[3616] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\g8ba87c.exe[3616] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\g8ba87c.exe[3616] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\v6brlx.exe[3624] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\v6brlx.exe[3624] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\v6brlx.exe[3624] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\v6brlx.exe[3624] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\DOCUME~1\SCOTTG~1\LOCALS~1\Temp\v6brlx.exe[3624] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE[3720] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE[3720] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE[3720] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE[3720] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE[3720] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text E:\5gv3xw6w.exe[3888] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text E:\5gv3xw6w.exe[3888] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text E:\5gv3xw6w.exe[3888] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text E:\5gv3xw6w.exe[3888] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text E:\5gv3xw6w.exe[3888] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[3960] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA3E0E
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[3960] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA3E9D
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[3960] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA3EAA
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[3960] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA3E93
.text C:\Program Files\MioNet\jvm\bin\MioNet.exe[3960] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA3EEB

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F8D153FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F8D15458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8D15684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F8D156B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8D15684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F8D15458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F8D153FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F8D15684] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F8D156B2] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F8D153FC] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F8D15458] \SystemRoot\System32\Drivers\NDISRD.SYS (NDISRD helper driver/NT Kernel Resources)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\TDSSmhxt.sys (*** hidden *** ) EF892000-EF8A4000 (73728 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:356] EF894D66
---- Processes - GMER 1.0.15 ----

Library E:\5gv3xw6w.exe (*** hidden *** ) @ E:\5gv3xw6w.exe [3888] 0x00400000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\TDSSmhxt.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8D 0x09 0x3A 0xE1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmqxt.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSoiqh.log
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8D 0x09 0x3A 0xE1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8D 0x09 0x3A 0xE1 ...
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSmhxt.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSofxh.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSosvd.dat
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSnrsr.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSriqp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSScfum.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSlxwp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSsihc.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSmqxt.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSoiqh.log
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Ole1Class@ Package
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ Package

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 11 September 2009 - 10:07 PM

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double-click it & post the log it creates on the desktop (mbr.log).

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename ComboFix to Combo-Fix as follows:

It is important you rename ComboFix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 17 September 2009 - 02:57 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.

