Need help to get rid of nasty malware, please!


12 replies to this topic

#1 oranjeboom

  • Members
  • 8 posts

Posted 27 October 2009 - 01:39 PM

Hi, I am a newbie and would like to say hello to everyone and ask for a bit of help please. Through my own stupidity I have infected our Windows XP PC with some nasty malware. A couple of years ago I purchased some software, but after having to re-format the hard drive last year, I lost the reg key, so when I downloaded the software again, I couldn't register it. As I had already paid for it once, I stupidly tried to obtain a reg key through another site, which has infected our PC. I cannot run Malwarebytes, HijackThis, Ad-Aware or Spybot. I have tried running these in safe mode but it says access denied. I have downloaded the latest version of Malwarebytes straight onto a USB-connected pen drive, and tried to run it off there, which started up and then stopped after starting a scan. The malware is redirecting Google search results onto various shopping sites etc., and slowing start-up.
We use I.E. as our browser, AVG Free, and the Zone Alarm firewall. Any help would be greatly appreciated.



#2 Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 27 October 2009 - 11:47 PM

Download this file and save it to your desktop:

http://download.bleepingcomputer.com/grinler/rkill.scr

Double-click the file to run it. A command window will open briefly. Then run a quick scan with Malwarebytes. Post the Malwarebytes log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 oranjeboom
  • Topic Starter

  • Members
  • 8 posts

Posted 28 October 2009 - 05:19 AM

Hi Budapest,
Thanks for your reply. I downloaded the file you asked me to do. The command box appeared, then stopped on the screen with 6 x "This operation has been completed successfully" in the box. The Malwarebytes I already had still said access denied, so I downloaded the latest version and tried that. This opened up, so I tried a quick scan, which stopped after 3 seconds, and now access is denied to that. Don't know if this is relevant or will help in any way, but here are the AVG scan results, but it will not remove these.
[Posted image: AVG scan results]

Edited by oranjeboom, 28 October 2009 - 05:32 AM.


#4 oranjeboom
  • Topic Starter

  • Members
  • 8 posts

Posted 31 October 2009 - 05:46 AM

Hi again, I got rkill to run from one of the other sources I think. The command box appeared with message "stopping all known malware", but it took about 5 minutes to do. I still can't run Malwarebytes though.

#5 Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 31 October 2009 - 06:39 AM

Try scanning with the free version of SUPERAntiSpyware:

http://www.superantispyware.com/download.html

Run rkill before installing and/or scanning with SUPERAntiSpyware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#6 oranjeboom
  • Topic Starter

  • Members
  • 8 posts

Posted 31 October 2009 - 08:16 AM

Hi again Budapest, thanks for your reply. I really appreciate you people giving up your valuable time to help non-experts like me.
I have run SUPERAntiSpyware, which picked up quite a few threats, which it then deleted, hopefully. Here is the log before these files were deleted; do I need to run another scan or try Malwarebytes again?
Regards, Keith

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/31/2009 at 12:47 PM

Application Version : 4.29.1004

Core Rules Database Version : 4216
Trace Rules Database Version: 2122

Scan type : Quick Scan
Total Scan Time : 00:20:53

Memory items scanned : 702
Memory threats detected : 0
Registry items scanned : 602
Registry threats detected : 23
File items scanned : 7321
File threats detected : 404

Rootkit.NDisProt/Fake
HKLM\System\ControlSet001\Services\Ndisprot.sys
C:\WINDOWS\SYSTEM32\DRIVERS\NDISPROT.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_Ndisprot.sys
HKLM\System\ControlSet002\Services\Ndisprot.sys
HKLM\System\ControlSet002\Enum\Root\LEGACY_Ndisprot.sys
HKLM\System\CurrentControlSet\Services\Ndisprot.sys
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_Ndisprot.sys

Adware.Tracking Cookie
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.googleadservices[6].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.googleadservices[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@hearstmagazines.112.2o7[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@uk.sitestat[11].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@exoclick[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@advertising[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@dealtime[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.googleadservices[4].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@bridge2.admarketplace[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@cmpi.122.2o7[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@s4.shinystat[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@rhs.adservinginternational[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@bs.serving-sys[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.smartadserver[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@richmedia.yahoo[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@rotator.adjuggler[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.findanyfilm[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@swapit.adbureau[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@ads.glispa[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@irishtimesgroup.112.2o7[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@nickelodeonuk.112.2o7[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@ads.oddschecker[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.usenext[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@sales.liveperson[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@uk.sitestat[9].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@xml.trafficengine[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.googleadservices[11].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@stats.rbftpnetworks[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@zanox[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.usenext[3].txt
C:\Documents and Settings\Keith hollis\Cookies\keith hollis@CAHP6IWR.txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@mediastorehouse[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.virginmedia[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@uk.sitestat[10].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@ehg-nestlepurinapetcare.hitbox[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@media.adrevolver[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@clicklog[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@care2.112.2o7[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@click.mediadome[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@tracker.roitesting[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@partypoker[3].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@pointroll[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www5.addfreestats[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@admarketplace[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@www.stopzilla[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@stopzilla[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@cdn4.specificclick[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@parentingteens.about[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@wsclick.infospace[1].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@adrevolver[2].txt
C:\Documents and Settings\Keith hollis\Cookies\keith_hollis@keygenguru[2].txt

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare
HKU\S-1-5-21-2355909145-1085806099-568186159-1006\Software\Microsoft\Windows\CurrentVersion\Run#PopRock [ C:\DOCUME~1\KEITHH~1\LOCALS~1\Temp\a.exe ]

Rogue.Component/Trace
HKLM\Software\Classes\MSQPDXVX
HKLM\Software\Classes\MSQPDXVX#msqpdxrun
HKLM\Software\Classes\MSQPDXVX#msqpdxpff
HKLM\Software\Classes\MSQPDXVX#msqpdxaff
HKLM\Software\Classes\MSQPDXVX#msqpdxinfo
HKLM\Software\Classes\MSQPDXVX#msqpdxid
HKLM\Software\Classes\MSQPDXVX#msqpdxsrv
HKLM\Software\Classes\MSQPDXVX#msqpdxpos

Rootkit.Agent/Gen
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#start
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#type
HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys#imagepath

Trojan.Agent/Gen
HKU\S-1-5-21-2355909145-1085806099-568186159-1006\Software\NordBull
HKU\S-1-5-21-2355909145-1085806099-568186159-1006\Software\PopRock

Trojan.VXGame-Variant/D
C:\DOCUMENTS AND SETTINGS\KEITH HOLLIS\DESKTOP\RUNTIME.GETDATABACK.FOR.FAT.AND.NTFS.V3.64\RUNTIME.GETDATABACK.FOR.FAT.AND.NTFS.V3.64\RUNTIME.GETDATABACK.FOR.FAT.V3.64\~\KEYGEN.EXE
C:\DOCUMENTS AND SETTINGS\KEITH HOLLIS\DESKTOP\RUNTIME.GETDATABACK.FOR.FAT.AND.NTFS.V3.64\RUNTIME.GETDATABACK.FOR.FAT.AND.NTFS.V3.64\RUNTIME.GETDATABACK.FOR.NTFS.V3.64\~\KEYGEN.EXE

Adware.CouponBar
C:\WINDOWS\SYSTEM32\CPNPRT2.CID

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:02:31 PM

Posted 31 October 2009 - 05:28 PM

Now please run rkill again and then try a quick scan with Malwarebytes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#8 oranjeboom

oranjeboom
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:31 PM

Posted 01 November 2009 - 05:18 AM

I tried that, but Malwarebytes will still not run. I tried renaming the mbam, but it will still not run.

#9 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:02:31 PM

Posted 01 November 2009 - 03:45 PM

Run the latest version of rkill:

http://download.bleepingcomputer.com/grinler/rkill.scr

Then try renaming the mbam.exe file to explorer.exe. See if it will run.

Edited by Budapest, 01 November 2009 - 03:46 PM.

#10 oranjeboom

oranjeboom
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:31 PM

Posted 01 November 2009 - 05:19 PM

Hi again, I've done what you've suggested. Malwarebytes opened, then I tried the quick scan, but it stopped after about 4 seconds.

#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • Gender:Male
  • Local time:02:31 PM

Posted 01 November 2009 - 09:19 PM

Try this scan:

http://live.sunbeltsoftware.com/

#12 oranjeboom

oranjeboom
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:31 PM

Posted 03 November 2009 - 05:49 AM

Try this scan:

http://live.sunbeltsoftware.com/


Hi again, first I must apologise for the delay in replying to your last post. I ran the above programme, which did a really deep scan of our PC that took about 3 hours. I don't know if it managed to clear the infections, but as it found some Rootkit infections, we are a bit concerned having read the info on these types of malware. Do you think we should cut our losses and re-format, and will doing this clear all the malware? I have posted the log from the Vipre programme, plus the log it saved as an XML file.
Kind Regards, Keith

C:\WINDOWS\Temp\GoogleToolbarInstaller1.log
C:\WINDOWS\Temp\ImageDebug
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\41MZ85AB\061-6720.English[1].dist
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C927W5IF
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C927W5IF\061-6273.English[1].dist
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C927W5IF\061-6728.English[1].dist
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C927W5IF\061-6804.English[1].dist
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C927W5IF\desktop.ini
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G1MNWT6Z\061-5849.English[1].dist
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\G1MNWT6Z\desktop.ini
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SX2NWHY3\061-6310.English[1].dist
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\SX2NWHY3\061-7194.English[1].dist
C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32\wiatwain.ds
C:\WINDOWS\twunk_16.exe
C:\WINDOWS\vb.ini
C:\WINDOWS\WEB\printers\ipp_0001.asp
C:\WINDOWS\WEB\printers\ipp_0007.asp
C:\WINDOWS\WEB\safemode.htt
C:\WINDOWS\WEB\Wallpaper\Radiance.jpg
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe
C:\WINDOWS\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcp90.dll
C:\WINDOWS\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcr90.dll
C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da.Manifest
C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474.manifest
C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_341af80a.cat
C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c.manifest
C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a.cat
C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7.cat
C:\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_x-ww_4e8510ac\1.0.2600.2180.Policy
C:\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat
C:\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_x-ww_a317e4b3
C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-ww_5f0bbcff\8.0.50727.762.policy
C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_x-ww_caeee150\8.0.50727.42.policy
C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-ww_b7353f75
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da\msxml4.dll
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\mfc42.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.0.0_x-ww_ff9986d7\msvcp60.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\mfc42u.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcm80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcp80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcr80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80CHS.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3415f6d0\mfc80ITA.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_341af80a\mfc80CHT.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_341af80a\mfc80FRA.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_341af80a\mfc80KOR.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_dec6ddd2\mfc80u.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\mfc80u.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\mfcm80.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcirt.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2.3_x-ww_468466a7
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\zllsputility.exe
Scanning registry...
HKEY_USERS\S-1-5-19_Classes\
HKEY_USERS\S-1-5-21-2355909145-1085806099-568186159-1006_Classes\
HKEY_LOCAL_MACHINE\Software\Classes\.aax\
HKEY_LOCAL_MACHINE\Software\Classes\.ppm\
HKEY_LOCAL_MACHINE\Software\Classes\Download.SwInstaller.1\
HKEY_LOCAL_MACHINE\Software\Classes\HPCUE.AiOModules\
HKEY_LOCAL_MACHINE\Software\Classes\JobObjSecLimitInfoProv.JobObjSecLimitInfoProv\
HKEY_LOCAL_MACHINE\Software\Classes\NODEMGR.ComCacheCleanup.1\
[THREAT] Item: HKEY_LOCAL_MACHINE\Software\Classes\videoshow\CLSID 1, ID: 147963, Name: Trojan.DNSChanger.Gen, Category: Trojan
[THREAT] Item: HKEY_LOCAL_MACHINE\Software\Classes\videoshow\CLSID -1, ID: 147963, Name: Trojan.DNSChanger.Gen, Category: Trojan
[THREAT] Item: HKEY_LOCAL_MACHINE\Software\Classes\videoshow -1, ID: 147963, Name: Trojan.DNSChanger.Gen, Category: Trojan
HKEY_LOCAL_MACHINE\Software\Classes\VisioViewer.Viewer\
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2AFA62E2-5548-11D1-A6E1-006097C4E476}\
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7D8AA343-6E63-4663-BE90-6B80F66540A3}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00000001-0000-0000-C000-000000000046}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00024444-0000-0000-C000-000000000046}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{01E23105-096D-11D3-8A72-00C04FB9898D}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{053BBEFB-B3BA-11D2-9358-0000F875AE17}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0963C000-7B19-42BD-80D2-E805087AAFC3}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{0C9FB851-E5C9-43EB-A370-F0677B13874C}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{104A1471-2363-11D3-80A6-00500487878E}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{14442572-2292-11D4-818D-0050DA5F0829}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{18F6EF4F-D782-4F29-8AD9-7973F8FC1D9B}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{1F1ABEE7-FEDB-45AF-A01B-0B4DE6887573}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{248EBEB9-C688-42B8-9CF9-D8ED02211DD8}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{2A75C1FD-06B0-3CBB-B467-2545D4D6C865}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3050F29C-98B5-11CF-BB82-00AA00BDCE0B}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{331FDD00-CF31-11CD-8701-00AA003F0F07}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{38E7B856-11D4-4B5C-8277-9495D119D532}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{3BDB28CF-DBD2-4D24-AF03-01072B67EB9E}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{427B1865-CA3F-479A-83A9-0F420F2A0073}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{496B0ABF-CDEE-11D3-88E8-00902754C43A}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{53230329-172B-11D0-AD40-00A0C90DC8D9}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{5C010951-33FE-11D5-94A1-0001025FAAEF}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{673425BF-C082-4C7C-BDFD-569464B8E0CE}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{72380D55-8D2B-43A3-8513-2B6EF31434E9}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{7B5F38A4-BDF6-419D-A81B-88AD895F3E43}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{86EB31D1-A46F-11D6-9500-00065B874123}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{8F402A89-F4DA-44FA-95D3-B0DD2B62413E}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{9637D3C9-D1C1-4871-AC69-9220E199CCE3}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A3C15451-5B92-11D1-8F4E-00C04FB6809F}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{B4BB0323-13BA-4E3F-937C-0C15FF475142}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C08956A1-1CD3-11D1-B1C5-00805FC1270E}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{C4C5EA30-EF7E-4B7D-9427-5A6220533ED5}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{D053A996-2652-41DA-95F4-225493F338F1}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{D7613DB1-D4DB-11D4-81A4-0050DA5F0829}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{DB27523C-5AD3-4A7C-9B46-3A488E796FC0}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{DD662187-DFC2-11D1-A2CF-00805FC79235}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E0498C93-4EFE-11D1-9971-00C04FBBB345}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E2ADA14A-9411-4903-B02C-FA08B1244D7C}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E3B0B797-A72E-46DB-A0D7-6C9EBA8E9BBC}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E6DDDDA5-A6D3-48FF-8737-D32FC4D95477}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E95D352A-4C9A-4B9C-A06A-1D8519A1D61D}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{E9E92380-9ECD-4982-A0EB-6815A56CCF27}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EB41E8C2-4442-11D1-8906-00A0C9110049}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{ED2879CF-CED9-4EE6-A534-DE0191D5468D}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EDCEE21A-3E3A-331E-A86D-274028BE6716}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{EEB5F207-2135-40D5-99D3-6611EA191502}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{F2474B3B-20D0-4BAB-9633-E7A548C9A57F}\
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{F617DFCB-0045-4024-837B-7ACAD8F4D67B}\
HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{0F6D3808-7974-4B1A-94C2-3200767EACE8}\
HKEY_LOCAL_MACHINE\Software\Classes\MIME\Database\Content Type\application/x-compressed\
[THREAT] Item: HKEY_USERS\S-1-5-21-2355909145-1085806099-568186159-1006\Software\XML -1, ID: 2719, Name: Explorer32.Hijacker, Category: Hijacker
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealJukebox 1.0\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0409-0000-0000000FF1CE}\
HKEY_USERS\S-1-5-21-2355909145-1085806099-568186159-1006\software\microsoft\internet explorer\main\Default Feeds\
HKEY_LOCAL_MACHINE\software\classes\mp3file\shell\open\command\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Apple Mobile Device\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avg8emc\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmuda\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\crypt32\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\ODiag\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\rtl8139\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InCDFs\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Parport\Enum\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PerfProc\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ql1240\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Accounting\Providers\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\symc8xx\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tablet\Parameters\Fkeys05\Action01\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viaagp\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLTRYSVC\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\viaagp\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WLTRYSVC\
Scan completed.
Scan time: 02:53:05
Rootkits: 5667 scanned, 33 found
Processes: 65 scanned, 0 found
Modules: 3241 scanned, 18 found
Folders: 15134 scanned, 0 found
Files: 162514 scanned, 13 found
Registry: 30374 scanned, 4 found
Total: 216995 scanned, 68 found
68 threat traces were detected.
Starting clean.
Quarantine {DEEBD85E-FCEB-4460-AF6A-8FAF06C98F0D} completed.
Quarantine {328CC1C8-5638-453E-8B29-0B3E22D9D56F} completed.
Quarantine {5143FE46-9B34-43E1-8850-CC229CBBEB50} completed.

C:\VIPRERESCUE>
Saved XMLFile

<SBCSThreatEngineResults version="3.1.2837">
<summary scanGUID="{890040B9-31BC-4A6A-AFB7-1E788DCC4B4E}" scanDescription="" threatDefinitionVersion="5482">
<scannerResults>
<numThreats found="9" ignored="0" />
<numTracesScanned cookies="0" registry="35065" files="162514" folders="15134" processes="65" archives="0" procModule="3241" procMemory="0" threads="0" sysModules="183" ssdt="284" ntdllExport="1316" ntosExport="1487" hookIAT="1155" scanSysEnter="1" hookDevice="937" hookCodeSectionRing0="14" hookCodeSectionRing3="44" MBR="2" total="221442" />
<numTracesFound cookies="0" registry="4" files="13" folders="0" processes="0" archives="0" procModule="18" procMemory="0" threads="0" sysModules="2" ssdt="0" ntdllExport="0" ntosExport="0" hookIAT="10" scanSysEnter="0" hookDevice="0" hookCodeSectionRing0="0" hookCodeSectionRing3="21" MBR="0" total="68" />
<dateTimeStampUTC start="2009-11-02T10:58:48" end="2009-11-02T13:51:54" />
<errors />
</scannerResults>
<cleanerResults>
<numThreats deleted="0" quarantined="0" ignored="0" reportonly="0" total="0" />
<dateTimeStampUTC start="" end="" />
<errors />
</cleanerResults>
</summary>
<scannerOptions scanAllLocalDrives="true" excludeRemovableDrives="true" scanCookies="false" scanProcesses="true" scanProcessThread="true" scanRegistry="true" scanProcessesDeep="true" suspendActiveThreats="true" scanAllUsers="true" useFileNameAndCRC8="true" dontCalcCRC8="false" scanCommonTactics="true" scanArchives="false" scanKnownFileTypes="false" recursiveFileScan="true" findLowRiskThreats="true" keepScanRecord="true" maxCheckFileLen="6291456" minCheckFileLen="0" scanVipreSuspicious="false" scanDerivatives="true" scanRootkits="true" scanProcessMemory="true" scanSystemModule="true" ssdt="true" ntdllExport="true" ntosExport="true" hookIAT="true" scanSysEnter="true" scanDevice="true" scanCodeSectionRing0="true" scanCodeSectionRing3="true" scanMBR="true">
<userIncludedPaths />
<userExcludedPaths />
<ignoredThreats />
</scannerOptions>
<cleanerOptions />
<threats>
<threat id="2719" name="Explorer32.Hijacker" level="3" category="Hijacker" type="Adware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>Hijackers are software programs that modify users' default browser home page, search settings, error page settings, or desktop wallpaper without adequate notice, disclosure, or user consent. When the default home page is hijacked, the browser opens to the web page set by the hijacker instead of the user's designated home page. In some cases, the hijacker may block users from restoring their desired home page. A search hijacker redirects search results to other pages and may transmit search and browsing data to unknown servers. An error page hijacker directs the browser to another page, usually an advertising page, instead of the usual error page when the requested URL is not found. A desktop hijacker replaces the desktop wallpaper with advertising for products and services on the desktop.</desc>
<threatAdviceDetails>This is an elevated risk and should be removed or quarantined as it may compromise your privacy and security, make unwanted changes to your computer's settings, and negatively impact your computer's performance and stability.</threatAdviceDetails>
<customData />
<traces>
<trace type="3" dispValue="HKEY_USERS\S-1-5-21-2355909145-1085806099-568186159-1006\Software\XML -1">
<attr n="hive" v="HKEY_USERS" />
<attr n="key" v="S-1-5-21-2355909145-1085806099-568186159-1006\Software\XML" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
</traces>
</threat>
<threat id="43521" name="Trojan.FakeAlert" level="2" category="Trojan" type="Malware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
<traces>
<trace type="4" dispValue="C:\Documents and Settings\Keith hollis\Desktop\My Documents\rkill.scr">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Keith hollis\Desktop\My Documents\rkill.scr" />
<attr n="fileSize" v="262656" />
<attr n="crc8" v="D09785252A650000" />
<attr n="md5" v="9CBE01CD524593442E2425D797EDDB05" />
<attr n="detectionType" v="9" />
</trace>
<trace type="4" dispValue="C:\Documents and Settings\Keith hollis\Desktop\rkill.com">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Keith hollis\Desktop\rkill.com" />
<attr n="fileSize" v="262656" />
<attr n="crc8" v="4585DC1737830000" />
<attr n="md5" v="86E666C83E92C4E0AF908EAAABD169D0" />
<attr n="detectionType" v="9" />
</trace>
<trace type="4" dispValue="C:\Documents and Settings\Keith hollis\Desktop\rkill.pif">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Keith hollis\Desktop\rkill.pif" />
<attr n="fileSize" v="262656" />
<attr n="crc8" v="4585DC1737830000" />
<attr n="md5" v="86E666C83E92C4E0AF908EAAABD169D0" />
<attr n="detectionType" v="9" />
</trace>
<trace type="4" dispValue="C:\RECYCLER\S-1-5-21-2355909145-1085806099-568186159-1006\Dc1.scr">
<attr n="hidden" v="true" />
<attr n="path" v="C:\RECYCLER\S-1-5-21-2355909145-1085806099-568186159-1006\Dc1.scr" />
<attr n="fileSize" v="262144" />
<attr n="crc8" v="D8D7C47C2BA40000" />
<attr n="md5" v="56098055F0837065E4D154CE65947694" />
<attr n="detectionType" v="9" />
</trace>
<trace type="4" dispValue="C:\RECYCLER\S-1-5-21-2355909145-1085806099-568186159-1006\Dc2.scr">
<attr n="hidden" v="true" />
<attr n="path" v="C:\RECYCLER\S-1-5-21-2355909145-1085806099-568186159-1006\Dc2.scr" />
<attr n="fileSize" v="262656" />
<attr n="crc8" v="682F88DE7A950000" />
<attr n="md5" v="A343AE99A8B7EACA8F126E260DEF88DA" />
<attr n="detectionType" v="9" />
</trace>
<trace type="4" dispValue="C:\RECYCLER\S-1-5-21-2355909145-1085806099-568186159-1006\Dc8.scr">
<attr n="hidden" v="true" />
<attr n="path" v="C:\RECYCLER\S-1-5-21-2355909145-1085806099-568186159-1006\Dc8.scr" />
<attr n="fileSize" v="262656" />
<attr n="crc8" v="4585DC1737830000" />
<attr n="md5" v="86E666C83E92C4E0AF908EAAABD169D0" />
<attr n="detectionType" v="9" />
</trace>
</traces>
</threat>
<threat id="147963" name="Trojan.DNSChanger.Gen" level="2" category="Trojan" type="Malware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\videoshow -1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\videoshow" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\videoshow\CLSID -1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\videoshow\CLSID" />
<attr n="valueType" v="-1" />
<attr n="valueName" v="" />
</trace>
- <trace type="3" dispValue="HKEY_LOCAL_MACHINE\Software\Classes\videoshow\CLSID 1">
<attr n="hive" v="HKEY_LOCAL_MACHINE" />
<attr n="key" v="Software\Classes\videoshow\CLSID" />
<attr n="valueType" v="1" />
<attr n="valueName" v="" />
</trace>
</traces>
</threat>
- <threat id="175052" name="Trojan-Dropper.Gen" level="2" category="Trojan Downloader" type="Malware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>A Trojan Downloader is a program typically installed through an exploit or some other deceptive means and that facilitates the download and installation of other malware and unwanted software onto a victim's PC. A Trojan Downloader may download adware, spyware or other malware from multiple servers or sources on the internet.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Documents and Settings\Keith hollis\My Documents\My Documents 2\SETUP FILES\install.exe">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Keith hollis\My Documents\My Documents 2\SETUP FILES\install.exe" />
<attr n="fileSize" v="1805514" />
<attr n="crc8" v="03D2F7662BEE0000" />
<attr n="md5" v="B3B6D87E6F90A7949B12C436852F5989" />
<attr n="detectionType" v="1" />
</trace>
</traces>
</threat>
- <threat id="238758" name="Trojan.Win32.Malware" level="2" category="Trojan" type="Malware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Documents and Settings\Keith hollis\My Documents\My Music\No 1's\FREE TOOLS & MUSIC\CD to MP3\freeripmp3.exe">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Keith hollis\My Documents\My Music\No 1's\FREE TOOLS & MUSIC\CD to MP3\freeripmp3.exe" />
<attr n="fileSize" v="1221877" />
<attr n="crc8" v="AFC66D52D7C50000" />
<attr n="md5" v="80B4FA2D71083D045495BA91E4BB3E49" />
<attr n="detectionType" v="1" />
</trace>
</traces>
</threat>
- <threat id="1672996" name="Monitor.Win32.AceSpy.GeN" level="2" category="Surveillance (General)" type="Surveillance Tool" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>A Surveillance Tool is a program that monitors and captures data from a computer including screenshots, keystrokes, web cam and microphone data, instant messaging, email, websites visited, programs run and files accessed and files shared on a P2P (peer to peer) network. Many Surveillance Tools can run in stealth mode, hidden from the user, and have the ability to store captured data for later retrieval by or transmission to another computer.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Documents and Settings\Keith hollis\My Documents\My Documents 2\SETUP FILES\CUCUSOFT AND TMPEG\avi-proFuAEV429.exe">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Keith hollis\My Documents\My Documents 2\SETUP FILES\CUCUSOFT AND TMPEG\avi-proFuAEV429.exe" />
<attr n="fileSize" v="3002438" />
<attr n="crc8" v="7BDF7FC5274B0000" />
<attr n="md5" v="51CCFFB879CADDACE9FEA539F7318E07" />
<attr n="detectionType" v="1" />
</trace>
</traces>
</threat>
- <threat id="4125076" name="Trojan.Win32.Packer.Upack0.3.9 (v)" level="2" category="Trojan" type="Malware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Program Files\WinRAR\SysTools\Plugins\Alcohol 1.x.dll">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Program Files\WinRAR\SysTools\Plugins\Alcohol 1.x.dll" />
<attr n="fileSize" v="7176" />
<attr n="crc8" v="4293EF4291050000" />
<attr n="md5" v="7510C2DF93137E63A454EAE68BF7E6B7" />
</trace>
- <trace type="4" dispValue="C:\Program Files\WinRAR\SysTools\Plugins\Empty Key.dll">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Program Files\WinRAR\SysTools\Plugins\Empty Key.dll" />
<attr n="fileSize" v="7184" />
<attr n="crc8" v="FE07F49285F70000" />
<attr n="md5" v="F23402F8865D18B7BC1B849CFF0D5D75" />
</trace>
</traces>
</threat>
- <threat id="4149778" name="Trojan-Spy.Win32.Banker.ovo" level="2" category="Trojan" type="Malware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="4" dispValue="C:\Documents and Settings\Keith hollis\My Documents\My Documents 2\BRETT\Crossword Construction Kit\CR-C4031.exe">
<attr n="hidden" v="true" />
<attr n="path" v="C:\Documents and Settings\Keith hollis\My Documents\My Documents 2\BRETT\Crossword Construction Kit\CR-C4031.exe" />
<attr n="fileSize" v="113152" />
<attr n="crc8" v="5C1570900C690000" />
<attr n="md5" v="CD60E21A223B61E8A9DB22C65763D400" />
<attr n="detectionType" v="9" />
</trace>
</traces>
</threat>
- <threat id="4294631" name="Trojan.Win32.Crot.i" level="2" category="Trojan" type="Malware" quarantineId="" adviseType="3" canQuarantine="true" author="" optionalScan="0" actionRequested="-1" cleanerResult="-1">
<authorURL />
<desc>Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.</desc>
<threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails>
<customData />
- <traces>
- <trace type="26" dispValue="2660,ntdll.dll!LdrGetProcedureAddress[21dcc640.x86.dll!0x35672A1E]">
<attr n="pid" v="2660" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="LdrGetProcedureAddress" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A1E" />
<attr n="crc8" v="5226F381CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="2660,ntdll.dll!NtWriteFile[21dcc640.x86.dll!0x35672A94]">
<attr n="pid" v="2660" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="NtWriteFile" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A94" />
<attr n="crc8" v="5226F381CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="2988,ntdll.dll!LdrGetProcedureAddress[21dcc640.x86.dll!0x35672A1E]">
<attr n="pid" v="2988" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="LdrGetProcedureAddress" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A1E" />
<attr n="crc8" v="E9933EE7CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="2988,ntdll.dll!NtWriteFile[21dcc640.x86.dll!0x35672A94]">
<attr n="pid" v="2988" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="NtWriteFile" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A94" />
<attr n="crc8" v="E9933EE7CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="2992,ntdll.dll!LdrGetProcedureAddress[21dcc640.x86.dll!0x35672A1E]">
<attr n="pid" v="2992" />
<attr n="procPath" v="c:\program files\Logitech\desktop messenger\8876480\Program\logitechdesktopmessenger.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="LdrGetProcedureAddress" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A1E" />
<attr n="crc8" v="A4EA7070CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="2992,ntdll.dll!NtWriteFile[21dcc640.x86.dll!0x35672A94]">
<attr n="pid" v="2992" />
<attr n="procPath" v="c:\program files\Logitech\desktop messenger\8876480\Program\logitechdesktopmessenger.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="NtWriteFile" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A94" />
<attr n="crc8" v="A4EA7070CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="3872,ntdll.dll!LdrGetProcedureAddress[21dcc640.x86.dll!0x35672A1E]">
<attr n="pid" v="3872" />
<attr n="procPath" v="c:\program files\iTunes\ituneshelper.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="LdrGetProcedureAddress" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A1E" />
<attr n="crc8" v="FF3F913CCF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="3872,ntdll.dll!NtWriteFile[21dcc640.x86.dll!0x35672A94]">
<attr n="pid" v="3872" />
<attr n="procPath" v="c:\program files\iTunes\ituneshelper.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="NtWriteFile" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A94" />
<attr n="crc8" v="FF3F913CCF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="992,ntdll.dll!LdrGetProcedureAddress[21dcc640.x86.dll!0x35672A1E]">
<attr n="pid" v="992" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="LdrGetProcedureAddress" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A1E" />
<attr n="crc8" v="B3CE9067CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="26" dispValue="992,ntdll.dll!NtWriteFile[21dcc640.x86.dll!0x35672A94]">
<attr n="pid" v="992" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="tgtModPath" v="C:\WINDOWS\system32\ntdll.dll" />
<attr n="tgtImgBase" v="7C800000" />
<attr n="tgtImgSize" v="F6000" />
<attr n="tgtFuncName" v="NtWriteFile" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672A94" />
<attr n="crc8" v="B3CE9067CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="22" dispValue="0,C:\WINDOWS\win32k.sys:1">
<attr n="pid" v="0" />
<attr n="modPath" v="C:\WINDOWS\win32k.sys:1" />
<attr n="base" v="F5166000" />
<attr n="size" v="5000" />
<attr n="entryPoint" v="FFFFFFFF" />
<attr n="crc8" v="8A1BC925DA870000" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="22" dispValue="0,C:\WINDOWS\win32k.sys:2">
<attr n="pid" v="0" />
<attr n="modPath" v="C:\WINDOWS\win32k.sys:2" />
<attr n="base" v="F5364000" />
<attr n="size" v="F000" />
<attr n="entryPoint" v="FFFFFFFF" />
<attr n="crc8" v="E78FE3BE41670000" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="1380,gdi32.dll!GetHFONT[21dcc640.x86.dll!0x35672DC2]">
<attr n="flags" v="9" />
<attr n="pid" v="1380" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetHFONT" />
<attr n="tgtFuncAddr" v="77F17EA7" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DC2" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E816AF75BDEBF9" />
<attr n="crc8" v="3780D619CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="1380,gdi32.dll!GetTextExtentPoint32W[21dcc640.x86.dll!0x35672DDE]">
<attr n="flags" v="9" />
<attr n="pid" v="1380" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetTextExtentPoint32W" />
<attr n="tgtFuncAddr" v="77F18081" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DDE" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E858AD75BDEBF9" />
<attr n="crc8" v="3780D619CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="1380,user32.dll!CallNextHookEx[21dcc640.x86.dll!0x35672D96]">
<attr n="flags" v="9" />
<attr n="pid" v="1380" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\user32.dll" />
<attr n="tgtImgBase" v="7E410000" />
<attr n="tgtImgSize" v="91000" />
<attr n="tgtFuncName" v="CallNextHookEx" />
<attr n="tgtFuncAddr" v="7E42B410" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672D96" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E8817924B7EBF9" />
<attr n="crc8" v="3780D619CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2660,gdi32.dll!GetHFONT[21dcc640.x86.dll!0x35672DC2]">
<attr n="flags" v="9" />
<attr n="pid" v="2660" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetHFONT" />
<attr n="tgtFuncAddr" v="77F17EA7" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DC2" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E816AF75BDEBF9" />
<attr n="crc8" v="5226F381CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2660,gdi32.dll!GetTextExtentPoint32W[21dcc640.x86.dll!0x35672DDE]">
<attr n="flags" v="9" />
<attr n="pid" v="2660" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetTextExtentPoint32W" />
<attr n="tgtFuncAddr" v="77F18081" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DDE" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E858AD75BDEBF9" />
<attr n="crc8" v="5226F381CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2660,user32.dll!CallNextHookEx[21dcc640.x86.dll!0x35672D96]">
<attr n="flags" v="9" />
<attr n="pid" v="2660" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\user32.dll" />
<attr n="tgtImgBase" v="7E410000" />
<attr n="tgtImgSize" v="91000" />
<attr n="tgtFuncName" v="CallNextHookEx" />
<attr n="tgtFuncAddr" v="7E42B410" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672D96" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E8817924B7EBF9" />
<attr n="crc8" v="5226F381CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2988,gdi32.dll!GetHFONT[21dcc640.x86.dll!0x35672DC2]">
<attr n="flags" v="9" />
<attr n="pid" v="2988" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetHFONT" />
<attr n="tgtFuncAddr" v="77F17EA7" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DC2" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E816AF75BDEBF9" />
<attr n="crc8" v="E9933EE7CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2988,gdi32.dll!GetTextExtentPoint32W[21dcc640.x86.dll!0x35672DDE]">
<attr n="flags" v="9" />
<attr n="pid" v="2988" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetTextExtentPoint32W" />
<attr n="tgtFuncAddr" v="77F18081" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DDE" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E858AD75BDEBF9" />
<attr n="crc8" v="E9933EE7CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2988,user32.dll!CallNextHookEx[21dcc640.x86.dll!0x35672D96]">
<attr n="flags" v="9" />
<attr n="pid" v="2988" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="patchCount" v="1" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\user32.dll" />
<attr n="tgtImgBase" v="7E410000" />
<attr n="tgtImgSize" v="91000" />
<attr n="tgtFuncName" v="CallNextHookEx" />
<attr n="tgtFuncAddr" v="7E42B410" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672D96" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E8817924B7EBF9" />
<attr n="crc8" v="E9933EE7CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2992,gdi32.dll!GetHFONT[21dcc640.x86.dll!0x35672DC2]">
<attr n="flags" v="9" />
<attr n="pid" v="2992" />
<attr n="procPath" v="c:\program files\Logitech\desktop messenger\8876480\Program\logitechdesktopmessenger.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetHFONT" />
<attr n="tgtFuncAddr" v="77F17EA7" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DC2" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E816AF75BDEBF9" />
<attr n="crc8" v="A4EA7070CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2992,gdi32.dll!GetTextExtentPoint32W[21dcc640.x86.dll!0x35672DDE]">
<attr n="flags" v="9" />
<attr n="pid" v="2992" />
<attr n="procPath" v="c:\program files\Logitech\desktop messenger\8876480\Program\logitechdesktopmessenger.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetTextExtentPoint32W" />
<attr n="tgtFuncAddr" v="77F18081" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DDE" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E858AD75BDEBF9" />
<attr n="crc8" v="A4EA7070CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="2992,user32.dll!CallNextHookEx[21dcc640.x86.dll!0x35672D96]">
<attr n="flags" v="9" />
<attr n="pid" v="2992" />
<attr n="procPath" v="c:\program files\Logitech\desktop messenger\8876480\Program\logitechdesktopmessenger.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\user32.dll" />
<attr n="tgtImgBase" v="7E410000" />
<attr n="tgtImgSize" v="91000" />
<attr n="tgtFuncName" v="CallNextHookEx" />
<attr n="tgtFuncAddr" v="7E42B410" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672D96" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E8817924B7EBF9" />
<attr n="crc8" v="A4EA7070CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="3652,gdi32.dll!GetHFONT[21dcc640.x86.dll!0x35672DC2]">
<attr n="flags" v="9" />
<attr n="pid" v="3652" />
<attr n="procPath" v="c:\program files\zone labs\zonealarm\zlclient.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetHFONT" />
<attr n="tgtFuncAddr" v="77F17EA7" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DC2" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E816AF75BDEBF9" />
<attr n="crc8" v="732D419ECF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="3652,gdi32.dll!GetTextExtentPoint32W[21dcc640.x86.dll!0x35672DDE]">
<attr n="flags" v="9" />
<attr n="pid" v="3652" />
<attr n="procPath" v="c:\program files\zone labs\zonealarm\zlclient.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetTextExtentPoint32W" />
<attr n="tgtFuncAddr" v="77F18081" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DDE" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E858AD75BDEBF9" />
<attr n="crc8" v="732D419ECF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="3652,user32.dll!CallNextHookEx[21dcc640.x86.dll!0x35672D96]">
<attr n="flags" v="9" />
<attr n="pid" v="3652" />
<attr n="procPath" v="c:\program files\zone labs\zonealarm\zlclient.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\user32.dll" />
<attr n="tgtImgBase" v="7E410000" />
<attr n="tgtImgSize" v="91000" />
<attr n="tgtFuncName" v="CallNextHookEx" />
<attr n="tgtFuncAddr" v="7E42B410" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672D96" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E8817924B7EBF9" />
<attr n="crc8" v="732D419ECF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="3872,gdi32.dll!GetHFONT[21dcc640.x86.dll!0x35672DC2]">
<attr n="flags" v="9" />
<attr n="pid" v="3872" />
<attr n="procPath" v="c:\program files\iTunes\ituneshelper.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetHFONT" />
<attr n="tgtFuncAddr" v="77F17EA7" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DC2" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E816AF75BDEBF9" />
<attr n="crc8" v="FF3F913CCF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
- <trace type="30" dispValue="3872,gdi32.dll!GetTextExtentPoint32W[21dcc640.x86.dll!0x35672DDE]">
<attr n="flags" v="9" />
<attr n="pid" v="3872" />
<attr n="procPath" v="c:\program files\iTunes\ituneshelper.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetTextExtentPoint32W" />
<attr n="tgtFuncAddr" v="77F18081" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DDE" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E858AD75BDEBF9" />
<attr n="crc8" v="FF3F913CCF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="30" dispValue="3872,user32.dll!CallNextHookEx[21dcc640.x86.dll!0x35672D96]">
<attr n="flags" v="9" />
<attr n="pid" v="3872" />
<attr n="procPath" v="c:\program files\iTunes\ituneshelper.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\user32.dll" />
<attr n="tgtImgBase" v="7E410000" />
<attr n="tgtImgSize" v="91000" />
<attr n="tgtFuncName" v="CallNextHookEx" />
<attr n="tgtFuncAddr" v="7E42B410" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672D96" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E8817924B7EBF9" />
<attr n="crc8" v="FF3F913CCF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="30" dispValue="992,gdi32.dll!GetHFONT[21dcc640.x86.dll!0x35672DC2]">
<attr n="flags" v="9" />
<attr n="pid" v="992" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetHFONT" />
<attr n="tgtFuncAddr" v="77F17EA7" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DC2" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E816AF75BDEBF9" />
<attr n="crc8" v="B3CE9067CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="30" dispValue="992,gdi32.dll!GetTextExtentPoint32W[21dcc640.x86.dll!0x35672DDE]">
<attr n="flags" v="9" />
<attr n="pid" v="992" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\gdi32.dll" />
<attr n="tgtImgBase" v="77F10000" />
<attr n="tgtImgSize" v="49000" />
<attr n="tgtFuncName" v="GetTextExtentPoint32W" />
<attr n="tgtFuncAddr" v="77F18081" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672DDE" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E858AD75BDEBF9" />
<attr n="crc8" v="B3CE9067CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="30" dispValue="992,user32.dll!CallNextHookEx[21dcc640.x86.dll!0x35672D96]">
<attr n="flags" v="9" />
<attr n="pid" v="992" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="sectionName" v=".text" />
<attr n="tgtModPath" v="c:\WINDOWS\SYSTEM32\user32.dll" />
<attr n="tgtImgBase" v="7E410000" />
<attr n="tgtImgSize" v="91000" />
<attr n="tgtFuncName" v="CallNextHookEx" />
<attr n="tgtFuncAddr" v="7E42B410" />
<attr n="rktModPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="rktImgBase" v="35670000" />
<attr n="rktImgSize" v="D000" />
<attr n="rktFuncName" v="" />
<attr n="rktFuncAddr" v="35672D96" />
<attr n="codeLen" v="7" />
<attr n="tgtCode" v="90909090908BFF" />
<attr n="rktCode" v="E8817924B7EBF9" />
<attr n="crc8" v="B3CE9067CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="1012,c:\program files\common files\Apple\mobile device support\bin\applemobiledeviceservice.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="1012" />
<attr n="procPath" v="c:\program files\common files\Apple\mobile device support\bin\applemobiledeviceservice.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="1068,c:\program files\Bonjour\mdnsresponder.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="1068" />
<attr n="procPath" v="c:\program files\Bonjour\mdnsresponder.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="1232,c:\WINDOWS\SYSTEM32\svchost.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="1232" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="1340,c:\WINDOWS\SYSTEM32\svchost.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="1340" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="1380,c:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="1380" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="3780D619CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="1444,c:\program files\Java\jre6\bin\jqs.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="1444" />
<attr n="procPath" v="c:\program files\Java\jre6\bin\jqs.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="1872,c:\program files\DNA\btdna.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="1872" />
<attr n="procPath" v="c:\program files\DNA\btdna.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="196,c:\Program Files\AVG\AVG8\avgnsx.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="196" />
<attr n="procPath" v="c:\Program Files\AVG\AVG8\avgnsx.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="2284,c:\WINDOWS\SYSTEM32\alg.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="2284" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\alg.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="2660,c:\program files\internet explorer\iexplore.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="2660" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="5226F381CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="2988,c:\program files\internet explorer\iexplore.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="2988" />
<attr n="procPath" v="c:\program files\internet explorer\iexplore.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="E9933EE7CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="2992,c:\program files\Logitech\desktop messenger\8876480\Program\logitechdesktopmessenger.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="2992" />
<attr n="procPath" v="c:\program files\Logitech\desktop messenger\8876480\Program\logitechdesktopmessenger.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="A4EA7070CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="3652,c:\program files\zone labs\zonealarm\zlclient.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="3652" />
<attr n="procPath" v="c:\program files\zone labs\zonealarm\zlclient.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="732D419ECF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="3796,c:\viprerescue\viprerescuescanner.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="3796" />
<attr n="procPath" v="c:\viprerescue\viprerescuescanner.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="3872,c:\program files\iTunes\ituneshelper.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="3872" />
<attr n="procPath" v="c:\program files\iTunes\ituneshelper.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="FF3F913CCF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="444,c:\WINDOWS\SYSTEM32\spoolsv.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="444" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\spoolsv.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="952,c:\WINDOWS\SYSTEM32\svchost.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="952" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="8D456109CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="19" dispValue="992,c:\WINDOWS\SYSTEM32\svchost.exe,\\?\globalroot\device\__max++>\21dcc640.x86.dll">
<attr n="pid" v="992" />
<attr n="procPath" v="c:\WINDOWS\SYSTEM32\svchost.exe" />
<attr n="modPath" v="\\?\globalroot\device\__max++>\21dcc640.x86.dll" />
<attr n="base" v="35670000" />
<attr n="size" v="D000" />
<attr n="entryPoint" v="35673355" />
<attr n="crc8" v="B3CE9067CF3A0000" />
<attr n="md5" v="1F0F2A8A5B864498ECD895D12CC06823" />
<attr n="detectionType" v="9" />
</trace>
<trace type="4" dispValue="C:\WINDOWS\SYSTEM32\eventlog.dll">
<attr n="hidden" v="true" />
<attr n="path" v="C:\WINDOWS\SYSTEM32\eventlog.dll" />
<attr n="fileSize" v="61952" />
<attr n="crc8" v="DE310B99FFE70000" />
<attr n="detectionType" v="9" />
</trace>
</traces>
</threat>
</threats>
</SBCSThreatEngineResults>

#13 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 03 November 2009 - 04:13 PM

Personally I think a reformat is a good idea. It will get rid of all the viruses, rootkits etc.

http://michaelstevenstech.com/cleanxpinstall.html

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw