Rogue.Installer found with Malwarebytes...


  • This topic is locked
2 replies to this topic

#1 wingmaker

  • Members
  • 67 posts

Posted 20 February 2010 - 12:29 PM

Dear All,

I've been working on resolving this issue since Thursday evening with my first post to these forums; however, no one has responded to my requests for help (other than moving my initial post from one forum to this one). I'm wondering what, if anything, I'm doing wrong and what I need to do to get some help. I humbly apologize if I did not follow protocol of some kind; I am new to these forums and mean no disrespect...

While waiting, I have gone ahead and done my own thing, having discovered that I was infected with the Rogue.Installer virus or whatever. I've removed it successfully; however, my OS, Windows XP, is running painfully slow. Now I'm wondering if my laptop had been hijacked. Can someone please evaluate the results of my scans and steer me in the right direction? Please...

My desktop wouldn't load properly, as described in my previous posts. I could only run on safe mode with networking...

I ran a Quick Scan with Malwarebytes and found 2 infections with Rogue.Installer:
1- category file in C:\Program Files\setup.exe
2- category Registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Micro...

I removed the infected files successfully, here is the log:
========================
Malwarebytes' Anti-Malware 1.44
Database version: 3765
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

20/02/2010 12:05:07 AM
mbam-log-2010-02-20 (00-05-07).txt

Scan type: Quick Scan
Objects scanned: 124285
Time elapsed: 11 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

====================================
Next... I used ATF Cleaner and selected ALL to remove files.


***I couldn't run SUPERAntiSpyware.exe as it won't install in safe mode, and I never had it before, not to mention that I am new to this site and this process, first time ever! So I rebooted and Windows XP was able to launch completely, desktop with icons and toolbar restored; however, everything is running painfully slow.

Then I was able to move on to SAS for a deeper cleaning, running it in safe mode, and NO infections were found! See log below:
==================================================
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/20/2010 at 05:06 AM

Application Version : 4.34.1000

Core Rules Database Version : 4603
Trace Rules Database Version: 2415

Scan type : Complete Scan
Total Scan Time : 03:00:33

Memory items scanned : 353
Memory threats detected : 0
Registry items scanned : 4751
Registry threats detected : 0
File items scanned : 212224
File threats detected : 0
========================================

So then I ran GMER (from safe mode as I was already there), see the log below:
==========================================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-20 10:52:43
Windows 5.1.2600 Service Pack 2
Running: xf5y4xk5.exe; Driver: C:\DOCUME~1\Mama\LOCALS~1\Temp\awdoiuog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF6C3EC80]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF741A514]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF6C56900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF6C56B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF6C5AB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF6C3F210]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF741AD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF741AFB8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF6C56280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF6C59F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF6C59F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF6C3F070]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF74193FA]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF6C58180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF6C57F40]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF741B422]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF6C5A150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF6C5A540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF6C42190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF6C3F440]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF741A7D8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF6C57200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF6C57080]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00EF0001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[412] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[432] kernel32.dll!CreateThread + 1A 7C810849 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[648] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\csrss.exe[648] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\csrss.exe[648] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\csrss.exe[648] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 039A0001
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[672] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\winlogon.exe[672] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01240001
.text C:\WINDOWS\system32\winlogon.exe[672] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\winlogon.exe[672] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[716] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\services.exe[716] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A20001
.text C:\WINDOWS\system32\services.exe[716] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\services.exe[716] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[728] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\lsass.exe[728] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B90001
.text C:\WINDOWS\system32\lsass.exe[728] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\lsass.exe[728] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[884] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B80001
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[884] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C90001
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C60001
.text C:\WINDOWS\system32\svchost.exe[1144] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1144] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1200] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00740001
.text C:\WINDOWS\system32\svchost.exe[1200] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1200] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01BA0001
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1300] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtClose 7C90D586 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtClose + 4 7C90D58A 2 Bytes [2C, 5F] {SUB AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile 7C90D682 1 Byte [FF]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile 7C90D682 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile + 4 7C90D686 2 Bytes [17, 5F] {POP SS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateKey 7C90D6D6 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateKey + 4 7C90D6DA 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateSection 7C90D793 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateSection + 4 7C90D797 2 Bytes [23, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteKey 7C90D8A4 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteKey + 4 7C90D8A8 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteValueKey 7C90D8CE 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtDeleteValueKey + 4 7C90D8D2 2 Bytes [11, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtRenameKey 7C90E339 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtRenameKey + 4 7C90E33D 2 Bytes [14, 5F] {ADC AL, 0x5f}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetInformationFile 7C90E5D9 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetInformationFile + 4 7C90E5DD 2 Bytes [20, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetValueKey 7C90E7BC 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtSetValueKey + 4 7C90E7C0 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [26, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFile 7C90E9F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFile + 4 7C90E9F7 2 Bytes [1A, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFileGather 7C90EA08 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteFileGather + 4 7C90EA0C 2 Bytes [1D, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteVirtualMemory 7C90EA32 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtWriteVirtualMemory + 4 7C90EA36 2 Bytes [29, 5F]
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00AC0001
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F320F5A
.text C:\WINDOWS\system32\svchost.exe[1308] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F2E0F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1588] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F90001
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1588] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[1588] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes JMP 5F040F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F6C46B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F6C46930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F6C47260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F6C44E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F6C44E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F6C46B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F6C46930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F6C47260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F6C46B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F6C47260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F6C46930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F6C44E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6C47260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F6C46B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6C46930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F6C5FB30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F6C46B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F6C44E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6C47260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6C46930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F6C3F980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F6C3F8D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F6C3FA80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F6C3F5E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
=======================================

Finally, I ran a DDS scan; see the log below:

============================
DDS (Ver_09-12-01.01) - NTFSx86
Run by Mama at 11:59:52.35 on 20/02/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.1014.280 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Genie-Soft\GBALite8LaCie\GBMAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Mama\Application Data\mjusbsp\magicJack.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Mama\Desktop\dds.scr
C:\WINDOWS\SoftwareDistribution\Download\e1b768948601bcabeb1406e8eeccf365\update\update.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1234047036&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Fn%3D1765344720&id=64855
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q105&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ZoneAlarm Spy Blocker BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [GBMLite8AgentLaCie] c:\program files\genie-soft\gbalite8lacie\GBMAgent.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [cdloader] "c:\documents and settings\mama\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [GBMLite8AgentLaCie] c:\program files\genie-soft\gbalite8lacie\GBMAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
StartupFolder: c:\docume~1\mama\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266633782437
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262460825281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mama\applic~1\mozilla\firefox\profiles\198jj1eu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1241632830&rver=5.5.4177.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=2057&id=64855&mkt=en-GB
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-20 16:53:06 0 d-----w- c:\program files\MSXML 6.0
2010-02-20 06:42:30 450560 ----a-w- c:\windows\system32\SET32.tmp
2010-02-20 06:37:59 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-20 06:14:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-20 06:13:35 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-20 06:13:35 0 d-----w- c:\docume~1\mama\applic~1\SUPERAntiSpyware.com
2010-02-20 05:51:57 0 d-----w- c:\windows\system32\CatRoot_bak
2010-02-20 05:46:02 0 d-----w- c:\docume~1\alluse~1\applic~1\DriverScanner
2010-02-20 05:46:01 0 d-----w- c:\program files\Uniblue
2010-02-20 05:46:01 0 d-----w- c:\docume~1\mama\applic~1\Uniblue
2010-02-20 05:42:33 1172480 ------w- c:\windows\system32\SET53.tmp
2010-02-20 05:41:36 332800 ----a-w- c:\windows\system32\SET28.tmp
2010-02-20 04:36:07 0 d-----w- c:\docume~1\mama\applic~1\Malwarebytes
2010-02-20 04:36:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-20 04:36:01 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-20 04:36:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-20 04:36:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-20 04:18:07 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2010-02-20 04:12:21 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-19 21:57:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-02-19 19:09:33 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-19 16:35:11 163840 ----a-r- c:\windows\system32\igfxres.dll
2010-02-18 18:17:56 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2010-02-18 18:16:45 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-02-18 18:15:59 452096 -c--a-w- c:\windows\system32\dllcache\fxsapi.dll
2010-02-18 18:14:47 16384 -c--a-w- c:\windows\system32\dllcache\tcptsat.dll
2010-02-18 18:12:30 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-02-18 18:12:20 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-02-18 18:12:20 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-02-18 18:12:20 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-02-18 18:12:20 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-02-18 17:59:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2010-02-18 17:59:00 21504 -c--a-w- c:\windows\system32\dllcache\cintlgnt.ime
2010-02-18 17:59:00 21504 ----a-w- c:\windows\system32\CINTLGNT.IME
2010-02-18 17:59:00 198656 -c--a-w- c:\windows\system32\dllcache\cintime.dll
2010-02-18 17:57:52 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-02-18 13:38:17 13753 ----a-r- c:\windows\SET66.tmp
2010-02-18 13:38:12 1086058 ----a-r- c:\windows\SET57.tmp
2010-02-18 13:38:09 1042903 ----a-r- c:\windows\SET54.tmp
2010-02-12 16:54:15 13753 ----a-r- c:\windows\SET5F.tmp
2010-02-12 16:54:10 1086058 ----a-r- c:\windows\SET53.tmp
2010-02-12 16:54:08 1042903 ----a-r- c:\windows\SET50.tmp
2010-02-11 15:03:02 13753 ----a-r- c:\windows\SET5E.tmp
2010-02-11 15:02:56 1086058 ----a-r- c:\windows\SET52.tmp
2010-02-11 15:02:54 1042903 ----a-r- c:\windows\SET4F.tmp
2010-02-11 14:05:05 13753 ----a-r- c:\windows\SET5D.tmp
2010-02-11 14:05:00 1086058 ----a-r- c:\windows\SET51.tmp
2010-02-11 14:04:57 1042903 ----a-r- c:\windows\SET4E.tmp
2010-02-10 23:58:45 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2010-02-10 23:57:54 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2010-02-10 23:57:53 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2010-02-10 23:57:53 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2010-02-10 23:57:53 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2010-02-10 23:08:07 13753 ----a-r- c:\windows\SETCF.tmp
2010-02-10 23:08:02 1086058 ----a-r- c:\windows\SETC3.tmp
2010-02-10 23:07:59 1042903 ----a-r- c:\windows\SETC0.tmp
2010-01-21 19:55:41 32494896 ----a-w- c:\program files\QuickTimeInstaller.exe
2010-01-21 19:44:52 0 d-----w- c:\windows\system32\Adobe
2010-01-21 19:42:09 1956528 ----a-w- c:\program files\install_flash_player_ax.exe
2010-01-21 19:30:27 0 d-----w- C:\Sun
2010-01-21 19:22:26 0 d-----w- c:\program files\VideoLAN
2010-01-21 19:21:09 18030130 ----a-w- c:\program files\vlc-1.0.3-win32.exe

==================== Find3M ====================

2010-02-18 18:20:12 907122976 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-02-18 18:20:12 10808996 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-18 18:11:16 23332 ----a-w- c:\windows\system32\emptyregdb.dat
2010-01-21 16:02:08 919840 ----a-w- c:\program files\JavaSetup6u18-rv.exe
2009-12-04 03:50:58 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-16 17:40:15 1082328 ----a-w- c:\program files\SpazAIR.air
2009-05-04 23:22:50 1878888 ----a-w- c:\program files\install_flash_player.exe
2009-04-24 12:42:46 133492859 ----a-w- c:\program files\openofficeorg1.cab
2009-04-24 12:42:20 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-04-23 22:36:08 336 ----a-w- c:\program files\setup.ini
2009-03-18 23:43:55 359672 ----a-w- c:\program files\PartyPokerSetup.exe
2007-12-25 18:54:07 41724304 ----a-w- c:\program files\zlsSetup_70_462_000_en.exe
2007-12-25 18:47:58 55725064 ----a-w- c:\program files\setpoint424(2).exe
2007-11-17 19:30:40 16892616 ----a-w- c:\program files\setupeng.exe
2007-11-16 20:26:01 759 ----a-w- c:\program files\Network Stumbler.lnk
2006-11-18 03:24:06 66046 ----a-w- c:\program files\Dupe_Free_0_NO_VISTA.ico
2002-03-11 09:06:30 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45:04 1708856 ----a-w- c:\program files\instmsia.exe

============= FINISH: 12:03:39.21 ===============


Attach file log below:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 18/02/2010 1:19:02 PM
System Uptime: 20/02/2010 11:26:15 AM (1 hours ago)

Motherboard: Hewlett-Packard | | 09BC
Processor: Intel® Pentium® M processor 1.73GHz | U1 | 1729/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 68 GiB total, 39.375 GiB free.
D: is FIXED (NTFS) - 25 GiB total, 24.715 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 418.043 GiB free.
G: is CDROM (CDFS)
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 18/02/2010 3:34:41 PM - System Checkpoint
RP2: 20/02/2010 12:45:46 AM - Installed Uniblue DriverScanner v1.0
RP3: 20/02/2010 1:13:29 AM - Installed SUPERAntiSpyware Free Edition
RP4: 20/02/2010 11:02:37 AM - Software Distribution Service 3.0
RP5: 20/02/2010 11:31:00 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe ConnectNow Add-in
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Adobe Shockwave Player 11.5
Agere Systems AC'97 Modem
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Article Page Machine 1.0
µTorrent
AVG Free 9.0
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Bonjour
Broadcom 802.11 Driver
CDDRV_Installer
CoffeeCup Free FTP
Content Magnet Article Extractor 1.0
DupeFree Pro
FB Adder 1.7
FileZilla Client 3.2.7
Free Article Rewriter Software v2.0
Free Duplicate Checker v2.0
Genie Backup Assistant
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
HP Help and Support
HP Wireless Assistant
HyperVRE 1.9.1
Intel® Graphics Media Accelerator Driver for Mobile
InterVideo DVD Check
InterVideo WinDVD
iPhone Configuration Utility
iTunes
J2SE Runtime Environment 5.0
Java™ 6 Update 13
Java™ 6 Update 15
KhalInstallWrapper
Logitech SetPoint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.17)
MSN
MSXML 6 Service Pack 2 (KB973686)
Network Stumbler 0.4.0 (remove only)
Nvu 1.0PR
OpenOffice.org 3.1
PA095 / PA075 USB2.0 DOCK
Package: Tony de Bree´s Tip Article Creator 1.0
Quick Launch Buttons 5.00 D5
QuickTime
REALTEK Gigabit and Fast Ethernet NIC Driver
Safari
Sales Letter Creator 1.4
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB975025)
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spaz
Spelling Dictionaries Support For Adobe Reader 9
Spyware Doctor 6.0
SUPERAntiSpyware Free Edition
Testimonials Generator
Texas Instruments PCIxx21/x515 drivers.
The Ultimate PLR Article Collection
TIxx21/x515
TomTom HOME 2.7.3.1894
TomTom HOME Visual Studio Merge Modules
TweepSoftware
TweetDeck
twhirl
Uniblue DriverScanner 2009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955759)
Update for Windows XP (KB973687)
VC 9.0 Runtime
VLC media player 1.0.3
Web Tools Now Blog Finder
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

20/02/2010 8:31:11 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0012F05DEB8A. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
20/02/2010 2:02:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 eabfiltr Fips intelppm KLIF SASDIFSV SASKUTIL
20/02/2010 12:25:48 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
20/02/2010 11:55:11 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Windows XP (KB971468).
20/02/2010 11:43:35 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Windows XP (KB978251).
20/02/2010 11:41:46 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Windows XP (KB975560).
20/02/2010 11:38:21 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Windows XP (KB978706).
20/02/2010 10:54:10 AM, error: Dhcp [1002] - The IP address lease 192.168.1.138 for the Network Card with network address 0012F05DEB8A has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
20/02/2010 1:49:08 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
20/02/2010 1:49:08 AM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
20/02/2010 1:48:29 AM, error: Service Control Manager [7034] - The TrueVector Internet Monitor service terminated unexpectedly. It has done this 1 time(s).
19/02/2010 9:42:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
19/02/2010 8:57:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 eabfiltr Fips intelppm KLIF
19/02/2010 5:05:15 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
19/02/2010 5:05:15 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastUI.exe. Reference error message: The operation completed successfully. .
19/02/2010 5:05:15 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
19/02/2010 5:01:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi AvgLdx86 AvgMfx86 eabfiltr Fips intelppm KLIF
19/02/2010 4:58:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
19/02/2010 11:23:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP AvgLdx86 AvgMfx86 eabfiltr Fips intelppm KLIF
19/02/2010 11:22:52 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service COMSysApp with arguments "" in order to run the server: {182C40F0-32E4-11D0-818B-00A0C9231C29}
18/02/2010 3:58:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
18/02/2010 3:30:29 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
18/02/2010 10:42:58 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
18/02/2010 10:41:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
18/02/2010 10:36:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi AvgLdx86 AvgMfx86 AvgTdiX eabfiltr Fips intelppm IPSec KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
18/02/2010 10:36:54 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
18/02/2010 10:36:54 AM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
18/02/2010 1:22:01 PM, error: Dhcp [1002] - The IP address lease 192.168.2.13 for the Network Card with network address 0012F05DEB8A has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
18/02/2010 1:19:59 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
18/02/2010 1:13:26 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

==== End Of File ===========================

And so I have managed to resolve my initial problem of infection. Can someone interpret these results to let me know why my PC is running so slowly? Is it possible my laptop had been hijacked as well, or do I now need to post to the Windows XP forum for fine-tuning?

Thanks. I hope someone responds to my post, as I have been working on this completely on my own since Friday...

WingMaker

Edited by wingmaker, 20 February 2010 - 12:31 PM.
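Reading the "Event Viewer Messages From Past Week" section of a DDS attach.txt by hand is tedious, so here is a small Python script that parses those lines and summarises them. It is an added example, not part of this thread and not part of the DDS tool. It counts events per source and event ID, lists which security-product kernel drivers failed to load at boot (several vendors' drivers show up together in the 7026 events above), flags failures of core network-stack drivers, and collects the Windows Update installs that failed together with their error code. The sample lines are copied from the log posted above; the driver-to-product mapping is the example's own assumption, except for vsdatant, which the log's own 7001 event ties to the TrueVector (ZoneAlarm) service.

```python
"""Triage the Event Viewer section of a DDS attach.txt log.

Added example, not part of the forum thread or of DDS itself. The
SECURITY_DRIVERS map below is an assumption about which products ship
which kernel drivers; adjust it for the products on the machine at hand.
"""
import re
from collections import Counter, defaultdict

# A few event lines copied from the attach.txt posted in the thread.
SAMPLE_LOG = """\
20/02/2010 2:02:57 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 eabfiltr Fips intelppm KLIF SASDIFSV SASKUTIL
20/02/2010 11:55:11 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Windows XP (KB971468).
20/02/2010 11:43:35 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80246007: Security Update for Windows XP (KB978251).
19/02/2010 5:01:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi AvgLdx86 AvgMfx86 eabfiltr Fips intelppm KLIF
18/02/2010 10:36:54 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi AvgLdx86 AvgMfx86 AvgTdiX eabfiltr Fips intelppm IPSec KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
18/02/2010 10:36:54 AM, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
"""

# Assumed mapping: lower-cased driver name -> security product that ships it.
SECURITY_DRIVERS = {
    "avgldx86": "AVG", "avgmfx86": "AVG", "avgtdix": "AVG",
    "aavmker4": "avast", "aswsp": "avast", "aswtdi": "avast",
    "klif": "Kaspersky",
    "sasdifsv": "SUPERAntiSpyware", "saskutil": "SUPERAntiSpyware",
    "vsdatant": "ZoneAlarm (TrueVector)",
}

# Core Windows network-stack drivers; if these fail to load, the machine
# has no working networking at all.
NETWORK_STACK = {"afd", "tcpip", "netbt", "ipsec", "netbios", "rasacd"}

# "<date> <time> AM, <level>: <source> [<id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)
DRIVER_RE = re.compile(r"failed to load: (?P<drivers>.+)$")
WU_RE = re.compile(r"error (?P<code>0x[0-9A-Fa-f]+): (?P<update>.+?)\.?$")


def parse_events(text):
    """Return one dict per well-formed event line; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(text):
    """Summarise the parsed events into the facts a helper looks for first."""
    events = parse_events(text)
    summary = {
        "by_source": Counter(f"{e['source']} [{e['event_id']}]" for e in events),
        "security_driver_failures": defaultdict(set),  # product -> driver names
        "network_stack_failures": set(),
        "update_failures": {},                          # update -> error code
    }
    for e in events:
        if e["source"] == "Service Control Manager" and e["event_id"] == "7026":
            m = DRIVER_RE.search(e["message"])
            for drv in (m.group("drivers").split() if m else []):
                key = drv.lower()
                if key in SECURITY_DRIVERS:
                    summary["security_driver_failures"][SECURITY_DRIVERS[key]].add(drv)
                if key in NETWORK_STACK:
                    summary["network_stack_failures"].add(drv)
        elif e["source"] == "Windows Update Agent" and e["event_id"] == "20":
            m = WU_RE.search(e["message"])
            if m:
                summary["update_failures"][m.group("update")] = m.group("code")
    return summary


def report(summary):
    """Render the summary as plain text lines (returned, not printed)."""
    lines = ["Events per source:"]
    for src, n in sorted(summary["by_source"].items()):
        lines.append(f"  {src}: {n}")
    lines.append("Security-product drivers that failed to load:")
    for product, drivers in sorted(summary["security_driver_failures"].items()):
        lines.append(f"  {product}: {', '.join(sorted(drivers))}")
    if summary["network_stack_failures"]:
        lines.append("Core network-stack drivers that failed to load: "
                     + ", ".join(sorted(summary["network_stack_failures"])))
    lines.append("Windows Update installs that failed:")
    for update, code in sorted(summary["update_failures"].items()):
        lines.append(f"  {update}: {code}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it as a script to print the report, or paste the whole Event Viewer section of a log into triage() from another script. The functions return data instead of printing so the result can be checked programmatically; the report makes it obvious at a glance that drivers from four different security products plus a firewall were all trying to load on the same machine, which is exactly the situation the reply below asks to be reduced to a single product.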




#2 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 21 February 2010 - 02:33 PM

Hi wingmaker,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on, as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files, as the name suggests. In today's world, cybercrime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or processing power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False alarms: when the anti-virus software tells you that your PC has a virus when it actually doesn't.
    2) System performance problems: your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to Add/Remove Programs in the Control Panel, keep either AVG or Spyware Doctor or ZoneAlarm, and uninstall the other two.

  2. Please run DDS and post the fresh DDS.txt in your reply.


#3 Farbar
  • Security Developer
  • Location: The Netherlands

Posted 26 February 2010 - 08:01 AM

This thread will now be closed due to lack of activity.

If you should have a new issue, please start a new topic.
