Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

may have variation of vundo trojan


  • This topic is locked This topic is locked
3 replies to this topic

#1 Bill9855

Bill9855

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 25 April 2010 - 10:20 PM

I'm not sure who was using my computer, so I don't know how it all started. However, the first problem I had was when my watch dog kept popping up asking to allow a jpeg viewer to be allowed on start up. I clicked no but it kept comming back. The next problem was that another program kept asking if the page I was on could download an "active X" file, even though I didn't have any windows open. Lastly, I keep getting notices that I am being hacked by a HTTPS Tideserve request and anoter IP address.

I updated and installed Spyware Dr and then ran, spybot search and destroy, Spyware dr, Norton AV(even thought the definitions are out of date), CCcleaner, RegCure, and lastly System security suite 1.04. After a restart the virus was still there, and my screen was blank except that I could use CTRL ALT DELETE to get task manager up and open programs that way.

Next I downloaded and used Trojan Hunter and repeated the steps as before only adding the anti trojan progran. Now I can get a normal startup but the problem is still there. next I found the program in the windows 32 file. (vtuurr.dll,Dll Regester Server) I changed the name because I could not delete it (open file) and tried to restart in safe mode so that it wouldn't start. No can do. I cannot safe start, and the file duplicated itself. I cannot delete lines in the registry either they only get reinstalled. I also hace a Hijack this log if you want it, and will have toget mu system 32 file fixed

I probably made things worse but I hate being beaten by these S.O.B.s Can anyone help? I have attached the requested information as well as screen shots of some of the other things that I have found. Any help would be appreciated.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 20:28:19.76 on Sun 04/25/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.313 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Page = hxxp://srch-qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
uWindow Title =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [tuvwvwsys] rundll32.exe "vtuurr.dll",DllRegisterServer
dRun: [awwurrsys] rundll32.exe "vtuurr.dll",DllRegisterServer
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~2\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 vtuurr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2007-2-24 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2007-2-24 51072]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-3 3744]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235168]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-6-3 3904]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~4\norton~2\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-6-3 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-10 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NAVENG.Sys [2008-12-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NavEx15.Sys [2008-12-20 876112]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]
S2 mrtRate;mrtRate; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79520]
S3 idrmkl;idrmkl;\??\c:\docume~1\owner\locals~1\temp\idrmkl.sys --> c:\docume~1\owner\locals~1\temp\idrmkl.sys [?]
S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2010-04-26 00:16:42 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-26 00:04:04 0 d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37:28 0 d-----w- c:\docume~1\alluse~1\applic~1\TrojanHunter
2010-04-21 04:10:37 0 d-----w- c:\docume~1\owner\applic~1\TrojanHunter
2010-04-21 03:03:35 0 d-----w- c:\program files\TrojanHunter 5.3
2010-04-15 04:41:33 324608 ----a-w- c:\windows\ctfmon.exe
2010-04-15 03:42:14 90112 ---ha-w- c:\windows\system32\vtuurr.dll
2010-04-15 03:42:14 90112 ----a-w- c:\windows\system32\bill1
2010-04-15 03:42:13 367616 ----a-w- c:\windows\opeEF.exe
2010-04-15 03:42:13 0 ----a-w- c:\windows\opeEF.tmp
2010-04-15 03:42:12 0 ----a-w- c:\windows\opeEC.tmp

==================== Find3M ====================

2010-04-15 05:45:15 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-11-21 23:51:54 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 20:30:28.42 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 22:09:36
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwldqpod.sys


---- System - GMER 1.0.15 ----

SSDT 834010E0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xED8DA6C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xED8DA910]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\disk.sys entry point in ".rsrc" section [0xF74BF514]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6C1C340, 0xFFF7F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x238C20, 0xF8000020]
? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[256] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[256] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\nvsvc32.exe[600] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\nvsvc32.exe[600] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\nvsvc32.exe[600] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\nvsvc32.exe[600] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\nvsvc32.exe[600] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[624] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[624] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[624] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008E000C
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0261000A
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1376] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1376] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1912] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1912] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1912] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1912] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1912] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\notepad.exe[2540] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\notepad.exe[2540] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\LTMSG.exe[2792] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\LTMSG.exe[2792] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\HP\KBD\KBD.EXE[2820] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\HP\KBD\KBD.EXE[2820] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\windows\system\hpsysdrv.exe[2832] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\windows\system\hpsysdrv.exe[2832] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\alg.exe[3672] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[3672] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\explorer.exe[7768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CD000A
.text C:\WINDOWS\explorer.exe[7768] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CE000A
.text C:\WINDOWS\explorer.exe[7768] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CC000C
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\notepad.exe[11704] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\notepad.exe[11704] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ikhfile.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat ikhfile.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8376CAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\disk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Bill9855, 26 April 2010 - 08:57 AM.


BC AdBot (Login to Remove)

 


#2 Bill9855

Bill9855
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:31 PM

Posted 26 April 2010 - 11:18 PM

[attachment=55108:Norton_A...napshots.doc]I'm not sure who was using my computer, so I don't know how it all started. However, the first problem I had was when my watch dog kept popping up asking to allow a jpeg viewer to be allowed on start up. I clicked no but it kept comming back. The next problem was that another program kept asking if the page I was on could download an "active X" file, even though I didn't have any windows open. Lastly, I keep getting notices that I am being hacked by a HTTPS Tideserve request and anoter IP address.

I updated and installed Spyware Dr and then ran, spybot search and destroy, Spyware dr, Norton AV(even thought the definitions are out of date), CCcleaner, RegCure, and lastly System security suite 1.04. After a restart the virus was still there, and my screen was blank except that I could use CTRL ALT DELETE to get task manager up and open programs that way.

Next I downloaded and used Trojan Hunter and repeated the steps as before only adding the anti trojan progran. Now I can get a normal startup but the problem is still there. next I found the program in the windows 32 file. (vtuurr.dll,Dll Regester Server) I changed the name because I could not delete it (open file) and tried to restart in safe mode so that it wouldn't start. No can do. I cannot safe start, and the file duplicated itself. I cannot delete lines in the registry either. They only get reinstalled. Lastlt, when I use msconfig, I can find the .dll's listed in the start up. when I uncheck them and restart, they get checked by themselves. I also have a "Hijack this" log if you want it, and will have to get my system 32 file fixed(named it bill1)



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 20:28:19.76 on Sun 04/25/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.313 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\LTMSG.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Page = hxxp://srch-qus10.hpwis.com/
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
uWindow Title =
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://qus10.hpwis.com/
mSearch Bar = hxxp://srch-qus10.hpwis.com/
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~2\tools\iesdsg.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spywar~2\tools\iesdpb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Norton Internet Security: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [tuvwvwsys] rundll32.exe "vtuurr.dll",DllRegisterServer
dRun: [awwurrsys] rundll32.exe "vtuurr.dll",DllRegisterServer
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~2\tools\iesdpb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: att.net\webauth
Trusted Zone: fortunerep.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com\download
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 vtuurr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2007-2-24 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2007-2-24 51072]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton systemworks\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2005-6-3 3744]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 192104]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2004-8-27 235168]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169576]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2005-6-3 3904]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton systemworks\norton antivirus\NAVAPSVC.EXE [2005-9-23 139888]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~4\norton~2\NPROTECT.EXE [2005-11-3 95832]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-6-3 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-10 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NAVENG.Sys [2008-12-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081220.003\NavEx15.Sys [2008-12-20 876112]
R3 SAVRT;SAVRT;c:\program files\norton systemworks\norton antivirus\savrt.sys [2005-8-26 334984]
S2 mrtRate;mrtRate; [x]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2004-8-27 79520]
S3 idrmkl;idrmkl;\??\c:\docume~1\owner\locals~1\temp\idrmkl.sys --> c:\docume~1\owner\locals~1\temp\idrmkl.sys [?]
S3 SAVScan;Symantec AVScan;c:\program files\norton systemworks\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2010-04-26 00:16:42 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-04-26 00:04:04 0 d-----w- c:\program files\Cobian Backup 10
2010-04-21 04:37:28 0 d-----w- c:\docume~1\alluse~1\applic~1\TrojanHunter
2010-04-21 04:10:37 0 d-----w- c:\docume~1\owner\applic~1\TrojanHunter
2010-04-21 03:03:35 0 d-----w- c:\program files\TrojanHunter 5.3
2010-04-15 04:41:33 324608 ----a-w- c:\windows\ctfmon.exe
2010-04-15 03:42:14 90112 ---ha-w- c:\windows\system32\vtuurr.dll
2010-04-15 03:42:14 90112 ----a-w- c:\windows\system32\bill1
2010-04-15 03:42:13 367616 ----a-w- c:\windows\opeEF.exe
2010-04-15 03:42:13 0 ----a-w- c:\windows\opeEF.tmp
2010-04-15 03:42:12 0 ----a-w- c:\windows\opeEC.tmp

==================== Find3M ====================

2010-04-15 05:45:15 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-16 13:19:55 2181376 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39:04 2058368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:36:09 100864 ----a-w- c:\windows\system32\6to4svc.dll
2006-11-21 23:51:54 774144 -c--a-w- c:\program files\RngInterstitial.dll

============= FINISH: 20:30:28.42 ===============




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 22:09:36
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fwldqpod.sys


---- System - GMER 1.0.15 ----

SSDT 834010E0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xED8DA6C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xED8DA910]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\disk.sys entry point in ".rsrc" section [0xF74BF514]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6C1C340, 0xFFF7F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D6300, 0x238C20, 0xF8000020]
? C:\WINDOWS\TEMP\mc21.tmp The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[256] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[256] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[256] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[308] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe[420] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe[480] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\NPROTECT.EXE[536] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\nvsvc32.exe[600] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\nvsvc32.exe[600] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\nvsvc32.exe[600] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\nvsvc32.exe[600] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\nvsvc32.exe[600] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[624] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[624] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[624] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[624] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[724] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[724] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[736] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[736] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0090000A
.text C:\WINDOWS\System32\svchost.exe[1020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 008E000C
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 0261000A
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1124] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1196] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1196] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\NORTON~4\NORTON~2\SPEEDD~1\NOPDB.EXE[1236] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1292] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1376] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[1376] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[1376] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1476] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1544] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccProxy.exe[1628] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Norton Internet Security\ISSVC.exe[1676] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1724] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe[1820] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1912] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\spoolsv.exe[1912] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\spoolsv.exe[1912] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\spoolsv.exe[1912] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1912] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[1972] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[2028] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2084] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\notepad.exe[2540] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\notepad.exe[2540] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\notepad.exe[2540] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\LTMSG.exe[2792] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\LTMSG.exe[2792] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\LTMSG.exe[2792] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\HP\KBD\KBD.EXE[2820] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\HP\KBD\KBD.EXE[2820] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\HP\KBD\KBD.EXE[2820] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\windows\system\hpsysdrv.exe[2832] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\windows\system\hpsysdrv.exe[2832] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\windows\system\hpsysdrv.exe[2832] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2872] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe[2988] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3008] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\System32\alg.exe[3672] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[3672] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\alg.exe[3672] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE[3852] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[4832] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\explorer.exe[7768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CD000A
.text C:\WINDOWS\explorer.exe[7768] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CE000A
.text C:\WINDOWS\explorer.exe[7768] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CC000C
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for gmer.zip\gmer.exe[10948] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D
.text C:\WINDOWS\system32\notepad.exe[11704] ntdll.dll!NtTerminateProcess 7C90DE6E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\notepad.exe[11704] ntdll.dll!NtTerminateProcess + 4 7C90DE72 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\notepad.exe[11704] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 5F00003D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ikhfile.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat ikhfile.sys (PCTools Research Pty Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8376CAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 2
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 35
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 4
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceType 7
Reg HKLM\SYSTEM\controlset002\control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties@DeviceCharacteristics 256
Reg HKLM\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\disk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 4/2/2004 1:46:47 PM
System Uptime: 4/21/2010 1:37:01 AM (115 hours ago)

Motherboard: ASUSTeK Computer INC. | | Diablo
Processor: AMD Athlon™ 64 Processor 3200+ | Socket 754 | 1994/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 148 GiB total, 129.801 GiB free.
D: is FIXED (FAT32) - 5 GiB total, 0.947 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Acrobat.com
Acronis PrivacyExpert
Adobe Acrobat 5.0
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album Starter Edition
Adobe Photoshop Elements 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Reader 9.3.1
Adobe SVG Viewer 3.0
Advanced Networking Pack for Windows XP
AiO_Scan
AIOMinimal
AiOSoftware
ArcSoft PhotoImpression 6
ArcSoft Print Creations
ArcSoft ShowBiz 2
ArcSoft Software Suite
Calculator Powertoy for Windows XP
CC_ccProxyExt
ccCommon
CCleaner
ccPxyCore
CheckIt Diagnostics
Command & Conquer Generals
Command & Conquer Red Alert 2
Command & Conquer Tiberian Sun
Command and ConquerTM Generals Zero Hour
Compaq Connections
Compatibility Pack for the 2007 Office system
Connection Keep Alive
Copy
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
Director
DocProc
Enhanced Multimedia Keyboard Solution
EPSON CX8400 User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX8400 Series Scanner Driver Update
Fax
GdiplusUpgrade
GoToMeeting 4.1.0.366
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.0
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB909279)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Deskjet Preloaded Printer Drivers
HP Photo & Imaging 3.1
HP Photo and Imaging 2.0 - Photosmart Cameras
HP PSC & OfficeJet 3.0
HP Update
hpmdtab
HpSdpAppCoreApp
HPSystemDiagnostics
InstantShare
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterActual Player
Internet Worm Protection
InterVideo WinDVD Player
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2
Java 2 Runtime Environment, SE v1.4.2_06
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
LiveReg (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Shockwave Player
Mah Jong Tiles Deluxe
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Baseline Security Analyzer 1.2.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Access 2003
Microsoft Office PowerPoint 2003 Template Creation Wizard
Microsoft Office PowerPoint 2003 Template Pack 1
Microsoft Office PowerPoint 2003 Template Pack 2
Microsoft Office PowerPoint 2003 Template Pack 3
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Producer for Microsoft Office PowerPoint 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
MS Access 97 SP2
MSN Music Assistant
MSRedist
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NAVShortcut
Norton AntiSpam
Norton AntiVirus 2006
Norton AntiVirus Parent MSI
Norton Cleanup
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Protection Center
Norton SystemWorks
Norton SystemWorks 2006
Norton SystemWorks 2006 (Symantec Corporation)
Norton Utilities
Norton WMI Update
NSW_DRM_COLLECTION
NVIDIA Drivers
NVIDIA Windows 2000/XP Display Drivers
PC-Doctor for Windows
PerformanceTest v5.0
PhotoGallery
PhotoshopdotcomInspirationBrowser
Photosmart 140,240,7200,7600,7700,7900 Series
Pop-Up Stopper Free Edition
PrintScreen
Professor Answers
Professor Teaches Excel 2003
Professor Teaches PowerPoint 2003
Professor Teaches Word 2003
PS2
PSShortcutsP
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
Quicken 2004
QuickProjects
Readme
RealPlayer
RecordNow!
RegCure
Registrar Registry Manager 4.03
Registrar Registry Manager 4.03 (Lite Edition)
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Series 6 Drill and Practice
SkinsHP1
SkinsHP2
Sonic Update Manager
SPBBC
Spybot - Search & Destroy
Spyware Doctor 4.0
Sybase SQL Anywhere 7 Personal Server
Symantec KB-DocID:2003093015493306
SymNet
System Security Suite 1.04
Top Comp Calculator
TrayApp
TrojanHunter 5.3
Tweak UI
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player (Remove Only)
WebFldrs XP
WebReg
Westell Firmware Upgrade
Westwood Shared Internet Components
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888240
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Zone Deluxe Games

==== Event Viewer Messages From Past Week ========

4/25/2010 8:14:50 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The system cannot find the file specified.

==== End Of File ===========================

Edited by Orange Blossom, 29 April 2010 - 12:10 AM.
Merged topics. ~ OB


#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:31 AM

Posted 30 April 2010 - 11:19 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:31 AM

Posted 03 May 2010 - 10:52 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users