
Stealth spyware in XP


  • This topic is locked
2 replies to this topic

#1 KyleD

KyleD

  • Members
  • 3 posts

Posted 16 October 2010 - 09:21 PM

Sorry to be bothering the forums with this, but I'm having a problem and I need professional advice. I'm running XP Pro SP2, and I've got some spyware that I can't get rid of. It's not running any processes that show up in Process Explorer, and it's not listed in HijackThis. It's apparently also hammering a number of ad websites in the background (I can't see it, but URLsnooper tells me that it's happening, a lot). Google results are, of course, redirected to ads. I've tried Avast, Lavasoft Ad-Aware, Spybot, and Symantec, and none of them work. ComboFix has results that I'm really not sure about.

Also, sometimes svchost.exe goes down with a fault from ntdll.dll; I have no idea if that's even related.

My first thread is up here: http://www.bleepingcomputer.com/forums/topic354159.html

Here's my DDS output:

DDS (Ver_10-10-10.03) - NTFSx86
Run by kyle at 17:50:19.01 on Sat 10/16/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2150 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Razer Diamondback 3G\razerhid.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Dell PC Suite\Application Launcher\Application Launcher.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Program Files\SpybotSD\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Orbitdownloader\orbitdm.exe
F:\ProcessExplorer\procexp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer Diamondback 3G\razerofa.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Common Files\Teleca Shared\logger.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Dell PC Suite\Mobile Phone Monitor\pcc_capi.exe
C:\Program Files\Dell PC Suite\Mobile Phone Monitor\TCPVBTServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winamp.exe
E:\STEAM\Steam.exe
C:\Documents and Settings\Kyle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybotsd\SDHelper.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.EXE
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [SpybotSD TeaTimer] c:\program files\spybotsd\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\kyle\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Home Theater SchSvr] "c:\program files\common files\intervideo\schsvr\SchSvr.exe"
mRun: [WINCINEMAMGR] "c:\program files\intervideo\common\bin\WinCinemaMgr.exe"
mRun: [WINREMOTE] "c:\program files\intervideo\common\bin\WinRemote.exe"
mRun: [CloneCDTray] "c:\program files\clonecd\CloneCDTray.exe" /s
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes anti-malware\mbam.exe" /runcleanupscript
mRun: [Diamondback] c:\program files\razer diamondback 3g\razerhid.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Dell PC Suite] "c:\program files\dell pc suite\application launcher\Application Launcher.exe" /startoptions
StartupFolder: c:\docume~1\kyle\startm~1\programs\startup\shortc~1.lnk - f:\processexplorer\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybotsd\SDHelper.dll
Trusted Zone: netlibrary.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {FC1204D0-363B-4129-B7DC-A9B7A1A40329} = 192.168.0.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kyle\applic~1\mozilla\firefox\profiles\8hfd4xew.db profile\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\kyle\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-13 64288]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2008-5-28 337280]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2008-5-28 54656]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2007-12-6 660768]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2008-6-24 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2008-6-24 169320]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2010-7-4 3584]
R2 inpout32;inpout32;c:\windows\system32\drivers\inpout32.sys [2010-7-4 11936]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2008-9-30 1956792]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101008.004\naveng.sys [2010-10-8 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101008.004\navex15.sys [2010-10-8 1371184]
R3 Razerlow;Diamondback 3G USB Filter Driver;c:\windows\system32\drivers\DB3G.sys [2009-11-4 13225]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2010-7-1 34896]
S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-13 133104]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2008-9-30 116664]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

============== File Associations ===============

txtfile=c:\program files\editpad\EditPad.exe "%1"

=============== Created Last 30 ================

2010-10-16 21:16:36 -------- d-----w- c:\program files\Avast5
2010-10-16 21:16:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-16 20:28:30 -------- d-sha-r- C:\cmdcons
2010-10-16 20:25:38 77312 ----a-w- c:\windows\MBR.exe
2010-10-16 20:25:37 98816 ----a-w- c:\windows\sed.exe
2010-10-16 20:25:37 256512 ----a-w- c:\windows\PEV.exe
2010-10-16 20:25:37 161792 ----a-w- c:\windows\SWREG.exe
2010-10-16 19:25:48 301927 ----a-w- c:\windows\system32\EditPad.exe
2010-10-16 11:24:21 -------- d-----w- c:\docume~1\kyle\applic~1\uTorrent
2010-10-16 09:59:57 -------- d-----w- c:\docume~1\kyle\applic~1\Webroot
2010-10-16 09:18:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Geek Squad
2010-10-16 08:25:13 -------- d-----w- C:\!KillBox
2010-10-16 05:21:38 1066176 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-10-16 03:25:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-10-15 08:05:23 -------- d-----w- c:\docume~1\kyle\locals~1\applic~1\Temp
2010-10-15 07:54:30 -------- d-----w- C:\streak
2010-10-15 04:03:33 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-10-15 04:03:18 581192 ----a-r- c:\windows\system32\WinUSBCoInstaller.dll
2010-10-15 04:03:18 1112288 ----a-r- c:\windows\system32\WdfCoInstaller01007.dll
2010-10-15 03:25:36 -------- d-----w- c:\docume~1\kyle\locals~1\applic~1\Dell
2010-10-15 03:25:35 -------- d-----w- c:\docume~1\kyle\applic~1\Teleca
2010-10-15 03:24:51 -------- d-----w- c:\program files\common files\Teleca Shared
2010-10-15 03:24:48 -------- d-----w- c:\program files\Dell PC Suite
2010-10-15 03:24:48 -------- d-----w- c:\docume~1\kyle\applic~1\Dell
2010-10-15 03:24:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Teleca
2010-10-15 03:24:44 -------- d-----w- c:\program files\MSXML 6.0
2010-10-14 23:47:32 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-14 23:29:56 -------- d-----w- c:\docume~1\kyle\locals~1\applic~1\Sunbelt Software
2010-10-14 23:29:16 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-14 17:28:36 -------- d-----w- c:\program files\uTorrent
2010-10-13 21:49:53 0 ----a-w- c:\windows\Nbusikisoxebuxe.bin
2010-10-09 08:04:34 -------- d-----w- c:\program files\RADVideo
2010-10-09 03:09:27 -------- d-----w- c:\program files\SpybotSD
2010-10-09 03:09:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-10-05 06:13:33 -------- d-----w- c:\docume~1\kyle\locals~1\applic~1\Criterion Games
2010-10-05 06:10:09 -------- d-----w- C:\ProgramData
2010-10-05 06:10:00 3630 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-10-02 19:44:12 -------- d-----w- C:\found.000
2010-09-19 03:33:29 2829 ----a-w- c:\windows\War3Unin.pif
2010-09-19 03:33:29 139264 ----a-w- c:\windows\War3Unin.exe
2010-09-18 23:08:13 -------- d-----w- c:\docume~1\kyle\locals~1\applic~1\DC++
2010-09-18 23:08:13 -------- d-----w- c:\docume~1\kyle\applic~1\DC++
2010-09-18 23:07:31 -------- d-----w- c:\program files\DCplusplus
2010-09-18 21:43:18 -------- d-----w- c:\docume~1\kyle\locals~1\applic~1\id Software

==================== Find3M ====================

2010-09-22 22:00:24 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-18 21:50:17 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-09-18 21:41:21 22328 ----a-w- c:\docume~1\kyle\applic~1\PnkBstrK.sys
2010-08-12 12:15:20 15880 ----a-w- c:\windows\system32\lsdelete.exe

============= FINISH: 17:50:47.54 ===============

and here's my ARK.txt (GMER)
GMER 1.0.15.15319 - http://www.gmer.net
Rootkit scan 2010-10-16 18:40:48
Windows 5.1.2600 Service Pack 2
Running: r69rkg0u.exe; Driver: C:\DOCUME~1\Kyle\LOCALS~1\Temp\fxroquog.sys


---- System - GMER 1.0.15 ----

SSDT 8A814B58 ZwAlertResumeThread
SSDT 8A814C38 ZwAlertThread
SSDT 8A89A568 ZwAllocateVirtualMemory
SSDT 8A8E4198 ZwConnectPort
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB80F887E]
SSDT 8A8148A8 ZwCreateMutant
SSDT 8A8C3BC8 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB4AFE690]
SSDT 8A81C558 ZwFreeVirtualMemory
SSDT 8A814998 ZwImpersonateAnonymousToken
SSDT 8A814A78 ZwImpersonateThread
SSDT 8A81C478 ZwMapViewOfSection
SSDT 8A8147C8 ZwOpenEvent
SSDT 8A902370 ZwOpenProcessToken
SSDT 8A81C250 ZwOpenThreadToken
SSDT 8A8146D8 ZwQueryValueKey
SSDT 8A8CDAB0 ZwResumeThread
SSDT 8A814F90 ZwSetContextThread
SSDT 8A81C320 ZwSetInformationProcess
SSDT 8A814EC0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB4AFE8E0]
SSDT 8A8145F8 ZwSuspendProcess
SSDT 8A814D40 ZwSuspendThread
SSDT 8A8D4E00 ZwTerminateProcess
SSDT 8A814E00 ZwTerminateThread
SSDT 8A8A1580 ZwUnmapViewOfSection
SSDT 8A8A15B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F10 80503B10 4 Bytes CALL 2ED4EFC4
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB73D9380, 0x550AF5, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 008E000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 008F000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 008D000C
.text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 012D000A
.text C:\WINDOWS\System32\svchost.exe[1284] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00A5000A
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A0000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1740] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 014C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1740] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 014D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1740] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 014B000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[1740] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!SetScrollInfo 77D4902C 7 Bytes JMP 0424B623 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!GetScrollPos 77D4F66F 5 Bytes JMP 0424B5D3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!SetScrollRange 77D4F6BB 5 Bytes JMP 0424B679 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!SetScrollPos 77D4F780 5 Bytes JMP 0424B64E C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!GetScrollRange 77D4F7B7 5 Bytes JMP 0424B5F8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!ShowScrollBar 77D50142 5 Bytes JMP 0424B6A7 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!GetScrollInfo 77D53A2F 7 Bytes JMP 0424B5AB C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[2212] USER32.dll!EnableScrollBar 77D97BAD 7 Bytes JMP 0424B583 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\WINDOWS\Explorer.EXE[3976] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[3976] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[3976] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A0000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8B34A292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8B34A292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8B34A292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8B34A292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8B34A292

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2A 0xC6 0x20 0x62 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x6F 0x53 0x58 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAF 0x7F 0x14 0x11 ...
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@imagepath \systemroot\system32\drivers\gasfkylvfnopah.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkylvfnopah.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfkycmd.dll \systemroot\system32\gasfkyubwwbptf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfkylog.dat \systemroot\system32\gasfkymqrdhaiy.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfkywsp.dll \systemroot\system32\gasfkynpyktltq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfky.dat \systemroot\system32\gasfkypkliequb.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfkywsp8y.dll \systemroot\system32\gasfkypjlavuhn.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x9C 0x49 0x76 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x6F 0x53 0x58 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0x8D 0x8A 0x03 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2A 0xC6 0x20 0x62 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x6F 0x53 0x58 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2F 0x26 0xD7 0x19 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2A 0xC6 0x20 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x6F 0x53 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x78 0xD9 0x66 0x30 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2A 0xC6 0x20 0x62 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x6F 0x53 0x58 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x78 0xD9 0x66 0x30 ...

---- EOF - GMER 1.0.15 ----


Thanks for helping me.


Edited by KyleD, 16 October 2010 - 09:23 PM.
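The GMER "Registry" section above is the only place in either log where the service gasfkyypbijkdu shows up: a kernel driver image under system32\drivers, an `injector` list naming a DLL to load into user processes, and a `modules` map pointing at its companion files, none of which appear in the DDS process or service listings. The following is an added example, not code from the poster or from BleepingComputer, that parses GMER's `Reg` lines (key path, optional `@valuename`, then data, as laid out in the log) and flags any service showing that pattern; it generalizes to every service in the section rather than to this one name. The sample lines are copied in shape from the report, and the helper names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: lines copied in shape from the "Registry - GMER" section of the
# report above, plus an sptd (DAEMON Tools) entry as a benign control case.
SAMPLE_GMER_REGISTRY = r"""
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu@imagepath \systemroot\system32\drivers\gasfkylvfnopah.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkylvfnopah.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyypbijkdu\modules@gasfkywsp8y.dll \systemroot\system32\gasfkypjlavuhn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2A 0xC6 0x20 0x62 ...
"""

# (subkey path below the service key, value name) -> data; key-only lines use value name ''.
ServiceValues = Dict[Tuple[str, str], str]

# "Reg <keypath>[@<value>] [<data>]" as GMER prints it.
REG_LINE = re.compile(r"^Reg\s+(\S+)(?:\s+(.*))?$")
# Service name is the path component right after "\Services\"; the rest is the subkey.
SERVICE_KEY = re.compile(r"\\Services\\([^\\@]+)(.*)$", re.IGNORECASE)


def parse_gmer_registry(text: str) -> Dict[str, ServiceValues]:
    """Group the 'Reg ...' lines of a GMER report by service name.

    Entries from different ControlSets for the same service are merged (the
    last one seen wins), which is enough for pattern matching across the report.
    """
    services: Dict[str, ServiceValues] = defaultdict(dict)
    for raw in text.splitlines():
        m = REG_LINE.match(raw.strip())
        if not m:
            continue
        token, data = m.group(1), (m.group(2) or "").strip()
        key, _, value = token.partition("@")      # split "<keypath>@<valuename>"
        sm = SERVICE_KEY.search(key)
        if not sm:
            continue                               # not under a Services key
        subkey = sm.group(2).strip("\\").lower()
        services[sm.group(1).lower()][(subkey, value.lower())] = data
    return dict(services)


def find_hidden_service_pattern(services: Dict[str, ServiceValues]) -> List[dict]:
    """Flag services whose registry config shows the pattern seen in the report:
    a driver image under system32\\drivers, an 'injector' list of DLLs, and a
    'modules' map naming companion files."""
    findings = []
    for name, values in services.items():
        image = values.get(("", "imagepath"), "")
        injected = [d for (sub, val), d in values.items()
                    if sub.endswith("injector") and val]        # skip key-only lines
        modules = {val: d for (sub, val), d in values.items()
                   if sub == "modules" and val}
        if "\\drivers\\" in image.lower() and injected:
            findings.append({"service": name, "image": image,
                             "injected": injected, "modules": modules})
    return findings


if __name__ == "__main__":
    for f in find_hidden_service_pattern(parse_gmer_registry(SAMPLE_GMER_REGISTRY)):
        print(f"service {f['service']}: driver {f['image']}")
        print(f"  injects: {', '.join(f['injected'])}")
        for mod, path in f["modules"].items():
            print(f"  module {mod} -> {path}")
```

Run against the sample it reports the single gasfkyypbijkdu service with its driver, the injected DLL and both module paths, and stays silent on sptd, which has no image path or injector list. The same reasoning a helper applies by eye when reading a GMER log (random-looking service names, a driver only the rootkit scanner can see, a DLL injection list) is what the two functions encode, so the output is a starting point for the file paths to quarantine rather than a verdict on its own.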


#2 KyleD

KyleD
  • Topic Starter

  • Members
  • 3 posts

Posted 23 October 2010 - 06:38 AM

Update: I flattened and reinstalled, problem solved.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 23 October 2010 - 03:18 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



