Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan-dnet.e, Trojan.bankash, Haxdoor.fam, Goldun.fam, Antivirus Gold, Hotwebfinder.winbrume


  • This topic is locked This topic is locked
43 replies to this topic

#1 ericwilmoth

ericwilmoth

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 17 March 2007 - 09:05 AM

my original post is here:
http://www.bleepingcomputer.com/forums/t/84596/2-haxdoors-psa3d-and-tmpf00exe/

i'd been having trouble with my internet connection getting disabled. after a while i stumbled on your site and began following the guidance given to me in the post i mentioned above. Sunbelt Counterspy found:
Trojan-Dnet.E, Trojan.BankAsh, Haxdoor.Fam, Goldun.Fam, AntiVirus Gold, HotWebFinder.Winbrume.

I followed the instructions on the Preparation Guide for use before posting a HijackThis Log page and am now, finally, posting my hijackthis log here, and patiently awaiting further assistance from you kind folks.
I have not yet re-enabled system restore since the instructions did not mention doing so. Please let me know when i should turn it back on. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:49:36 AM, on 3/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\DigiPortal Software\ChoiceMail\IzyMail.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: twpR32 - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

BC AdBot (Login to Remove)

 


#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 PM

Posted 25 March 2007 - 02:17 PM

Hello ericwilmoth, and welcome to BleepingComputer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#3 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 PM

Posted 26 March 2007 - 09:25 AM

OK ericwilmoth. Let's get started! :thumbsup:

IMPORTANT
You are infected with the Backdoor.Haxdoor trojan. Haxdoor is a backdoor trojan with an advanced kernel-mode rootkit that injects its hooks to the user-mode from the kernel and allows a remote attacker to gain access to and control a computer. Haxdoor compromises system integrity by making changes to the system that allow it to steal usernames and passwords. This infection drops .dlls, system drivers, and modifies the registry. Haxdoor variants may also cause "STOP 0x00000050" or "STOP 0x0000008e" error message (BSOD).
In short: Haxdoor is a controlled backdoor that can be used to gain unauthorized access to your machine. This infection utilizes a rootkit to hide itself.

Due to the status of some of the files you have on your computer, I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer from the internet until the computer can be cleaned. Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable - for email, banks, eBay, forums, etc. Do not change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information.


Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Step #1: temporarily disabling Sunbelt Software's CounterSpy
You have Sunbelt Software's CounterSpy running on your machine and that is good. However, CounterSpy's real-time protection can interfere with the changes you will make on your system, so please follow these instructions to temporarily disable CounterSpy's real-time protection:
1. Right-click the running icon of CounterSpy in the system tray.
2. With your mouse, hover over Active Protection Status (this should be enabled).
3. A menu will slide out. Right-click on Disable Active Protection.

You can re-enable CounterSpy's real-time protection once your system is clean.

Step #2: updating Sun Java Console
You need to update your Sun Java Console. Older versions have vulnerabilities that malware can and are using to infect systems.
Please perform these instructions to update your Sun Java Console:
1. Close all programs so that you are at your Desktop.
2. Go to Start > Control Panel > Add/Remove Programs and check any item with Java Runtime Environment (JRE) in the name.
3. Click the Remove or Change/Remove button next to these items to remove all versions of Java.
4. Reboot your computer.
5. Download and install the latest version of Java Runtime Environment (JRE) 6 (click).

Step #3: haxfix.exe
Download haxfix.exe to your Desktop by clicking the download link below.
Download haxfix.exe.

Once it is downloaded, double-click the haxfix.exe file to install haxfix (standard installation path is C:\Program Files\haxfix).
Place a checkmark in the checkbox labelled "Create a desktop icon". Click Next.
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click Finish. A red dos window (dos box) will open.
Select option 1. Make logfile by typing 1 and press Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the entire contents of that log file and paste them into this thread.

Step #4: moving HijackThis to a convenient location
You are running HijackThis from the Desktop. Because HijackThis is both for analysis and repair it is essential that it runs from within its own folder: HijackThis makes backups of the repairs in case there is a need for reversal of the procedure and you are probably more apt to delete the backups if HijackThis is running from the Desktop. Please move HijackThis.exe into its own directory on the C: drive by following these steps:
1. Navigate to the C: drive using Windows Explorer or My Computer.
2. Right-click in the folder window and select New > Folder.
3. Name the folder to "HijackThis" (without the quotation marks).
4. Move HijackThis.exe from the Desktop into the newly created directory.
NOTE: HijackThis.exe is now located in C:\HijackThis.

Step #5: HijackThis scan
Double-click the HijackThis.exe file and when the HijackThis window opens, click on the button labelled "Do a system scan and save a logfile". HijackThis will perform a system scan, and when the scan is complete, Notepad will open up containing the scan results. The HijackThis log will be automatically saved to the HijackThis folder. Copy the entire contents of the new HijackThis log and post them here.

Do not forget to include the haxfix log file in your next reply as well.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#4 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 26 March 2007 - 08:26 PM

Thanks, htv8.

Question about the network connection issue--this is my home pc and i have a wireless network going between it and my laptop. I was trying to figure out how to disable the network but allow the laptop to still connect to the internet. Iíve managed to disable file and printer sharing in the general tab of the wireless connection setting on the laptop, but when I attempt to do the same for my pc it wonít let me uncheck that or any of the other boxes for the other settings and I donít know why.

During all this I also noticed that among my workgroup computers there is a third system listed that should not be there--i'm assuming it's from the haxdoor; it's called Arphaxad and i can't gain access to it or review any significant properties.

So basically Iím unsure what to do about this Arphaxad thing, and Iím confused about the situation with my network connection in general. I guess when I established the network originally I set it up so that the one connection serves for both the link between the computers as well as a shared link to the internet. I donít know if it would be wise to revise it all so that these were made separate, and if so, Iím not even sure what Iíd need to do. If simply deselecting the file and printer sharing tool is sufficient then I guess I need to find out why itís not working on my pc.

One other concern I should mention relates to the image I attached, which is a photo of a blue screen that pops up on my computer occasionally after it shuts down spontaneously. It started months agoÖbut only happened like once every three months, and never after making any significant changes to my systemÖso I just restarted my computer and kept moving. But this last week itís happened three times. I have no idea if itís related to the rest of this, so if you could advise me on that too Iíd greatly appreciate it.

Anyway, hopefully you can help me sort all this out. Thanks!






Here's those log files:

HAXFIX logfile - by Marckie

version 4.39
Mon 03/26/2007 21:08:34.12

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
matching notify keys found
twpR

checking for matching services
matching services found
Aspi32
twpR32
twpR64

checking for matching safeboot services
matching safeboot services found
twpR32.sys
twpR64.sys

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


Finished!


Logfile of HijackThis v1.99.1
Scan saved at 9:21:00 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\AVANTB~1\avant.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to AD Black List - C:\PROGRA~1\AVANTB~1\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\PROGRA~1\AVANTB~1\AddAllToADBlackList.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\PROGRA~1\AVANTB~1\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\PROGRA~1\AVANTB~1\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\PROGRA~1\AVANTB~1\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\PROGRA~1\AVANTB~1\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: twpR32 - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Edited by ericwilmoth, 27 March 2007 - 12:53 AM.


#5 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 PM

Posted 28 March 2007 - 11:02 AM

Hello there again.

Question about the network connection issue--this is my home pc and i have a wireless network going between it and my laptop. I was trying to figure out how to disable the network but allow the laptop to still connect to the internet. Iíve managed to disable file and printer sharing in the general tab of the wireless connection setting on the laptop, but when I attempt to do the same for my pc it wonít let me uncheck that or any of the other boxes for the other settings and I donít know why.

To disable your wireless connections, please follow these instructions:
1. Go to Start > Control Panel and click on the Network and Internet Connections category.
2. Open Network Connections.
3. In the Network Connections window, under "Lan or High-Speed Internet", right-click on your wireless connection(s), usually Wireless Network Connection.
4. In the menu that opens up, click on Disable.

Once the connection is disabled, the Wireless Network Connection icon should turn gray and in the status text under its name, it should say "Disabled". When you want to use the wireless connection again, right-click on the icon again and select Enable.

During all this I also noticed that among my workgroup computers there is a third system listed that should not be there--i'm assuming it's from the haxdoor; it's called Arphaxad and i can't gain access to it or review any significant properties.

So basically Iím unsure what to do about this Arphaxad thing, and Iím confused about the situation with my network connection in general. I guess when I established the network originally I set it up so that the one connection serves for both the link between the computers as well as a shared link to the internet. I donít know if it would be wise to revise it all so that these were made separate, and if so, Iím not even sure what Iíd need to do. If simply deselecting the file and printer sharing tool is sufficient then I guess I need to find out why itís not working on my pc.

You should be able to resolve the computer's name to an IP address by using networking commands. Use a computer in your workgroup and nslookup the computer's name (which will use NetBIOS over TCP/IP and/or WINS) to resolve the IP address. When that IP address is resolved, you can ping, traceroute (in Windows: tracert), or discover with packet sniffing when and how it's getting to you.
As I do not have experience in using networking commands, workgroup computers or their connections, I recommend starting a new thread about this in the Networking forum if you want to.

NOTE: If there is an infestation on any computer, all computers should be taken off the network and cleaned individually.

One other concern I should mention relates to the image I attached, which is a photo of a blue screen that pops up on my computer occasionally after it shuts down spontaneously. It started months agoÖbut only happened like once every three months, and never after making any significant changes to my systemÖso I just restarted my computer and kept moving. But this last week itís happened three times. I have no idea if itís related to the rest of this, so if you could advise me on that too Iíd greatly appreciate it.

OK. As I concentrate mainly on malware removal, I think it is best to ask for help about this error in the Windows XP Home and Professional forum as this error is caused by a legit driver file. Meanwhile, I will research the error you got. Please note that I start working on your malware issues and this may or may not solve other issues you have with your machine.

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: re-enabling System Restore
You said that you have System Restore set to disabled. I want you to re-enable it in case anything goes wrong. The chance that anything goes wrong is almost nil but you never know. Please perform these instructions to re-enable System Restore:
1. Close all programs so that you have nothing open and are at your Desktop.
2. Go to Start > Run.
3. In the Run field type SYSDM.CPL and press the OK button.
4. Click the System Restore tab.
5. Uncheck the option labelled "Turn off System Restore" to turn System Restore back on.
6. Click the OK button.

Step #2: haxfix autofix
Navigate to C:\Program Files\haxfix and double-click on fix.bat (or double-click on the fix.bat Desktop icon).
Close all programs/windows so that you have nothing open since this step requires a reboot.
Select option 2. Run auto fix by typing 2 and then press Enter.
If an infection is found, you'll get a message to close all other open windows. Close them, except the red DOS window from haxfix and then press Enter.
The computer will reboot.
After the reboot a log file will open.
Copy the entire contents of that log file and paste them into this thread.

Step #3: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#6 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 28 March 2007 - 05:18 PM

I posted in those other threads like you suggested. Thanks.
Hereís the logs from the new scans, but two things to let you knowó
One is that I had the firewall on when I started the haxfix and it was interrupting the scan so frequently that I turned it off. After I did it looked like the haxfix was just sitting there doing nothing for a minute, so I closed it and ran it againóso I donít know if that might have affected the results in this log.

The other thing is that I made sure I was disconnected from the internet while doing the scans, but aside from that Iíve stayed connected before and after. My laptop is off, so the network is moot. Iíve not been accessing sites related to my finances or anything else where I need to be concerned about login infoóexcept for this siteóbut Iím doing a lot of critical research at the moment, which is why Iím staying online. What I want to know is if this is anything youíd be concerned about, as far as continuing this cleanup. I know you advised to limit my internet connection till this is resolved, but I wasnít sure if that was a critical necessity to clean things out properly, or just a suggestion to limit the chances of someone swiping my data.

If I absolutely need to stay offline from this unit till Iím done and should be handling all my conferencing with you through another computer than Iíll do so, it just sounded so far like that was a good idea, if available, but not necessarily an absolute necessity. If you can clarify Iíll do whatever must be done.

Thanks.

P.S.óIím able to add file attachments in this thread, but not in othersÖmight you know why?

HAXFIX logfile - by Marckie

version 4.39
Wed 03/28/2007 17:45:53.42

--- Auto Haxdoorfix ---


searching for files:


searching for services....
service twpR32 found
[SWSC] DeleteService FAIL
service twpR64 found
[SWSC] DeleteService FAIL


--- Goldunfix ---


searching for files:


checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

notifykey twpR32 not found


searching for services

service twpR32 found
service twpR64 found


searching for safeboot services

not needed


searching for files

twpR32.dll exists
deleting twpR32.dll
twpR32.dll has been deleted

twpR32.sys exists
deleting twpR32.sys
twpR32.sys has been deleted

twpR64.sys exists
deleting twpR64.sys
twpR64.sys has been deleted


checking for other files

kgcpt.dat exists
deleting kgcpt.dat
kgcpt.dat has been deleted


checking for a3d files

no a3d files found


Finished




Logfile of HijackThis v1.99.1
Scan saved at 5:57:50 PM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

#7 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 PM

Posted 30 March 2007 - 06:01 PM

Hello, ericwilmoth. Sorry for the delay in getting back to you.

<..> One is that I had the firewall on when I started the haxfix and it was interrupting the scan so frequently that I turned it off.

Your log indeed does not show a firewall running. To prevent unauthorised traffic both out of and into your computer, please re-enable your firewall again. It is important that you use a software firewall in order to keep your computer safe and secure...

The other thing is that I made sure I was disconnected from the internet while doing the scans, but aside from that Iíve stayed connected before and after. <...> Iím doing a lot of critical research at the moment, which is why Iím staying online. What I want to know is if this is anything youíd be concerned about, as far as continuing this cleanup. I know you advised to limit my internet connection till this is resolved, but I wasnít sure if that was a critical necessity to clean things out properly, or just a suggestion to limit the chances of someone swiping my data.

The advice I gave you is a suggestion to limit the chances of allowing unauthorised remote access to the infected computer. Haxdoor is a controlled backdoor that can be used to gain unauthorized access to your machine. An installed keylogger which is a variant of Backdoor.Haxdoor.D logs certain keystrokes such as visiting websites, entering forms, writing in Notepad or other documents, writing email, etc. The keylogger is installed as a device service on your machine. Due to the status of some of the files you have on your computer, it is really recommended to keep the PC disconnected from the Internet and from your network if it is on a network until the computer can be cleaned.

P.S.óIím able to add file attachments in this thread, but not in othersÖmight you know why?

Yes. This is because HijackThis Team members often need to attach fixes to their posts (like specific registry fixes for users). In other forums, users are not allowed to attach files as storing a lot of files apparently takes up a lot of server space. This setting is set by the forum administrator.

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: Haxfix manu fix
We have to run haxfix again and perform a manual fix. Please perform these instructions:
1. Navigate to C:\Program Files\haxfix and double-click on fix.bat (or double-click on the fix.bat Desktop icon).
2. Close all programs/windows so that you have nothing open since this step requires a reboot.
3. Select option 3. Run manu fix by typing 3 and then press Enter.
This message will appear:

echo Insert the haxdoorkey,
and then press Enter:

4. At this point, please type the following: twpR. When this is a valid choice, the key will be added to delete.
This message will appear:

Haxdoorkey twpR added to delete.
Do you want to add a new haxdoorkey?
Press Y for YES or N for NO and then press Enter:

This message indicates that there is the possibility to add a new key: Yes (type Y) or No (type N).
5. Type Y for Yes and press Enter.
6. Type ddsntdll. When this is a valid choice, the key will be added to delete.
7. Follow the on-screen prompts and once asked if you want to add a new haxdoorkey, type N for No and press Enter.
The computer will reboot.
8. After reboot a log file will open: C:\haxfix.txt. Copy the entire contents of that log file and paste them into this thread.

Step #2: F-Secure Blacklight scan
Please download F-Secure Blacklight from the download link below.
Download F-Secure Blacklight

Once downloaded, move blbeta.exe into its own directory on the C: drive.

Now please perform these instructions to run F-Secure Blacklight:
1. Double-click on the blbeta.exe file to start F-Secure Blacklight.
2. In the upcoming screen, check the checkbox labelled "I accept the agreement" and press the Next button.
3. Next, press the Scan button.
4. Once the scanning procedure is done, click on the Next button, followed by clicking on the Exit button.
5. Navigate to the folder in which blbeta.exe is located using My Computer or Windows Explorer and open the Notepad file in it.
6. Post the entire contents of that log as a reply to this post.
NOTE: Do not fix anything with F-Secure Blacklight. Files found may be legitimate!

Step #3: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
Also include the entire contents of the haxfix report and the F-Secure Blacklight log in your next reply.
NOTE: Use several posts if necessary to include everything in the logs.

Edited by htv8, 30 March 2007 - 06:04 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#8 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 31 March 2007 - 03:22 AM

Thanks for the clarification about the keystrokes. Is there any limit to how much they can aquire that way--if i wrote a novel, could they nab every keystroke? Is it limited to keystrokes? can they lift files?

Here's the scan results. Thanks a lot for your help.

HAXFIX logfile - by Marckie

version 4.39
Sat 03/31/2007 1:37:10.65

--- Manual Haxdoorfix ---

Adding haxdoorkeys to delete...
twpR

searching for services....
service twpR32 found
[SWSC] DeleteService FAIL
service twpR64 found
[SWSC] DeleteService FAIL


--- Goldunfix ---


searching for files:


checking iexplore.exe
iexplore.exe is not infected

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

notifykey twpR32 not found


searching for services

service twpR32 found
service twpR64 found


searching for safeboot services

not needed


searching for files

twpR32.dll exists
deleting twpR32.dll
twpR32.dll has been deleted

twpR32.sys exists
deleting twpR32.sys
twpR32.sys has been deleted

twpR64.sys exists
deleting twpR64.sys
twpR64.sys has been deleted


checking for other files

No other files found


checking for a3d files

no a3d files found


Finished



03/31/07 01:55:55 [Info]: BlackLight Engine 1.0.61 initialized
03/31/07 01:55:55 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/31/07 01:55:56 [Note]: 7019 4
03/31/07 01:55:56 [Note]: 7005 0
03/31/07 01:56:18 [Note]: 7006 0
03/31/07 01:56:18 [Note]: 7011 1876
03/31/07 01:56:19 [Note]: 7026 0
03/31/07 01:56:19 [Note]: 7026 0
03/31/07 01:56:25 [Note]: FSRAW library version 1.7.1021
03/31/07 04:13:06 [Note]: 7007 0



Logfile of HijackThis v1.99.1
Scan saved at 4:14:21 AM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

#9 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 PM

Posted 31 March 2007 - 01:54 PM

Hello, ericwilmoth.

Thanks for the clarification about the keystrokes. Is there any limit to how much they can aquire that way--if i wrote a novel, could they nab every keystroke? Is it limited to keystrokes? can they lift files?

It is possible for malware creators to profit by simply stealing from a person whose computer is infected. Installing themselves on your computer, malware programs can perform malicious functions, including keylogging, stealing files and other important (financial) data, spreading the virus or spam to everyone in the user's email address book, and taking control of the user's machine for the purpose of hacking other computers.
A keylogger captures the user's keystrokes when entering (important) information that may be useful to the malware creator. A keystroke refers to the pressing of a keyboard button that is connected to some form of digital computer. Keylogger malicious software could record every key stroke you type, and from that information steal important data such as your passwords, credit card information and even social security numbers. The captured information is then transmitted automatically to the malware creator, enabling fraud or other theft. Similarly, malware could copy CD keys or passwords for online services, allowing the creator to steal accounts.

Haxdoor is a controlled backdoor that can be used to gain unauthorized access to your machine. A backdoor is a method of bypassing normal authentication procedures. Backdoors are typically used to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors hackers use either trojan horses or worms.
Some haxdoor variants will include a rootkit driver to hide the infection.

Your log indeed does not show a firewall running. To prevent unauthorised traffic both out of and into your computer, please re-enable your firewall again. It is important that you use a software firewall in order to keep your computer safe and secure...

If not already re-enabled, please re-enable your firewall!

Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Apparently, some haxdoor services are still present on your PC. Let's have a more in-depth look.

Step #1: generating a StartupList log with HijackThis
We need to use HijackThis to create a StartupList log. Please perform these instructions to generate a StartupList log with HijackThis:
1. Launch HijackThis.
2. Click on the Open the Misc Tools section button.
3. Make sure that both boxes to the right of the Generate StartupList log button are checked:
  • List also minor sections (full)
  • List empty sections (complete)
4. Click on the Generate StartupList log button.
5. Click Yes at the prompt.
6. A Notepad file will open with the contents of the HijackThis StartupList log displayed. Copy/Paste this log in your next reply.
NOTE: The StartupList log will be automatically saved to the HijackThis folder as well.

More information with a screenshot, can be found here.

Step #2: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#10 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 31 March 2007 - 03:13 PM

Thanks--I've got the firewall up now. I'm using the sunbelt firewall, and at the moment it doesn't automatically start when my computer boots up. I'm looking for the setting to change that.


StartupList report, 3/31/2007, 3:56:59 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\IzyMail.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe
Adobe Version Cue CS2 = "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
(Default) =
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SBCSTray = C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
BlazeServoTool = "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
Quicknote = C:\Program Files\Quicknote\quicknote.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:

XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[SupportSoft SmartIssue]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsi.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab

[SupportSoft Script Runner Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsr.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[LSSupCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/pub/shock...director/sw.cab

[Microsoft Data Collection Control]
InProcServer32 = C:\WINDOWS\system32\odc.dll
CODEBASE = https://support.microsoft.com/OAS/ActiveX/odc.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[DivXBrowserPlugin Object]
InProcServer32 = C:\Program Files\DivX\DivX Web Player\npdivx32.dll
CODEBASE = http://go.divx.com/plugin/DivXBrowserPlugin.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0]
InProcServer32 = C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Live365Player Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Play365.dll
CODEBASE = http://www.live365.com/players/play365.cab

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Adobe Version Cue CS2: "C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (manual start)
aeaudio: system32\drivers\aeaudio.sys (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: system32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\system32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: system32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: system32\DRIVERS\audstub.sys (manual start)
Broadcom 440x 10/100 Integrated Controller XP Driver: system32\DRIVERS\bcm4sbxp.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CD-ROM Driver: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Disk Driver: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Symantec Eraser Control driver: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (system)
EraserUtilDrvI1: \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI1.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: system32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: system32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
Firewall Driver: \SystemRoot\system32\drivers\fwdrv.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: system32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
ialm: system32\DRIVERS\ialmnt5.sys (manual start)
IdeBusDr: system32\DRIVERS\IdeBusDr.sys (system)
Intel® Ultra ATA Controller: system32\DRIVERS\IdeChnDr.sys (system)
InstallDriver Table Manager: "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (manual start)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (disabled)
Intel Processor Driver: system32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: system32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: system32\DRIVERS\kbdclass.sys (system)
Kerio HIPS Driver: \SystemRoot\system32\drivers\khips.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Sunbelt Kerio Personal Firewall 4: "C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" (autostart)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (manual start)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Mouse Class Driver: system32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: system32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070330.018\naveng.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070330.018\navex15.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Parallel port driver: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
Pen Class: system32\Drivers\PenClass.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Terminal Server Device Redirector Driver: system32\DRIVERS\rdpdr.sys (manual start)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Linksys Wireless-G PCI Adapter Driver: system32\DRIVERS\RT2500.sys (manual start)
Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver: system32\DRIVERS\RTL8139.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRoam: "C:\Program Files\Symantec AntiVirus\SavRoam.exe" (manual start)
SAVRT: \??\C:\Program Files\Symantec AntiVirus\savrt.sys (system)
SAVRTPEL: \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys (system)
Sunbelt CounterSpy Antispyware: "C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe" (autostart)
SBHR: system32\drivers\sbhr.sys (system)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: system32\DRIVERS\serenum.sys (manual start)
Serial port driver: system32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
smwdm: system32\drivers\smwdm.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (manual start)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (manual start)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{C5C7DDFB-D4D6-46AB-8318-8EE23DA9780F} (manual start)
Symantec AntiVirus: "C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (autostart)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
TabletService: C:\WINDOWS\system32\Tablet.exe (autostart)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\system32\tlntsvr.exe (disabled)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: system32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: system32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: system32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: system32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: system32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Windows CE USB Serial Host Driver: system32\DRIVERS\wceusbsh.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 37,150 bytes
Report generated in 0.312 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Logfile of HijackThis v1.99.1
Scan saved at 3:58:55 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\IzyMail.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

#11 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:18 PM

Posted 02 April 2007 - 12:08 PM

Please print out or copy this page to Notepad. This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. A print out of the instructions would be a good reference to make sure you don't get lost. You may also like to save these instructions in Word/Notepad to the Desktop where they can be easily found for the same reasons as above.
Also make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: UploadMalware.com upload
First enable the viewing of hidden files in Windows XP by following these steps:
1. Close all programs so that you are at your Desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and then click on the menu option labelled "Folder Options".
4. After the new window appears select the View tab.
5. Remove the checkmark from the checkbox labelled "Hide file extensions for known file types".
6. Remove the checkmark from the checkbox labelled "Hide protected operating system files".
7. Select the radio button labelled "Show hidden files and folders".
8. Press the Apply button and then press the OK button and shutdown My Computer.

Your computer is now configured to show all hidden system files and folders.

Now go to UploadMalware.com and follow these directions to submit the files listed below:
1. In the Name field, please enter your display name: ericwilmoth.
2. In the Email or Topic field, please copy/paste the entire URL to this topic: http://www.bleepingcomputer.com/forums/t/85082/trojan-dnete-trojanbankash-haxdoorfam-goldunfam-antivirus-gold-hotwebfinderwinbrume/.
3. Upload the following file(s) by clicking the Browse... button(s), located next to File(s) To Submit (do not be concerned if you cannot find the files):
C:\WINDOWS\system32\ddsntdll.d
C:\WINDOWS\system32\ddsntdll.dll
4. In the Comments and Further Info field, please type the following: request by htv8.
5. Click the Send File(s) button to submit the file(s) found.

Step #2
Download VundoFix.exe to your Desktop by clicking the download link below.
Download VundoFix.exe

Once downloaded, double-click VundoFix.exe to run VundoFix.

Now please perform these instructions:
1. Right-click inside the listbox (white box) and click the option labelled "Add more files?".
2. Copy/paste the entries inside the CODE boxes below one by one into the first two boxes:
C:\WINDOWS\system32\ddsntdll.d
C:\WINDOWS\system32\ddsntdll.dll
3. Click the button labelled "Add File(s)".
4. Click the button labelled "Close Window".
5. Click the button labelled "Scan for Vundo".
6. Once it's done scanning, click the button labelled "Remove Vundo".
7. Click the Yes button at the prompt asking you if you want to remove the files.
NOTE: Once you click Yes, your Desktop will go blank as it starts removing Vundo.
8. When completed, it will prompt that it will reboot your computer. Click OK.

NOTE: It is possible that VundoFix encountered a file it could not remove. VundoFix will run on reboot, simply follow the above instructions starting from "Click the button labelled "Scan for Vundo"" when VundoFix appears upon rebooting.

Post the entire contents of C:\vundofix.txt in your next reply.

Step #3: HijackThis fix
Scan again with HijackThis. Put a checkmark by this entry if it is present, double-checking to be sure that only this entry is checked:
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)

Close all other windows - you should only see HijackThis on your Desktop - and then click the button labelled "Fix checked".

Step #4: file(s)/folder(s) deletion
Reboot your computer into Safe Mode. Restart your computer and gently tap the F8 key repeatedly on your keyboard while starting up until you are presented with a new menu in which you can select the option for Safe Mode using the arrow keys on your keyboard.
For more information on how to boot your computer into Safe Mode, see this reference: How to start Windows into Safe Mode.

Now delete the following files or directories (do not be concerned if they do not exist):
C:\WINDOWS\system32\ddsntdll.d
C:\WINDOWS\system32\ddsntdll.dll

Reboot your computer to boot back into normal mode.

Step #5: GMER rootkit scan
Please download GMER from the link below.
Download GMER

Once download, unzip GMER to the Desktop. Open the program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for the checkbox labelled "Show all".
Click on Scan and when the scan has run, click Copy and paste the results (if any) here as a reply.

Step #6: haxfix scan
Navigate to C:\Program Files\haxfix and double-click on fix.bat (or double-click on the fix.bat Desktop icon). A red DOS window (DOS box) will open.
Select option 1. Make logfile by typing 1 and press Enter.
Haxfix will start scanning the computer. When it is finished a log file will open.
Copy the entire contents of that log file and paste them into this thread.

Step #7: Silent Runners scan
Please download Silent Runners.zip from the download link below and save it to your Desktop.
Download Silent Runners.zip

Once it is downloaded, extract the ZIP file to a new folder on your Desktop. Run the Silent Runners.vbs file inside it by double-clicking on it.
NOTE: If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run. This script is not malicious so please allow it.

Once launched, you will receive a prompt: "Skip supplementary searches?". Click the No button. A text file will appear in the Silent Runners folder. Silent Runners is not done yet, so please let it run. (It won't appear to be doing anything)! Once you receive the "All Done!" prompt, open the text file and post the entire contents of that text file in your next reply.

Step #8: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.

In your next reply, please also include the entire contents of:
- C:\vundofix.txt
- the GMER rootkit scan report
- the haxfix log file
- the Silent Runners log file

NOTE: Use several posts if necessary to include everything in the logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#12 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 03 April 2007 - 12:06 AM

I found C:\WINDOWS\system32\ddsntdll.dll and uploaded it to UploadMalware.com.
After Vundofix did its scan it told me it didnít find anything and also did not reboot the computer.
I did the Hijackthis scan, found O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing) and followed your instructions for having it fixed.
Same with the safemode deletion of C:\WINDOWS\system32\ddsntdll.dll, which was the only one I found.
Everything else went noramally. The scans are belowóI also included the results of the first of the two hijackthis scans.

Incidentally, I donít know if this makes a difference or not, but my sunbelt counterspy trial ran out so I decided to uninstall and reinstall it to see if I could get more mileage out of it since Iím low on funds. What I didnít do, though, was delete the quarantined files first. A fresh scan did not find anything but cookies, but I thought I should mention it just in case.

Hereís the scan results:

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:58:26 PM 4/2/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...


--------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:54:53 PM, on 4/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: ddsntdll - ddsntdll.d (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--------------------------------------------

#13 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 03 April 2007 - 12:09 AM

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-03 00:40:24
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwClose
SSDT 8979C3E8 ZwConnectPort
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwCreateThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwDeleteValueKey
SSDT \SystemRoot\system32\drivers\khips.sys ZwLoadDriver
SSDT \SystemRoot\system32\drivers\khips.sys ZwMapViewOfSection
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwOpenKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwResumeThread
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetInformationFile
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwSetValueKey
SSDT \SystemRoot\system32\drivers\fwdrv.sys ZwWriteFile

---- Kernel code sections - GMER 1.0.12 ----

PAGENDSM NDIS.sys!NdisMIndicateStatus F7426A5F 6 Bytes JMP A6D0BC5E \SystemRoot\system32\drivers\fwdrv.sys

---- User code sections - GMER 1.0.12 ----

.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\PROGRA~1\SYMANT~1\VPTray.exe[124] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001601A8
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00160090
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00160694
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!CreateProcessW 7C802332 5 Bytes JMP 001602C0
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!CreateProcessA 7C802367 5 Bytes JMP 00160234
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00160004
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0016011C
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001604F0
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!CreateThread 7C810637 5 Bytes JMP 0016057C
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001603D8
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0016034C
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!WinExec 7C86136D 5 Bytes JMP 00160464
.text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00160608
.text C:\WINDOWS\system32\csrss.exe[480] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001607AC
.text C:\WINDOWS\system32\csrss.exe[480] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00160720
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00070608
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000707AC
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00070720
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[484] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\winlogon.exe[504] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\winlogon.exe[504] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00070720
.text C:\WINDOWS\system32\winlogon.exe[504] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000708C4
.text C:\WINDOWS\system32\winlogon.exe[504] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00070838
.text C:\WINDOWS\system32\winlogon.exe[504] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00070950
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\services.exe[556] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\services.exe[556] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\services.exe[556] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\services.exe[556] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\services.exe[556] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\services.exe[556] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\lsass.exe[568] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\lsass.exe[568] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\lsass.exe[568] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\lsass.exe[568] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\lsass.exe[568] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\lsass.exe[568] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\ati2evxx.exe[716] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\ati2evxx.exe[716] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\ati2evxx.exe[716] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[736] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[736] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[736] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[736] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[808] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[808] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[868] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[868] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[868] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[868] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[868] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[868] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[868] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[868] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[868] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[868] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[868] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00080EC8
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\alg.exe[980] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\alg.exe[980] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\alg.exe[980] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\alg.exe[980] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\alg.exe[980] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\alg.exe[980] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1008] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1008] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1072] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1072] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1072] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1072] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1088] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00080F54
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00080D24
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00080FE0
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00080EC8
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1124] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\spoolsv.exe[1184] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\spoolsv.exe[1184] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\spoolsv.exe[1184] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\system32\spoolsv.exe[1184] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\system32\spoolsv.exe[1184] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\system32\spoolsv.exe[1184] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Avant Browser\avant.exe[1300] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Avant Browser\avant.exe[1300] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Avant Browser\avant.exe[1300] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Avant Browser\avant.exe[1300] wininet.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00130DB0
.text C:\Program Files\Avant Browser\avant.exe[1300] wininet.dll!InternetConnectA 771C30C3 5 Bytes JMP 00130F54
.text C:\Program Files\Avant Browser\avant.exe[1300] wininet.dll!InternetOpenA 771C58BA 5 Bytes JMP 00130D24
.text C:\Program Files\Avant Browser\avant.exe[1300] wininet.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00130E3C
.text C:\Program Files\Avant Browser\avant.exe[1300] wininet.dll!InternetConnectW 771CEE00 5 Bytes JMP 00130FE0
.text C:\Program Files\Avant Browser\avant.exe[1300] wininet.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00130EC8
.text C:\Program Files\Avant Browser\avant.exe[1300] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Avant Browser\avant.exe[1300] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Avant Browser\avant.exe[1300] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Symantec AntiVirus\DefWatch.exe[1308] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe[1344] kernel32.dll!VirtualProtectEx 7

#14 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 03 April 2007 - 12:11 AM

.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\svchost.exe[1568] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\svchost.exe[1568] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\svchost.exe[1568] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00130DB0
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00130F54
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00130D24
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00130E3C
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00130FE0
.text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[1600] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\ati2evxx.exe[1768] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\ati2evxx.exe[1768] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\ati2evxx.exe[1768] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\Tablet.exe[1872] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\Tablet.exe[1872] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\Tablet.exe[1872] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\explorer.exe[1896] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\explorer.exe[1896] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\explorer.exe[1896] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\WINDOWS\explorer.exe[1896] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00080DB0
.text C:\WINDOWS\explorer.exe[1896] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00080F54
.text C:\WINDOWS\explorer.exe[1896] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00080D24
.text C:\WINDOWS\explorer.exe[1896] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00080E3C
.text C:\WINDOWS\explorer.exe[1896] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00080FE0
.text C:\WINDOWS\explorer.exe[1896] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00080EC8
.text C:\WINDOWS\explorer.exe[1896] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000808C4
.text C:\WINDOWS\explorer.exe[1896] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00080838
.text C:\WINDOWS\explorer.exe[1896] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00080950
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00130DB0
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00130F54
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00130D24
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00130E3C
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00130FE0
.text C:\Program Files\iTunes\iTunesHelper.exe[1960] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00130EC8
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000701A8
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00070090
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00070694
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000702C0
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00070234
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00070004
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0007011C
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000704F0
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0007057C
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000703D8
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0007034C
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00070464
.text C:\WINDOWS\system32\wdfmgr.exe[1996] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00070608
.text C:\WINDOWS\system32\wdfmgr.exe[1996] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000707AC
.text C:\WINDOWS\system32\wdfmgr.exe[1996] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00070720
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[2096] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00130DB0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00130F54
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00130D24
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00130E3C
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00130FE0
.text C:\Program Files\Java\jre1.6.0\bin\jusched.exe[2668] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00130EC8
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe[2928] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\iPod\bin\iPodService.exe[3124] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\iPod\bin\iPodService.exe[3124] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\iPod\bin\iPodService.exe[3124] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000801A8
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00080090
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00080694
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000802C0
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00080234
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00080004
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0008011C
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000804F0
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0008057C
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000803D8
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0008034C
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00080464
.text C:\WINDOWS\system32\ctfmon.exe[3136] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00080608
.text C:\WINDOWS\system32\ctfmon.exe[3136] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000807AC
.text C:\WINDOWS\system32\ctfmon.exe[3136] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00080720
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe[3300] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 000301A8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00030090
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00030694
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 000302C0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00030234
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00030004
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0003011C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 000304F0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0003057C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 000303D8
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0003034C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00030464
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00030608
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 000307AC
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00030720
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 000308C4
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00030838
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00030950
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00030DB0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00030F54
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00030D24
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00030E3C
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00030FE0
.text C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe[3308] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00030EC8
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Documents and Settings\Administrator\Desktop\toolbars\antivirus\gmer.exe[3436] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001401A8
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00140090
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00140694
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001402C0
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00140234
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00140004
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0014011C
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001404F0
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0014057C
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001403D8
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0014034C
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00140464
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00140608
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001407AC
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00140720
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001408C4
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00140838
.text C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE[3500] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00140950
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WININET.dll!InternetOpenW 771BAEFD 5 Bytes JMP 00130DB0
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WININET.dll!InternetConnectA 771C30C3 5 Bytes JMP 00130F54
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WININET.dll!InternetOpenA 771C58BA 5 Bytes JMP 00130D24
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WININET.dll!InternetOpenUrlA 771C5B6D 5 Bytes JMP 00130E3C
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WININET.dll!InternetConnectW 771CEE00 5 Bytes JMP 00130FE0
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WININET.dll!InternetOpenUrlW 771D5B52 5 Bytes JMP 00130EC8
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 001308C4
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 00130838
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[3712] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00130950
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\Program Files\Quicknote\quicknote.exe[3740] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\Program Files\Quicknote\quicknote.exe[3740] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\Program Files\Quicknote\quicknote.exe[3740] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001301A8
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00130090
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!WriteProcessMemory 7C80220F 5 Bytes JMP 00130694
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001302C0
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00130234
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!VirtualAlloc 7C809A51 5 Bytes JMP 00130004
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!VirtualAllocEx 7C809A72 5 Bytes JMP 0013011C
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!CreateRemoteThread 7C81042C 5 Bytes JMP 001304F0
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!CreateThread 7C810637 5 Bytes JMP 0013057C
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!CreateProcessInternalW 7C819513 5 Bytes JMP 001303D8
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!CreateProcessInternalA 7C81DDD6 5 Bytes JMP 0013034C
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00130464
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] kernel32.dll!SetThreadContext 7C862AA5 5 Bytes JMP 00130608
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] USER32.dll!SetWindowsHookExW 77D5E4AF 5 Bytes JMP 001307AC
.text C:\WINDOWS\system32\WTablet\TabUserW.exe[3784] USER32.dll!SetWindowsHookExA 77D611E9 5 Bytes JMP 00130720

---- EOF - GMER 1.0.12 ----

Edited by ericwilmoth, 03 April 2007 - 12:14 AM.


#15 ericwilmoth

ericwilmoth
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:02:18 PM

Posted 03 April 2007 - 12:14 AM

HAXFIX logfile - by Marckie

version 4.39
Tue 04/03/2007 0:42:43.42

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
Aspi32
twpR32
twpR64

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


Finished!


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BlazeServoTool" = ""C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"" [file not found]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"Quicknote" = "C:\Program Files\Quicknote\quicknote.exe" [null data]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"Adobe Version Cue CS2" = ""C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"" ["Adobe Sytems Incorporated"]
"Acrobat Assistant 7.0" = ""C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"(Default)" = "(empty string)" [file not found]
"SBCSTray" = "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" ["Sunbelt Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {HKLM...CLSID} = "Universal Plug and Play Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\

"LowRiskFileTypes" = (REG_SZ) .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\

"SaveZoneInformation" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [MS]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Acrobat Speed Launcher" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Google Updater" -> shortcut to: "C:\Program Files\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
"TabUserW.exe" -> shortcut to: "C:\WINDOWS\system32\WTablet\TabUserW.exe" ["Wacom Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INETREPL.DLL" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INETREPL.DLL" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Sunbelt CounterSpy Antispyware, SBCSSvc, ""C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe"" ["Sunbelt Software"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
TabletService, TabletService, "C:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Canon MP FAX Port\Driver = "CNCUPM2K.dll" ["Canon Inc."]
Canon MP Language Monitor MP730\Driver = "CNMLMya.DLL" ["CANON INC."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 98 seconds, including 18 seconds for message boxes)


-------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:54:17 AM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Quicknote\quicknote.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.www.archetypalimages.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeServoTool] "C:\Program Files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Quicknote] C:\Program Files\Quicknote\quicknote.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O17 - HKLM\System\CS2\Services\Tcpip\..\{09E23375-82B3-4B48-8ADF-348D38C37667}: NameServer = 68.87.77.130,68.87.72.130
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users