Trojans tannick, downloader, backdoor.haxdoor and rustock

#1 JB1111 (Member, 21 posts)
Major problems with a laptop.

Here is the HijackThis log; I will also pay for help. I will be looking for a phone number to call to give a donation, since I don't trust online transfers.

Thanks,
JB

Logfile of HijackThis v1.99.1
Scan saved at 10:13:06 AM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Shelly\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Shelly\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

F3 - REG:win.ini: run=,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEEventObj Class - {A69DD619-0385-4347-801D-781C09701BF2} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Autodesk DWF - {C363E0F4-1D07-4ffb-A69F-BB7D3F4E70A5} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Autodesk DWF - {C363E0F4-1D07-4ffb-A69F-BB7D3F4E70A5} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wupdate] rundll32.exe c:\winupdtm.dll,wupdate
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20126\svchost.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] :C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 192.168.1.99
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...;img=2101-27-28
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://summit.mlxcha...FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://summit.mlxcha...ol/Specfile.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://vail.mlxchang...ectComboBox.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138735268923
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://vail.mlxchang...ClientUtils.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://summit.mlxcha...ol/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://vail.mlxchang...ol/IRCSharc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.h.../qdiagh.cab?326
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://summit.mlxcha...CustomCtrls.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Edited by JB1111, 07 December 2006 - 11:39 AM.


#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

Please run a scan with HijackThis and check the following lines for removal:

O4 - HKLM\..\Run: [wupdate] rundll32.exe c:\winupdtm.dll,wupdate
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20126\svchost.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Reboot the computer

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important note: do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.
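The two O4 lines loophole picked out of that log share the tell-tale traits of a dropper's autostart entries: a DLL loaded by rundll32 straight from C:\, and a file named svchost.exe that lives in C:\WINDOWS\inet20126 instead of System32. As an added example (not code from the thread or from the HijackThis project), the Python below parses O4 Run-key lines and applies those heuristics. The six sample lines are copied from the log above; the system drive, the allow-list of folders under C:\WINDOWS and the set of System32-only process names are assumptions chosen for this log.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: six O4 (registry Run key) lines copied from the
# HijackThis log posted above, four benign and the two loophole asked to fix.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wupdate] rundll32.exe c:\winupdtm.dll,wupdate
O4 - HKLM\..\Run: [Microsoft WPCEmail] C:\WINDOWS\inet20126\svchost.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
""".strip().splitlines()

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Either a quoted image path, or an unquoted path up to the first executable extension.
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S.*?\.(?:exe|dll|cpl|scr|com))(?=\s|$)', re.I)

# Assumptions (not from the thread): the system drive is C:, and these are the
# only folders directly under C:\WINDOWS from which something should autostart.
SYSTEM_ROOT = ["c:\\", "windows"]
KNOWN_SYSTEMROOT_DIRS = {"system32", "system", "syswow64"}
# Process names Windows only runs from System32; a copy elsewhere is a masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "winlogon.exe", "services.exe"}


@dataclass
class Finding:
    hive: str
    name: str
    image: str
    reasons: list


def extract_image(cmd: str):
    """Return (path that actually gets loaded, via_rundll32).

    For rundll32 the file that matters is the DLL argument, not rundll32 itself.
    """
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if not m:
        return PureWindowsPath(cmd.split()[0] if cmd else "."), False
    image = m.group("q") or m.group("u")
    if PureWindowsPath(image).name.lower() == "rundll32.exe":
        rest = cmd[m.end():].strip()
        dll = rest.split(",", 1)[0].strip().strip('"')   # "<dll>,<entrypoint>"
        return PureWindowsPath(dll), True
    return PureWindowsPath(image), False


def classify(image: PureWindowsPath, via_rundll32: bool) -> list:
    parts = [p.lower() for p in image.parts]
    name = parts[-1] if parts else ""
    reasons = []
    # 1. A payload dropped straight into the drive root (C:\something.dll):
    #    installers do not put files there, droppers routinely do.
    if image.drive and len(parts) == 2:
        reasons.append("file sits in the drive root")
    # 2. A reserved system process name running from anywhere but System32.
    if name in SYSTEM32_ONLY and parts[:-1] != SYSTEM_ROOT + ["system32"]:
        reasons.append(f"{name} masquerade: runs from {image.parent}, not System32")
    # 3. A folder directly under the Windows directory that Windows does not create.
    if parts[:2] == SYSTEM_ROOT and len(parts) >= 4 and parts[2] not in KNOWN_SYSTEMROOT_DIRS:
        reasons.append(f"unexpected folder under the Windows directory: {image.parent}")
    # 4. rundll32 is a legitimate host, so judge the DLL it loads: a fully qualified
    #    DLL outside the Windows and Program Files trees is suspicious. A bare name
    #    such as bthprops.cpl resolves from the system search path and passes.
    if via_rundll32 and image.drive and parts[:2] != SYSTEM_ROOT and "program files" not in parts:
        reasons.append("rundll32 loads a DLL from a non-system location")
    return reasons


def triage(lines) -> list:
    """Return only the O4 entries that trip at least one heuristic, in log order."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        image, via_rundll32 = extract_image(m.group("cmd"))
        reasons = classify(image, via_rundll32)
        if reasons:
            findings.append(Finding(m.group("hive"), m.group("name"), str(image), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f.hive}] {f.name!r} -> {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the six sample lines it reports exactly the two entries loophole named and nothing else; the Bluetooth rundll32 entry passes because its .cpl has no path and resolves from System32. Heuristics like these narrow a log for a human, they do not replace the lookup of each unfamiliar file.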

#3 JB1111 (Topic Starter, Member, 21 posts)
Hi Loop,

Thanks for the fast response. Here are the results of ComboFix:

Shelly - 06-12-07 12:28:40.25 Service Pack 2
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Shelly\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\drivers\npf.sys


((((((((((((((((((((((((((((((( Files Created from 2006-11-07 to 2006-12-07 ))))))))))))))))))))))))))))))))))


2006-12-06 17:06 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-06 17:06 <DIR> d-------- C:\Program Files\Grisoft
2006-12-05 20:27 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-12-05 20:27 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-12-05 20:27 <DIR> d-------- C:\Program Files\Spyware Doctor
2006-12-05 20:27 <DIR> d-------- C:\Documents and Settings\Shelly\Application Data\PC Tools
2006-12-05 11:54 45,056 --a------ C:\Documents and Settings\Shelly\wpcem.exe
2006-12-05 11:51 81,920 --a------ C:\WINDOWS\system32\Packet.dll
2006-12-05 11:51 61,440 --a------ C:\WINDOWS\system32\WanPacket.dll
2006-12-05 11:51 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-12-05 11:51 233,472 --a------ C:\WINDOWS\system32\wpcap.dll
2006-12-05 11:50 <DIR> d-------- C:\WINDOWS\inet20126
2006-12-05 11:49 8,436 --a------ C:\update85325030.exe
2006-12-05 11:47 8,436 --a------ C:\update94665964.exe
2006-12-05 11:46 8,436 --a------ C:\update94406742.exe
2006-12-05 11:46 8,436 --a------ C:\update02063300.exe
2006-12-05 11:40 4,056 --a------ C:\update65144065.exe
2006-12-05 11:39 8,436 --a------ C:\update94223351.exe
2006-12-05 11:39 8,436 --a------ C:\update88387984.exe
2006-12-05 11:39 45,568 --a------ C:\winupdtm.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-07 12:21 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-07 12:21 -------- d-------- C:\Program Files\Common Files
2006-12-06 18:06 212849 --a------ C:\Program Files\HijackThis.zip
2006-12-05 13:00 -------- d-------- C:\Program Files\Norton AntiVirus
2006-12-05 11:49 -------- d-------- C:\Program Files\Symantec
2006-11-28 10:21 -------- d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2006-11-03 10:03 -------- d-------- C:\Documents and Settings\Shelly\Application Data\Macromedia
2006-10-26 15:12 -------- d-------- C:\Program Files\iTunes
2006-10-26 15:11 -------- d-------- C:\Program Files\iPod
2006-10-26 15:09 -------- d-------- C:\Program Files\QuickTime
2006-10-24 12:02 -------- d-------- C:\Program Files\Microsoft Easy Assist
2006-10-20 08:27 -------- d-------- C:\Program Files\Google
2006-10-12 09:41 1824 --a------ C:\reg_AppID_CLSID.reg
2006-10-11 16:49 -------- d-------- C:\Documents and Settings\Shelly\Application Data\Xerox
2006-10-11 12:07 252752 --a------ C:\WINDOWS\system32\odc.dll
2006-09-15 22:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"=":C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"PrintServer Diagnostic"="C:\\Program Files\\Print Server\\PTP\\PSDiagnostic.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,fe,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\officejet 6100.lnk"
"backup"="C:\\WINDOWS\\pss\\officejet 6100.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hposol08.exe "
"item"="officejet 6100"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1157407420.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1157483359.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-12-07 12:53:54.87
C:\ComboFix.txt ... 06-12-07 12:53

Here is another HijackThis log too; it looked like the laptop still has issues, so I thought you might need it.

Logfile of HijackThis v1.99.1
Scan saved at 4:21:04 PM, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Shelly\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEEventObj Class - {A69DD619-0385-4347-801D-781C09701BF2} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Autodesk DWF - {C363E0F4-1D07-4ffb-A69F-BB7D3F4E70A5} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Autodesk DWF - {C363E0F4-1D07-4ffb-A69F-BB7D3F4E70A5} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] :C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 192.168.1.99
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...;img=2101-27-28
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://summit.mlxcha...FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://summit.mlxcha...ol/Specfile.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://vail.mlxchang...ectComboBox.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1138735268923
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://vail.mlxchang...ClientUtils.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://summit.mlxcha...ol/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://vail.mlxchang...ol/IRCSharc.cab
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.h.../qdiagh.cab?326
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://summit.mlxcha...CustomCtrls.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Thanks,
JB

Edited by JB1111, 07 December 2006 - 05:23 PM.


#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi, what is telling you that you have Haxdoor and Rustock?

Download GMER from here:
http://www.gmer.net/gmer.zip
  • Unzip it to the desktop
  • Right click Gmer.exe and rename it to rkit.exe
  • Click the Rootkit tab and click the Scan button.
  • Warning! Please do not select the "Show all" checkbox during the scan.
  • Once done, click the Copy button.
  • This will copy the results to your clipboard.
  • Paste the results here in your next reply.
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode. Most other rootkit revealers don't.
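When the GMER results come back, the "User code sections" part is a long run of near-identical ".text" lines, one per process and per patched API. The Python script below is an added example for this thread (it is not part of the thread and not GMER's own code). It parses that line format, reassembles the patched bytes per process and API, decodes the common "FF 25 disp32" patch (an x86 JMP DWORD PTR [disp32], a jump through a pointer slot) and groups the hooks across processes, so a helper can see at a glance whether every process carries the same hook set pointing at the same pointer slots, which points to one system-wide hooking component (security software or a rootkit's user-mode layer) rather than per-process tampering. Assumptions: the regular expression is written from the line format visible in this thread, the sample lines are constructed in that format, and the merging of split entries rests on the inference that GMER prints only the bytes that differ from the on-disk image (a 6-byte patch whose fourth byte already matched the original shows up as "3 Bytes" at +0 plus "2 Bytes" at +4).

```python
"""Triage helper for the "User code sections" part of a GMER rootkit scan.

Added example for this thread; not part of the thread and not GMER's own code.
Assumptions (labelled): the line format is taken from the scan output shown in
the thread, the sample lines are constructed in that format, and split entries
are merged on the inference that GMER lists only bytes that differ from the
on-disk image.
"""
import re

# One ".text" line: process[pid]  module!function[ + offset]  address  N Bytes [ hex, hex, ... ]
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s\+\s(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<count>\d+)\s+Bytes\s+"
    r"\[\s*(?P<bytes>[0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\s*\]\s*$"
)

# Constructed sample lines in GMER's "User code sections" format (not a real scan).
SAMPLE_LOG = "\n".join([
    r".text C:\WINDOWS\explorer.exe[180] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]",
    r".text C:\WINDOWS\explorer.exe[180] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]",
    r".text C:\WINDOWS\explorer.exe[180] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]",
    r".text C:\WINDOWS\system32\svchost.exe[376] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]",
    r".text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]",
    "---- Devices - GMER 1.0.12 ----",  # not a hook line; must be skipped
])


def parse_hooks(text):
    """Return one dict per well-formed '.text' line; anything else is skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        patched = bytes.fromhex(m["bytes"].replace(",", " "))
        if len(patched) != int(m["count"]):   # byte list disagrees with the count: distrust the line
            continue
        hooks.append({
            "proc": m["proc"], "pid": int(m["pid"]),
            "module": m["module"].lower(),   # GMER mixes kernel32.dll / KERNEL32.dll
            "func": m["func"],
            "offset_label": m["off"],        # None for an entry at the function start
            "addr": int(m["addr"], 16),
            "bytes": patched,
        })
    return hooks


def reassemble(hooks):
    """Merge entries per (process, pid, module, function) into one address->byte map.

    Inference: GMER prints only bytes that differ from the on-disk image, so a
    6-byte patch whose fourth byte already matched arrives as "3 Bytes" at +0
    plus "2 Bytes" at +4.  `base` is the entry address when a +0 entry was seen,
    else None (a patch somewhere inside the function body).
    """
    sites = {}
    for h in hooks:
        key = (h["proc"], h["pid"], h["module"], h["func"])
        site = sites.setdefault(key, {"base": None, "bytes": {}})
        if h["offset_label"] is None:
            site["base"] = h["addr"]
        for i, b in enumerate(h["bytes"]):
            site["bytes"][h["addr"] + i] = b
    return sites


def decode_patch(addr_bytes, func_addr):
    """Decode an x86 'FF 25 disp32' (JMP DWORD PTR [disp32]) written at func_addr.

    Returns (kind, pointer_slot).  The slot is the absolute address that holds
    the real jump target; it is None when a byte of the displacement was not
    reported (compare that byte against the on-disk image before trusting it).
    """
    if (addr_bytes.get(func_addr), addr_bytes.get(func_addr + 1)) != (0xFF, 0x25):
        return ("other", None)
    disp = [addr_bytes.get(func_addr + 2 + i) for i in range(4)]
    if None in disp:
        return ("jmp_indirect_partial", None)
    return ("jmp_indirect", int.from_bytes(bytes(disp), "little"))


def summarize(text):
    """Group hooks across processes: {(module, func): {processes, kinds, targets}}."""
    summary = {}
    for (proc, pid, module, func), site in reassemble(parse_hooks(text)).items():
        entry = summary.setdefault((module, func), {"processes": [], "kinds": set(), "targets": set()})
        entry["processes"].append(f"{proc}[{pid}]")
        if site["base"] is None:
            entry["kinds"].add("mid_function_patch")
            continue
        kind, slot = decode_patch(site["bytes"], site["base"])
        entry["kinds"].add(kind)
        if slot is not None:
            entry["targets"].add(slot)
    return summary


def report(text):
    """One line per hooked API: how many processes share it and which pointer slots it uses."""
    lines = []
    for (module, func), e in sorted(summarize(text).items()):
        slots = ", ".join(f"0x{t:08X}" for t in sorted(e["targets"])) or "-"
        lines.append(f"{module}!{func}: {len(e['processes'])} process(es), "
                     f"kinds={sorted(e['kinds'])}, pointer slots={slots}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Reading the output is the point: if dozens of processes list the same APIs with the same pointer slots, one component hooked everything and the remaining question is which loaded module owns the address range those slots live in; a process that shows a different slot or a patch kind the others lack is the one to look at first.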

#5 JB1111 (Member, Topic Starter, 21 posts)
I hope this worked correctly. I had to break the scan down into two, as it failed to copy when I ran it as one scan. I gathered the Haxdoor and Rustock names from Norton pop-ups.
Thanks,
JB

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-08 09:25:32
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 864C0570 ZwConnectPort
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\explorer.exe[180] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[180] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\explorer.exe[180] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\explorer.exe[180] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\explorer.exe[180] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\explorer.exe[180] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[376] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[376] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\svchost.exe[376] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[376] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\csrss.exe[444] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[444] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[444] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\csrss.exe[444] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\csrss.exe[444] KERNEL32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\csrss.exe[444] KERNEL32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\csrss.exe[444] KERNEL32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\csrss.exe[444] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[468] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\winlogon.exe[468] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[468] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[468] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[468] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[468] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[468] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\winlogon.exe[468] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\services.exe[512] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\services.exe[512] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\services.exe[512] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\services.exe[512] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\services.exe[512] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\services.exe[512] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\services.exe[512] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\services.exe[512] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\lsass.exe[524] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\lsass.exe[524] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\lsass.exe[524] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\lsass.exe[524] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\lsass.exe[524] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\lsass.exe[524] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\lsass.exe[524] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\lsass.exe[524] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Spyware Doctor\swdoctor.exe[568] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Spyware Doctor\swdoctor.exe[568] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Spyware Doctor\swdoctor.exe[568] USER32.dll!DispatchMessageA 77D4BCBD 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Spyware Doctor\swdoctor.exe[568] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 13, 5F ]
.text C:\Program Files\Spyware Doctor\swdoctor.exe[568] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 0F, 5F ]
.text C:\Program Files\Spyware Doctor\swdoctor.exe[568] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[668] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[668] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[668] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[668] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\svchost.exe[668] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[668] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\WLTRYSVC.EXE[696] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\BCMWLTRY.EXE[820] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[892] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[916] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\rundll32.exe[916] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[916] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[916] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[916] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[916] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\rundll32.exe[916] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[916] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\rundll32.exe[916] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\WLTRAY.EXE[936] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe[944] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[952] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe[960] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[988] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1028] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\hkcmd.exe[1052] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\ctfmon.exe[1064] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1068] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1068] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1068] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1068] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\igfxpers.exe[1084] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Print Server\PTP\PSDiagnostic.exe[1108] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1116] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\QuickTime\qttask.exe[1116] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1116] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1116] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1116] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1116] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\QuickTime\qttask.exe[1116] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1116] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\QuickTime\qttask.exe[1116] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1164] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1180] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\igfxsrvc.exe[1292] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\spoolsv.exe[1392] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1492] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1492] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1492] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1492] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1516] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\svchost.exe[1516] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1516] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1516] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1516] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\svchost.exe[1516] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[1532] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1588] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ D2, 77 ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, CC, 77 ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, CF, 77 ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, C9, 77 ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] USER32.DLL!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 01, 78 ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] USER32.DLL!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, FB, 77 ]
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1624] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, F7, 77 ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] user32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] user32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1716] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE[1832] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] ntdll.dll!NtTerminateProcess + 4 7C90E892 2 Bytes [ 0E, 5F ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] kernel32.dll!CreateProcessW 7C802332 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] kernel32.dll!CreateProcessA 7C802367 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] kernel32.dll!FreeLibrary + 15 7C80AA7B 4 Bytes [ BD, 55, 7F, E2 ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] USER32.dll!SetWindowsHookExW 77D6E621 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] USER32.dll!SetWindowsHookExA 77D702B2 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe[1844] GDI32.dll!Escape 77F27FBB 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1900] ntdll.dll!NtTerminateProcess 7C90E88E 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1900] ntd

#6
loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi

Let's try this scan.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.


#7
JB1111 (Topic Starter, Member, 21 posts)

Hi Loop and many thanks,

Here is the report from the Panda scan.


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Shelly\Cookies\[email protected][1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Shelly\Cookies\[email protected][1].txt

I'm not sure if you support Spyware Doctor, but I had loaded it prior to seeking your help. Here is a log from it, if this may be of help.
Thanks,
JB
Infection Name Location Risk
Advertising C:\Documents and Settings\Shelly\Cookies\[email protected][1].txt Low
Tracking Cookie(s) C:\Documents and Settings\Shelly\Cookies\[email protected][2].txt Low
Tracking Cookie(s) C:\Documents and Settings\Shelly\Cookies\[email protected][1].txt Low
CWS.XPSystem C:\WINDOWS\inet20126 High
CWS.XPSystem C:\WINDOWS\inet20126\killer.exe High
CWS.XPSystem C:\WINDOWS\inet20126\killer.exe.bak High
CWS.XPSystem C:\WINDOWS\inet20126\mm.pid High
CWS.XPSystem C:\WINDOWS\inet20126\svchost.exe.bak High
CWS.XPSystem C:\WINDOWS\inet20126\wpcem.exe High
Trojan.PSW.Agent.FV HKCU\Software\Microsoft\Mailer Data High
Trojan.PSW.Agent.FV HKCU\Software\Microsoft\Mailer Data## High
Trojan.PSW.Agent.FV HKCU\Software\Microsoft\Mailer Data##Date High
Trojan.PWS.Tanspy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load High
Trojan.PWS.Tanspy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load## High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256 High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256## High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256##NextInstance High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000 High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000## High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000##Capabilities High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000##Class High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000##ClassGUID High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000##ConfigFlags High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000##DeviceDesc High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000##Legacy High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000##Service High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000\Control High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Enum\root\legacy_ntio256\0000\Control## High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256 High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256## High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256##DisplayName High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256##ErrorControl High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256##ImagePath High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256##Start High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256##Type High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Enum High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Enum## High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Enum##0 High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Enum##Count High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Enum##INITSTARTFAILED High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Enum##NextInstance High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Security High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Security## High
Rootkit.Foop HKLM\SYSTEM\ControlSet001\Services\ntio256\Security##Security High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256 High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256## High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256##NextInstance High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000 High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000## High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000##Capabilities High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000##Class High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000##ClassGUID High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000##ConfigFlags High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000##DeviceDesc High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000##Legacy High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Enum\root\legacy_ntio256\0000##Service High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256 High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256## High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256##DisplayName High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256##ErrorControl High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256##ImagePath High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256##Start High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256##Type High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256\Security High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256\Security## High
Rootkit.Foop HKLM\SYSTEM\ControlSet002\Services\ntio256\Security##Security High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256 High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256## High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256##NextInstance High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000 High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000## High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000##Capabilities High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000##Class High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000##ClassGUID High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000##ConfigFlags High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000##DeviceDesc High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000##Legacy High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000##Service High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000\Control High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Enum\root\legacy_ntio256\0000\Control## High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256 High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256## High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256##DisplayName High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256##ErrorControl High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256##ImagePath High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256##Start High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256##Type High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Enum High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Enum## High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Enum##0 High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Enum##Count High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Enum##INITSTARTFAILED High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Enum##NextInstance High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Security High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Security## High
Rootkit.Foop HKLM\SYSTEM\CurrentControlSet\Services\ntio256\Security##Security High


Other Sections:

Edited by JB1111, 09 December 2006 - 10:59 PM.


#8
loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi Jb

I apologize for the delay, I have been really sick :whistling:

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and paste the StartupList from Notepad into your next post
Reboot and post the log for me, please.