Removing Fake Windows Security Centre - Help [Closed]


  • This topic is locked

#1
springmellon (New Member, 8 posts)
I would be very grateful for any help with this.

I bought a used laptop from eBay recently. When I got the laptop I found that it was infected with a fake Windows Security Centre which prompts you to install Smart Protector, which the previous owner did. I scanned the computer with SUPERAntiSpyware and MBAM. These showed up a whole load of infections and successfully deleted most of them including Smart Protector. Unfortunately they have not got rid of the fake Security Center, which I just cannot seem to remove.
A scan with MBAM shows the following remaining infections which it detects but still remain after selecting delete and rebooting:

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\system32\wcenter.exe (Trojan.FakeAlert) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{34c1631e-c45c-47e5-a703-cd5c96d78176} (Trojan.BHO.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{34c1631e-c45c-47e5-a703-cd5c96d78176} (Trojan.BHO.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart Protector (Rogue.SmartProtector) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bthc.dll (Trojan.BHO.H) -> No action taken.
C:\Documents and Settings\connor_2\Local Settings\Temp\ybfyxncf.dat (Rootkit.Agent) -> No action taken.
C:\WINDOWS\system32\wcenter.exe (Trojan.FakeAlert) -> No action taken.



I have tried turning off the system restore and restarting in safe mode, but the Fake Windows Security Center always comes back.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54:24, on 08/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\s3hotkey.exe
C:\WINDOWS\system32\00THotkey.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\system32\SxgTkBar.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Belkin\F5D9010\Belkinwcui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wcenter.exe
C:\Program Files\3 Mobile Broadband\3Connect\AutoUpdateSrv.exe
C:\Program Files\3 Mobile Broadband\3Connect\WilogApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)
O2 - BHO: (no name) - {34C1631E-C45C-47E5-A703-CD5C96D78176} - C:\WINDOWS\system32\bthc.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {f5c48f6e-282d-3f05-7c8c-1d1db85b1d08} - C:\WINDOWS\uvifukifurizevul.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 02
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [F5D9010] C:\Program Files\Belkin\F5D9010\Belkinwcui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.underdog....80_loader.html"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1123561945-839522115-1957994488-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-21-1123561945-839522115-1957994488-1003 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - S-1-5-21-1123561945-839522115-1957994488-1003 Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: PC Health.lnk = C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.micros...b?1139406804265
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB017B40-6C58-4194-89BC-893C15768466}: NameServer = 141.1.1.1 195.27.1.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SecuritySystem - {EC4C84BE-B817-47BD-9860-86933DDE59D0} - C:\Documents and Settings\All Users\Application Data\Microsoft\aspyphondu.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe

--
End of file - 10942 bytes


Any help removing the Fake Windows Security Center and other remaining infections would make my day.

Thanks
Springmellon
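One way to cross-check the two logs quoted in the post above, as an added example that is not part of the thread or of either tool: it parses the HijackThis O2 (BHO) and O21 (SSODL) load points and the MBAM detections, then flags entries MBAM named, orphaned entries whose file is gone, and in-process DLLs loading from data directories. The log excerpts are constructed from the post; the regexes and the location heuristic are this example's own assumptions about the two formats.

```python
"""Triage HijackThis COM load points against MBAM detections.

Added example for this thread, not code from the original post or from
HijackThis/MBAM. The log excerpts are constructed from the post above; the
regexes and the location heuristic are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of O2/O21 (plus one O4) lines from the HijackThis log above.
HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {34C1631E-C45C-47E5-A703-CD5C96D78176} - C:\WINDOWS\system32\bthc.dll
O2 - BHO: (no name) - {f5c48f6e-282d-3f05-7c8c-1d1db85b1d08} - C:\WINDOWS\uvifukifurizevul.dll (file missing)
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O21 - SSODL: SecuritySystem - {EC4C84BE-B817-47BD-9860-86933DDE59D0} - C:\Documents and Settings\All Users\Application Data\Microsoft\aspyphondu.dll
"""

# Constructed excerpt of the MBAM detection lines from the same post.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{34c1631e-c45c-47e5-a703-cd5c96d78176} (Trojan.BHO.H) -> No action taken.
Files Infected:
C:\WINDOWS\system32\bthc.dll (Trojan.BHO.H) -> No action taken.
C:\WINDOWS\system32\wcenter.exe (Trojan.FakeAlert) -> No action taken.
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
HJT_COM_RE = re.compile(
    r"^(?P<kind>O2|O21) - (?:BHO|SSODL): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$"
)
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Where a legitimately installed in-process COM object is expected to live.
# Heuristic only: malware dropped into system32 (bthc.dll, wcenter.exe) is
# caught by the MBAM cross-reference, not by this prefix check.
EXPECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")


@dataclass
class Finding:
    kind: str    # HijackThis section: O2 = BHO, O21 = SSODL
    clsid: str   # lower-cased CLSID
    path: str    # DLL path with orphan markers stripped ("" if none given)
    reason: str


def parse_mbam(text: str) -> dict[str, str]:
    """Map each MBAM-flagged item (lower-cased key or path) to its detection name."""
    hits = {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            hits[m["item"].lower()] = m["detection"]
    return hits


def triage(hjt_text: str, mbam_text: str) -> list[Finding]:
    """Return the COM load points in an HJT log that deserve a closer look."""
    hits = parse_mbam(mbam_text)
    bad_clsids = {}
    for item, detection in hits.items():
        for clsid in CLSID_RE.findall(item):
            bad_clsids[clsid.lower()] = detection
    findings = []
    for line in hjt_text.splitlines():
        m = HJT_COM_RE.match(line.strip())
        if not m:
            continue  # O4 Run keys and other sections are not triaged here
        clsid = m["clsid"].lower()
        raw_path = m["path"].strip()
        path = raw_path
        for marker in ORPHAN_MARKERS:
            path = path.replace(marker, "").strip()
        if clsid in bad_clsids:
            reason = f"CLSID flagged by MBAM as {bad_clsids[clsid]}"
        elif path.lower() in hits:
            reason = f"file flagged by MBAM as {hits[path.lower()]}"
        elif any(marker in raw_path for marker in ORPHAN_MARKERS):
            reason = "orphaned load point: registered but the file is absent"
        elif not path.lower().startswith(EXPECTED_PREFIXES):
            reason = "in-process COM object loading from an unusual location"
        else:
            continue
        findings.append(Finding(m["kind"], clsid, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, MBAM_LOG):
        print(f"{f.kind:<3} {f.clsid} {f.path or '-'}\n    -> {f.reason}")
```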

#2
hammerman (Member 4k, 4,183 posts)
Hello and welcome to GeeksToGo.
I'm hammerman and I'm going to help you fix your problem.

Please note that I am still in training and my replies need to be checked by an expert. This means there may be a small delay between my posts. Please bear with me.

I am looking through your log now and will reply as soon as possible.

Before we begin, I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.

#3
springmellon (Topic Starter, New Member, 8 posts)
Brilliant, thanks very much.

#4
hammerman (Member 4k, 4,183 posts)
Hello,

WARNING:
You have a backdoor trojan installed on your computer.
Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Can you please follow these steps?

-- Step 1 --

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

-- Step 2 --

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

-- Step 3 --

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#5
springmellon (Topic Starter, New Member, 8 posts)
Hi. Here are the logs
Thanks Again.


#7
springmellon (Topic Starter, New Member, 8 posts)
Hi. Here are the logs
Thanks Again.

Attached Files

#8
hammerman (Member 4k, 4,183 posts)
Hi springmellon,

Can you please post the Combofix and GMER logs normally and attach the OTS log only.

It's easier for us to work with that way.

Thanks.

#9
springmellon (Topic Starter, New Member, 8 posts)
Hi.

Thanks for coming back to this.

ComboFix 09-09-08.02 - main 09/09/2009 7:27.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.511.142 [GMT 1:00]
Running from: C:\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-09 05:34 . 2009-09-09 05:34 385024 ----a-w- c:\windows\system32\wcenter.exe
2009-09-08 21:54 . 2009-09-08 21:54 3200988 ----a-r- C:\Combo-Fix.exe
2009-09-08 21:49 . 2009-09-08 21:49 280282 ----a-w- C:\gmer.zip
2009-09-08 21:48 . 2009-09-08 21:49 516096 ----a-w- C:\OTS.exe
2009-09-08 17:29 . 2009-09-08 17:29 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2009-09-08 17:28 . 2009-09-08 17:28 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2009-09-08 16:55 . 2009-09-08 16:55 401720 ----a-w- C:\HijackThis.exe
2009-09-07 08:56 . 2009-09-07 19:54 -------- d-----w- c:\documents and settings\Administrator
2009-09-06 22:35 . 2009-09-07 09:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-09-06 22:34 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 22:34 . 2009-09-06 22:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 22:34 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 22:29 . 2009-09-06 22:29 366120 ----a-w- C:\Download_6.1.0.447f-sdregnow-setup.exe
2009-09-06 22:10 . 2009-09-06 22:10 34543112 ----a-w- C:\Ad-AwareAE.exe
2009-09-06 19:28 . 2009-09-06 19:28 50688 ----a-w- C:\ATF-Cleaner.exe
2009-09-06 17:31 . 2009-09-06 17:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-06 17:31 . 2009-09-06 17:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-06 17:31 . 2009-09-06 17:31 -------- d-----w- c:\documents and settings\main\Application Data\SUPERAntiSpyware.com
2009-09-06 17:28 . 2009-09-06 17:28 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-06 17:04 . 2009-09-06 17:04 7163936 ----a-w- C:\SUPERAntiSpyware.exe
2009-09-06 01:12 . 2009-09-06 01:12 -------- d-----w- c:\documents and settings\main\Application Data\Malwarebytes
2009-09-06 01:12 . 2009-09-06 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-06 01:11 . 2009-09-06 22:20 3942048 ----a-w- C:\mbam-setup.exe
2009-09-06 00:54 . 2009-09-07 18:13 26709272 ----a-w- C:\sdsetup.exe
2009-09-05 22:38 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-05 22:38 . 2009-09-05 23:08 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-05 22:38 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-05 22:37 . 2009-09-05 22:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-05 22:37 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-05 22:37 . 2009-09-08 17:11 -------- d-----w- c:\program files\Spyware Doctor
2009-09-05 22:37 . 2009-09-05 22:37 -------- d-----w- c:\documents and settings\main\Application Data\PC Tools
2009-09-05 22:37 . 2009-09-05 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-05 22:36 . 2009-09-05 22:36 18051464 ----a-w- C:\6.1.0.447d-sd-setup.exe
2009-09-05 21:06 . 2009-09-05 21:06 -------- d-----w- c:\program files\VS Revo Group
2009-09-05 20:35 . 2009-09-05 20:35 -------- d-----w- c:\documents and settings\main\Local Settings\Application Data\RadioSure
2009-09-05 20:22 . 2009-09-05 20:22 2219225 ----a-w- C:\RadioSure-2.0.872-setup.exe
2009-09-05 20:12 . 2009-09-05 20:12 -------- d-----w- c:\documents and settings\main\Application Data\Ashampoo
2009-09-05 20:12 . 2009-09-05 20:12 -------- d-----w- c:\documents and settings\main\Local Settings\Application Data\ashampoo
2009-09-05 20:12 . 2009-09-05 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
2009-09-05 20:12 . 2009-09-05 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\page
2009-09-05 20:05 . 2009-09-05 20:05 6054784 ----a-w- C:\ashampoo_burning_studio_6_free_676_4311.exe
2009-09-05 19:55 . 2005-12-09 22:09 56832 ----a-w- C:\mpk.exe
2009-09-05 19:55 . 2009-09-05 19:55 51029 ----a-w- C:\mpk.zip
2009-09-05 19:30 . 2009-09-05 19:33 -------- d-----w- C:\docs
2009-09-05 19:30 . 2009-09-05 19:33 -------- d-----w- C:\src
2009-09-05 19:30 . 2009-09-05 19:30 10633767 ----a-w- C:\mame0133s.exe
2009-09-05 12:12 . 2009-09-05 12:13 -------- d-----w- c:\documents and settings\main\Application Data\dvdcss
2009-09-05 10:06 . 2009-09-05 10:06 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-04 23:42 . 2009-09-04 23:42 -------- d-----w- c:\documents and settings\main\Local Settings\Application Data\Help
2009-09-04 23:33 . 2001-05-21 01:16 61598 ----a-w- c:\windows\system32\EBPMON2.DLL
2009-09-04 23:33 . 2001-03-29 01:21 57344 ----a-w- c:\windows\system32\ECBTEG.DLL
2009-09-04 23:33 . 2000-09-14 01:03 145 ----a-w- c:\windows\system32\EBPPORT.DAT
2009-09-04 23:33 . 2009-09-04 23:33 -------- d-----w- c:\program files\EPSON
2009-09-04 23:33 . 2000-06-07 00:01 34304 ----a-w- c:\windows\system32\EBPCHP.DLL
2009-09-04 23:33 . 2009-09-04 23:33 -------- d-----w- C:\EPSON
2009-09-04 20:40 . 2009-09-04 20:40 4108299 ----a-w- C:\sc680_winxp_full.exe
2009-09-04 18:37 . 2009-09-04 18:37 -------- d-----w- c:\documents and settings\main\Application Data\Apple Computer
2009-09-04 18:35 . 2009-09-04 18:35 -------- d-----w- c:\documents and settings\main\Local Settings\Application Data\Apple Computer
2009-09-04 18:35 . 2009-09-04 18:35 -------- d-----w- c:\program files\QuickTime
2009-09-04 14:13 . 2009-09-04 14:13 -------- d-----w- c:\windows\ie8updates
2009-09-04 14:08 . 2009-09-04 14:12 -------- d-----w- C:\21c5d0ad9cda8f6deb01
2009-09-04 08:49 . 2009-09-04 08:49 -------- d-----w- c:\program files\RegMagik
2009-09-04 08:48 . 2009-09-05 22:07 -------- d-----w- c:\program files\RegCleaner
2009-09-04 08:47 . 2009-09-07 21:22 -------- d-----w- c:\documents and settings\main\Application Data\GetRightToGo
2009-09-04 08:45 . 2009-09-04 08:46 -------- d-----w- C:\ce38de16813a580967f16afff0df5d
2009-09-04 08:45 . 2009-09-04 08:45 -------- d-----w- c:\program files\ACW
2009-09-04 07:35 . 2009-09-05 14:54 -------- d-sh--w- c:\windows\system32\LocalSystem32
2009-09-03 19:33 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-09-03 19:33 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-09-03 19:30 . 2009-09-03 19:30 -------- d-----w- c:\documents and settings\main\Local Settings\Application Data\{DD4E68DA-DBCD-4C1F-B85E-FF8A7BEBE383}
2009-09-01 19:09 . 2008-04-13 23:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-09-01 19:09 . 2008-04-13 23:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-09-01 05:34 . 2009-09-01 05:34 -------- d-sh--w- c:\documents and settings\main\IECompatCache
2009-08-31 21:40 . 2009-08-31 21:42 -------- d-----w- c:\documents and settings\main\Application Data\vlc
2009-08-31 21:38 . 2009-08-31 21:38 -------- d-----w- c:\program files\VideoLAN
2009-08-31 19:03 . 2009-08-31 19:03 2993200 ----a-w- C:\vlc-1.0.1-win32.exe
2009-08-31 10:19 . 2009-08-31 10:19 -------- d-sh--w- c:\documents and settings\main\PrivacIE
2009-08-31 08:23 . 2009-08-31 08:23 -------- d-sh--w- c:\documents and settings\main\IETldCache
2009-08-31 08:16 . 2009-08-31 08:18 -------- dc-h--w- c:\windows\ie8
2009-08-30 16:39 . 2009-08-30 16:39 -------- d-----w- c:\documents and settings\main\Application Data\Birdstep Technology
2009-08-30 16:39 . 2009-08-30 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-08-30 16:36 . 2009-02-17 19:34 112640 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2009-08-30 16:36 . 2008-12-30 10:55 102656 ----a-w- c:\windows\system32\drivers\ewusbfake.sys
2009-08-30 16:36 . 2008-12-13 10:26 102400 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2009-08-30 16:36 . 2008-04-14 08:36 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2009-08-30 16:36 . 2007-08-09 03:13 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2009-08-30 16:36 . 2009-08-30 16:36 -------- d-----w- c:\program files\Huawei Modems
2009-08-30 16:36 . 2009-08-30 16:36 70667 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2009-08-30 16:36 . 2007-05-28 16:00 10240 ------w- c:\windows\system32\drivers\mdvrmng.sys
2009-08-30 16:35 . 2009-08-30 16:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-30 16:35 . 2009-08-30 16:35 -------- d-----w- c:\program files\3 Mobile Broadband
2009-08-30 16:34 . 2009-08-30 16:34 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-28 15:04 . 2001-08-17 21:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-08-28 15:04 . 2008-04-14 04:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-08-28 15:04 . 2008-04-13 23:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-08-28 15:04 . 2008-04-13 23:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 05:57 . 2009-01-10 20:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-07 09:31 . 2009-09-07 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-07 09:30 . 2009-09-07 12:39 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-07 09:30 . 2009-09-07 09:31 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-07 09:22 . 2009-09-07 09:22 -------- d-----w- c:\program files\Lavasoft
2009-09-07 08:57 . 2009-09-07 08:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-06 23:45 . 2009-04-23 16:18 0 ----a-w- c:\windows\Nqisuvubov.bin
2009-09-06 16:59 . 2009-09-06 08:13 77 ----a-w- c:\documents and settings\main\udpcrawl.tmp
2009-09-05 23:07 . 2009-09-05 23:07 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-09-05 21:56 . 2009-07-22 08:08 -------- d-----w- c:\program files\Google
2009-09-04 23:40 . 2009-04-29 05:01 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-04 19:00 . 2009-05-26 10:18 -------- d-----w- c:\documents and settings\main\Application Data\LimeWire
2009-09-04 14:33 . 2009-07-23 09:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-03 21:51 . 2009-03-22 08:01 -------- d-----w- c:\program files\Orbitdownloader
2009-09-03 21:50 . 2009-05-25 06:15 -------- d-----w- c:\documents and settings\main\Application Data\Orbit
2009-08-31 10:20 . 2009-08-31 10:20 0 --sha-w- c:\windows\system32\21.tmp
2009-08-31 10:20 . 2009-08-31 10:19 0 --sha-w- c:\windows\system32\20.tmp
2009-08-05 09:01 . 2008-04-14 04:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2008-04-14 04:41 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2008-04-27 21:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-04-27 22:05 915456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:21 . 2009-06-26 16:20 34 ----a-w- c:\documents and settings\main\jagex_runescape_preferences.dat
2009-06-26 09:41 . 2008-04-14 04:41 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:41 . 2008-04-14 04:42 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:41 . 2008-04-14 04:42 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:41 . 2008-04-14 04:42 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:41 . 2008-04-14 04:42 136704 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:41 . 2008-04-14 04:41 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 10:28 . 2008-04-13 23:01 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2008-04-14 04:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2008-04-14 04:41 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2008-04-14 04:42 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2008-04-14 04:42 76288 ----a-w- c:\windows\system32\telnet.exe
.

------- Sigcheck -------

[-] 2008-04-27 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-22 39408]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"00THotkey"="c:\windows\system32\00THotkey.exe" [2002-01-30 249856]
"EM_EXEC"="c:\progra~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-03 35328]
"TMESRV.EXE"="c:\program files\TOSHIBA\TME3\TMESRV31.EXE" [2002-02-21 118784]
"TMERzCtl.EXE"="c:\program files\TOSHIBA\TME3\TMERzCtl.EXE" [2002-02-04 77824]
"TMEEJME.EXE"="c:\program files\TOSHIBA\TME3\TMEEJME.EXE" [2002-02-05 65536]
"TMESBS.EXE"="c:\program files\TOSHIBA\TME3\TMESBS32.EXE" [2002-02-21 73728]
"F5D9010"="c:\program files\Belkin\F5D9010\Belkinwcui.exe" [2006-03-14 1585152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-07 520024]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-22 1181064]
"S3Hotkey"="s3hotkey.exe" - c:\windows\system32\s3hotkey.exe [2002-09-19 31232]
"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]
"TFncKy"="TFncKy.exe" [BU]
"Tpwrtray"="TPWRTRAY.EXE" - c:\windows\system32\TPWRTRAY.EXE [2002-01-31 196608]
"SxgTkBar"="SxgTkBar.exe" - c:\windows\system32\Sxgtkbar.exe [2001-07-11 53248]
"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2001-08-03 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]
StarOffice 8.lnk - c:\program files\Sun\StarOffice 8\program\quickstart.exe [2007-2-2 122880]

c:\documents and settings\main\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-4-7 1773568]
PC Health.lnk - c:\program files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs [2008-12-23 2126]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SecuritySystem"= {EC4C84BE-B817-47BD-9860-86933DDE59D0} - c:\documents and settings\All Users\Application Data\Microsoft\aspyphondu.dll [2009-08-31 772096]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [07/09/2009 10:31 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [05/09/2009 23:38 206256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [04/09/2009 14:50 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/09/2009 14:49 74480]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [23/12/2008 13:04 5802]
R2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [30/08/2009 17:36 10240]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [07/09/2009 10:24 348752]
R2 Tmesbs;Tmesbs32;c:\program files\Toshiba\TME3\tmesbs32.exe [23/12/2008 13:04 73728]
R2 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [23/12/2008 13:04 118784]
R3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [30/08/2009 17:36 102656]
R3 SOFTXG;YAMAHA XG WDM SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [23/12/2008 13:34 967040]
S1 ipbhagvi;ipbhagvi;\??\c:\windows\system32\drivers\ipbhagvi.sys --> c:\windows\system32\drivers\ipbhagvi.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\program files\Subagames\CrossFire\GameGuard\dump_wmimmc.sys --> c:\program files\Subagames\CrossFire\GameGuard\dump_wmimmc.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 22:34 1029456]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/09/2009 14:50 7408]
S3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\DRIVERS\ss.sys --> c:\windows\system32\DRIVERS\ss.sys [?]
S3 wlags48b;Agere Wireless PCCard Driver;c:\windows\system32\drivers\wlags48b.sys [02/01/2000 16:44 171520]

--- Other Services/Drivers In Memory ---

*Deregistered* - aujasnkj
*Deregistered* - mchInjDrv
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 09:30]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-09 07:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet064\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1123561945-839522115-1957994488-1003\Software\SecuROM\License information*]
"datasecu"=hex:d2,86,77,d5,c5,3a,8d,90,5a,c4,2b,08,96,98,39,cf,f1,59,9b,5d,e1,
cb,cb,6e,1f,7c,54,84,13,f4,a0,77,0a,01,fc,5f,bb,5f,60,9c,53,11,88,71,0c,68,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Toolbar\QuickComplete]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Smart Protector\Lic]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3748)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\TOSHIBA\TME3\TMEEJMD.DLL
c:\progra~1\MOUSEW~1\SYSTEM\LgMousHk.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\documents and settings\All Users\Application Data\Microsoft\aspyphondu.dll
.
Completion time: 2009-09-09 7:38
ComboFix-quarantined-files.txt 2009-09-09 06:38
ComboFix2.txt 2009-09-08 22:20

Pre-Run: 30,333,444,096 bytes free
Post-Run: 30,298,365,952 bytes free

299 --- E O F --- 2009-09-08 00:38

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-09 07:10:11
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF852787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8527BFE]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF2BDC6D0]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02240001
.text C:\WINDOWS\Explorer.EXE[208] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[208] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01110001
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BC0001
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C00001
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DF0001
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\csrss.exe[500] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 013B0001
.text C:\WINDOWS\system32\csrss.exe[500] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[500] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D60001
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\winlogon.exe[552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014F0001
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\services.exe[596] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[596] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BD0001
.text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009B0001
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A40001
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\svchost.exe[768] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[768] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E40001
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C60001
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01320001
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E50001
.text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02A40001
.text C:\WINDOWS\System32\svchost.exe[876] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[876] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00640001
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01490001
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04880001
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A20001
.text C:\WINDOWS\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009A0001
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CD0001
.text C:\WINDOWS\system32\spoolsv.exe[1312] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1312] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00910001
.text C:\WINDOWS\system32\svchost.exe[1384] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1384] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012D0001
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1452] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01EE0001
.text C:\Program Files\Java\jre6\bin\jqs.exe[1452] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1452] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B90001
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F2C0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F250F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F220F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [2A, 5F]
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F2F0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00730001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1524] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1524] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1556] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F20001
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E40001
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03EB0001
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] kernel32.dll!CreateThread + 1B 7C8106F2 3 Bytes CALL 0044ACCE C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe[1704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01240001
.text C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe[1704] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe[1704] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe[1740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe[1740] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe[1740] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F30001
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\UPHClean\uphclean.exe[1784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\Program Files\UPHClean\uphclean.exe[1784] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\UPHClean\uphclean.exe[1784] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DD0001
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\System32\alg.exe[2800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00840001
.text C:\WINDOWS\System32\alg.exe[2800] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\WINDOWS\system32\wcenter.exe[3056] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 013EC650
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 013EC600
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 013E8850
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 013E9AB0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 013EB3C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 013E9D20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 013E9B30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 013EA9C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 013EC300
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 013EC340
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 013EC6E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 013EC1C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 013EB320
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 013EA2E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013E9C90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 013EA010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 013ECC60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 013EAD10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 013EB180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 013EB840
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 013EB5D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 013EB7C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 013EBCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 013EB9B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 013E9C00
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013EA190
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 013EC420
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 013EB710
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 013EB2C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 013EB140
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 013EB4D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 013EC700
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 013EB510
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 013EC9A0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 013EC940
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 013ECB90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 013ECC30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 013ECA60

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----




GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-09 07:10:11
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF852787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF8527BFE]
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xF2BDC6D0]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02240001
.text C:\WINDOWS\Explorer.EXE[208] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[208] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01110001
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\00THotkey.exe[324] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BC0001
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\s3hotkey.exe[400] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C00001
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE[456] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DF0001
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE[484] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 010F0001
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE[488] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\csrss.exe[500] KERNEL32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 013B0001
.text C:\WINDOWS\system32\csrss.exe[500] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\csrss.exe[500] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D60001
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE[504] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\winlogon.exe[552] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 014F0001
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\winlogon.exe[552] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\services.exe[596] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\services.exe[596] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\lsass.exe[608] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BD0001
.text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\lsass.exe[608] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00ED0001
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\SxgTkBar.exe[612] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009B0001
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe[656] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A40001
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\TPWRTRAY.EXE[728] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00FD0001
.text C:\WINDOWS\system32\svchost.exe[768] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[768] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E40001
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Java\jre6\bin\jusched.exe[776] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C60001
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\TFNF5.exe[784] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01320001
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Belkin\F5D9010\Belkinwcui.exe[796] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[836] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E50001
.text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[836] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\System32\svchost.exe[876] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02A40001
.text C:\WINDOWS\System32\svchost.exe[876] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\svchost.exe[876] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00640001
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[908] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01490001
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[1012] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 04880001
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Registry Mechanic\RegMech.exe[1044] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[1076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A20001
.text C:\WINDOWS\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1076] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009A0001
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\spoolsv.exe[1312] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00CD0001
.text C:\WINDOWS\system32\spoolsv.exe[1312] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\spoolsv.exe[1312] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00910001
.text C:\WINDOWS\system32\svchost.exe[1384] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1384] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 012D0001
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1432] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1452] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01EE0001
.text C:\Program Files\Java\jre6\bin\jqs.exe[1452] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre6\bin\jqs.exe[1452] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 02B90001
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F2C0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F250F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F220F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [2A, 5F]
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F1C0F5A
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1488] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F2F0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1524] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00730001
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1524] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[1524] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1556] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044AD11 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F20001
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe[1612] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E40001
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\svchost.exe[1684] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03EB0001
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] kernel32.dll!CreateThread + 1B 7C8106F2 3 Bytes CALL 0044ACCE C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1700] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe[1704] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01240001
.text C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe[1704] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe[1704] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe[1740] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01060001
.text C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe[1740] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe[1740] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F30001
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe[1780] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\Program Files\UPHClean\uphclean.exe[1784] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\Program Files\UPHClean\uphclean.exe[1784] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\UPHClean\uphclean.exe[1784] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DD0001
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wscntfy.exe[1952] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\WINDOWS\System32\alg.exe[2800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00840001
.text C:\WINDOWS\System32\alg.exe[2800] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\System32\alg.exe[2800] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\WINDOWS\system32\wcenter.exe[3056] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wcenter.exe[3056] user32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003C0001
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!ChangeDisplaySettingsExA 7E42384E 6 Bytes JMP 5F140F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetForegroundWindow 7E4242ED 6 Bytes JMP 5F0D0F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!SetWindowsHookExA 7E431211 6 Bytes JMP 5F040F5A
.text C:\DOCUME~1\main\LOCALS~1\Temp\7zO10.tmp\gmer.exe[3644] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 6 Bytes JMP 5F170F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 013EC650
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 013EC600
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 013E8850
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 013E9AB0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 013EB3C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 013E9D20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 013E9B30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 013EA9C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 013EC300
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 013EC340
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 013EC6E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 013EC1C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 013EB320
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 013EA2E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013E9C90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 013EA010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 013ECC60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 013EAD10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 013EB180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 013EB840
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 013EB5D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 013EB7C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 013EBCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 013EB9B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 013E9C00
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013EA190
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 013EC420
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 013EB710
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 013EB2C0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 013EB140
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 013EB4D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 013EC700
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 013EB510
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 013EC9A0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 013EC940
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 013ECB90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 013ECC30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[1044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 013ECA60

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----

Attached Files


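The user-mode hook and AttachedDevice sections of the GMER log above are tedious to read by hand, and the important signal is comparative: a JMP/CALL target such as 5F0A0F5A that shows up in almost every process, gmer.exe's own included, is one system-wide hook (normally a security product), while an API patched in a single process, or a filter driver on \Driver\Tcpip that GMER printed no version string for, is what deserves a closer look. The Python script below is an added example for this thread, not GMER's code and not something anyone in the thread posted. It parses lines in the log's layout, counts how many processes share each unattributed target, lists the APIs hooked in one image but not in gmer.exe, and lists TCP/IP filters without version information. The sample lines are a constructed excerpt of the log above; the example.sys line and its description are invented.

```python
"""Triage helper for the ".text" user-mode hook and "AttachedDevice" lines
of a GMER 1.0.15 log. Added example for this thread; not GMER's own code."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the layout of the log above. The example.sys line and
# its description are invented to show a filter that GMER could attribute.
SAMPLE_LOG = """\
.text C:\\WINDOWS\\system32\\wcenter.exe[3056] user32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\\WINDOWS\\system32\\wcenter.exe[3056] user32.dll!SetWindowPos 7E4299F3 3 Bytes [FF, 25, 1E]
.text C:\\WINDOWS\\system32\\wcenter.exe[3056] user32.dll!SetWindowPos + 4 7E4299F7 2 Bytes [12, 5F]
.text C:\\WINDOWS\\System32\\alg.exe[2800] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00840001
.text C:\\WINDOWS\\System32\\alg.exe[2800] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
.text C:\\Program Files\\Spyware Doctor\\pctsSvc.exe[1556] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044AD11 C:\\Program Files\\Spyware Doctor\\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\\DOCUME~1\\main\\LOCALS~1\\Temp\\7zO10.tmp\\gmer.exe[3644] USER32.dll!SetWindowsHookExW 7E42820F 6 Bytes JMP 5F0A0F5A
AttachedDevice \\Driver\\Tcpip \\Device\\Tcp mdvrmng.sys
AttachedDevice \\Driver\\Tcpip \\Device\\Udp mdvrmng.sys
AttachedDevice \\FileSystem\\Ntfs \\Ntfs example.sys (Example Filter/Example Corp)
"""

HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] "
    r"(?P<api>\S+)(?: \+ (?P<offset>[0-9A-Fa-f]+))? "
    r"(?P<addr>[0-9A-F]{8}) (?P<nbytes>\d+) Bytes (?P<patch>.*)$"
)
TRANSFER_RE = re.compile(r"^(?P<kind>JMP|CALL) (?P<target>[0-9A-F]{8})(?: (?P<owner>.+))?$")
ATTACHED_RE = re.compile(
    r"^AttachedDevice (?P<driver>\S+) (?P<device>\S+) (?P<filter>\S+)(?: \((?P<desc>.*)\))?$"
)


def parse_hooks(text):
    """Map (image path, pid) -> list of hook records from the .text lines."""
    hooks = defaultdict(list)
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if not m:
            continue
        rec = {"api": m["api"].lower(), "kind": "bytes", "target": None, "owner": None}
        t = TRANSFER_RE.match(m["patch"])
        if t:  # GMER printed a JMP/CALL and, when it could resolve it, the owning module
            rec.update(kind=t["kind"], target=t["target"], owner=t["owner"])
        hooks[(m["image"], int(m["pid"]))].append(rec)
    return dict(hooks)


def parse_attached(text):
    """AttachedDevice lines as dicts; desc is None when GMER printed no version info."""
    return [m.groupdict() for m in map(ATTACHED_RE.match, text.splitlines()) if m]


def target_prevalence(hooks):
    """Number of distinct processes whose hooks transfer to each unattributed target.
    A target shared by nearly every process (gmer.exe included) is a global hook;
    a target seen in one process only is worth a closer look."""
    counts = Counter()
    for recs in hooks.values():
        for tgt in {r["target"] for r in recs if r["target"] and not r["owner"]}:
            counts[tgt] += 1
    return counts


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hooks_unique_to(hooks, image, reference="gmer.exe"):
    """APIs patched in `image` but not in the reference process (case-folded)."""
    def apis(name):
        return {r["api"] for (img, _), recs in hooks.items()
                if _basename(img) == name.lower() for r in recs}
    return sorted(apis(image) - apis(reference))


def tcpip_filters_without_version(attached):
    """Filter drivers on the TCP/IP stack with no version string in the log;
    each one should be traced back to a known installer before it is trusted."""
    return sorted({a["filter"] for a in attached
                   if a["driver"] == "\\Driver\\Tcpip" and a["desc"] is None})


def triage(text):
    hooks = parse_hooks(text)
    return {
        "processes": len(hooks),
        "prevalence": target_prevalence(hooks),
        "unique_to_wcenter": hooks_unique_to(hooks, "wcenter.exe"),
        "tcpip_filters": tcpip_filters_without_version(parse_attached(text)),
    }


if __name__ == "__main__":
    import sys
    # Pass a saved GMER log path to triage a real log; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of the full log (`python gmer_triage.py gmer.txt`) to get the same summary for every process; the script only groups and compares, it does not decide what is malicious, so a filter driver it lists still has to be matched to an installed product.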

#10
springmellon

OTS LOG

Attached Files



#11
hammerman

Hello,

Can you please carry out these steps.

-- Step 1 --

I notice you are running one or more Peer-to-Peer (P2P) programs. The files shared by P2P programs are often infected with viruses and malware, even though they may appear to be legitimate. For this reason, I would recommend you uninstall them. If you decide to keep them, I ask that you do not use them while we are fixing your problem.

An article indicating the Dangers of P2P can be found here

-- Step 2 --

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill All Processes]
[Unregister Dlls]
[Processes - Safe List]
YY -> wcenter.exe -> C:\WINDOWS\System32\wcenter.exe
[Driver Services - Safe List]
YY -> (vkquwexg) vkquwexg [Kernel | Unknown | Running] ->
[Registry - Safe List]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1123561945-839522115-1957994488-1003] > -> HKEY_USERS\S-1-5-21-1123561945-839522115-1957994488-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC4C84BE-B817-47BD-9860-86933DDE59D0}" [HKLM] -> C:\Documents and Settings\All Users\Application Data\Microsoft\aspyphondu.dll [SecuritySystem]
[Files/Folders - Created Within 30 Days]
NY -> wcenter.exe -> C:\WINDOWS\System32\wcenter.exe
NY -> ExterminateItSetup.exe -> C:\ExterminateItSetup.exe
[Custom Items]
:files
c:\windows\Nqisuvubov.bin
c:\documents and settings\main\udpcrawl.tmp
c:\windows\system32\21.tmp
c:\windows\system32\20.tmp
:end
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

-- Step 3 --

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\windows\system32\drivers\ipbhagvi.sys

Folder::

Registry::

Driver::
ipbhagvi

SRPeek::
c:\windows\system32\sfcfiles.dll


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

-- Step 4 --

I notice that you do not have an antivirus program running on your computer. Without this protection, you are extremely vulnerable to the ever-increasing number of viruses and malware present today. This is so important that I ask you to install an antivirus program before we proceed any further.

There are many free programs available for you to use. Two such programs are Avast from here or Avira from here. Please install ONE of these programs now and ensure you carry out a full update.

-- Step 5 --
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Can you please reply with
1. The report from the OTS fix (step 2)
2. The Combofix report (step 3)
3. Confirmation that you have installed an antivirus program.
4. The OTListIt.txt and Extras.txt logs (step 5)

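Beside the wcenter.exe process and the unknown kernel driver, the OTS fix in Step 2 above removes two persistence items that are easy to verify afterwards: the per-user policies\System values that disable Task Manager and regedit, and a ShellServiceObjectDelayLoad (SSODL) CLSID whose DLL lives under All Users\Application Data rather than system32. The Python script below is an added example for this thread, not OTS or any tool from the thread. `audit()` evaluates a snapshot of those two locations and flags lockout values set to 1 and SSODL DLLs outside system32; `collect_live()` builds the same snapshot from the live registry with the standard-library `winreg` module (Windows only, Python 3), resolving each SSODL CLSID through its HKCR\CLSID\{clsid}\InProcServer32 key. The snapshot is constructed to mirror the fix; the second CLSID and example.dll are a hypothetical benign entry for contrast.

```python
"""Post-fix check for two persistence points named in the OTS fix above:
the per-user Task Manager/regedit lockout values and ShellServiceObjectDelayLoad
(SSODL). Added example for this thread; not OTS or any other tool's code."""
import sys

POLICY_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System"
SSODL_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
LOCKOUT_VALUES = ("DisableTaskMgr", "DisableRegistryTools")

# Constructed snapshot mirroring the fix. SSODL is given as CLSID -> the DLL its
# InProcServer32 key resolves to. The second CLSID and example.dll are a
# hypothetical benign entry for contrast.
SAMPLE_SNAPSHOT = {
    "policies": {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    "ssodl": {
        "{EC4C84BE-B817-47BD-9860-86933DDE59D0}":
            r"C:\Documents and Settings\All Users\Application Data\Microsoft\aspyphondu.dll",
        "{11111111-2222-3333-4444-555555555555}": r"C:\WINDOWS\system32\example.dll",
    },
}


def audit(snapshot, system_root=r"C:\WINDOWS"):
    """Return (category, item, reason) tuples for anything a clean system should
    not have: lockout policies set, or SSODL DLLs loaded from outside system32."""
    findings = []
    for name in LOCKOUT_VALUES:
        if snapshot.get("policies", {}).get(name) == 1:
            findings.append(("policy", name, "set to 1; user cannot open Task Manager/regedit"))
    sys32 = system_root.rstrip("\\").lower() + "\\system32\\"
    for clsid, dll in snapshot.get("ssodl", {}).items():
        if not dll.lower().startswith(sys32):
            findings.append(("ssodl", clsid, f"loads {dll} from outside {sys32}"))
    return findings


def collect_live():
    """Read the same two locations from the live registry (Windows only)."""
    import winreg  # standard library on Windows; ImportError elsewhere
    policies = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_SUBKEY) as key:
            for name in LOCKOUT_VALUES:
                try:
                    policies[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass
    except FileNotFoundError:
        pass  # no policies\System key at all is the normal state
    ssodl = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # end of enumeration
            index += 1
            # The value data is normally the CLSID; fall back to the value name.
            clsid = data if isinstance(data, str) and data.startswith("{") else name
            try:
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InProcServer32") as srv:
                    ssodl[clsid] = winreg.QueryValueEx(srv, "")[0]
            except FileNotFoundError:
                ssodl[clsid] = "<no InProcServer32 for this CLSID>"
    return {"policies": policies, "ssodl": ssodl}


if __name__ == "__main__":
    live = "--live" in sys.argv and sys.platform == "win32"
    snapshot = collect_live() if live else SAMPLE_SNAPSHOT
    for category, item, reason in audit(snapshot) or [("ok", "-", "nothing flagged")]:
        print(f"[{category}] {item}: {reason}")
```

`python ssodl_check.py --live` on the affected machine, run as the user whose SID appears in the fix, should report nothing after the OTS fix and reboot; a remaining SSODL entry pointing into Application Data means the DLL is still being loaded by Explorer at logon. The system32 check is a heuristic for XP's stock SSODL entries, so a legitimate third-party entry elsewhere is reported for review, not declared malicious.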

#12
hammerman

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.