Full Version: Win32 trojan
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
kr82
Hey there, yet another victim of a trojan. This one seems to have come in via the Windows Automatic Update installer. It keeps reinstalling itself after Ad-Aware quarantines it. Reportedly, it says creating a system restore point failed and succeeded, so I am unsure which is correct. Ad-Aware calls it "win32Trojan.Tdss"; inside the system32 folder, "UACxyxtepmpux.dll" is listed as the infected file. My HijackThis log is pasted below. It is severely limiting my ability to browse; I had to manually navigate to all sites, as clicking from a Google search auto-redirects me to crummy ad sites.

Thanks in advance for the help! If there is anything further I can provide, just let me know.

Kirie

---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:14:36 PM, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\K\K.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\K\My Documents\mbam-setup.exe
C:\Documents and Settings\K\My Documents\mbam-setup.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\K\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [K] C:\Documents and Settings\K\K.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9475 bytes
kr82
Here's a HijackThis log after the darn thing reinstalls itself:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:01 PM, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\K\K.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
O4 - HKLM\..\Run: [WLSS] C:\Program Files\Wireless Select Switch\WLSS.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\K\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [K] C:\Documents and Settings\K\K.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9384 bytes
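Two things stand out when the two logs above are read side by side: the same entries survive Ad-Aware's quarantine, and the ones that look wrong are wrong for a reason a script can test. `lsass.exe` is a system32 binary, yet the `[LSA Shellu]` Run value points at a copy in the user's profile root, and `[K]` launches `K.exe` from that same profile root (it also appears in the Running processes list). The script below is an added example, not part of this thread and not a HijackThis feature: it parses the Running processes paths and the `O4` autostart entries, resolves the executable from each command line (quoted or bare), and flags paths outside Windows/Program Files, executables dropped directly into a profile root, bare names resolved via the search path, and well-known system binary names living outside their home directory. The table of system binary homes and the trusted roots are assumed XP defaults; the log excerpt is constructed from lines in the posts above.

```python
import re
from pathlib import PureWindowsPath

# Roots from which autostart executables are normally loaded on this XP box (assumed).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")

# Home directory of well-known Windows binaries (assumed XP defaults).
# A file with one of these names anywhere else is a masquerade candidate.
SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# "O4 - HKLM\..\Run: [Name] command line"   (Startup-folder O4 lines have no [Name])
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# A bare executable path as printed under "Running processes:"
PROC_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.IGNORECASE)


def executable_from_command(cmd):
    """Return the executable part of a Run-value command line, or None."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # "C:\path with spaces\x.exe" /args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)   # C:\path\x.exe /args
    return m.group(1) if m else None


def classify(exe):
    """Reasons an executable path looks suspicious; an empty list means clean."""
    p = PureWindowsPath(exe)
    if not p.drive:
        # No directory at all: Windows resolves it through the search path at logon,
        # so a planted copy earlier in that path would win.
        return ["unqualified path (resolved via search path)"]
    reasons = []
    low, name, parent = str(p).lower(), p.name.lower(), str(p.parent).lower()
    if name in SYSTEM_BINARIES and parent != SYSTEM_BINARIES[name]:
        reasons.append(f"system binary name {p.name} outside {SYSTEM_BINARIES[name]}")
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("outside Windows/Program Files")
    # ('C:\\', 'Documents and Settings', 'K', 'K.exe'): the file sits in the profile root
    if low.startswith(r"c:\documents and settings") and len(p.parts) == 4:
        reasons.append("executable directly in a user profile root")
    return reasons


def triage_hjt(log_text):
    """Scan Running-processes paths and O4 autostart entries of a HijackThis log.

    Returns {label: (exe, reasons)} for every entry that raised at least one flag.
    Labels are 'proc:<path>' for running processes and 'run:<value name>' for O4.
    """
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        if PROC_RE.match(line):
            exe, label = line, f"proc:{line}"
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            exe, label = executable_from_command(m.group("cmd")), f"run:{m.group('name')}"
            if exe is None:
                continue
        reasons = classify(exe)
        if reasons:
            findings[label] = (exe, reasons)
    return findings


# Constructed excerpt of the log posted above (a handful of representative lines).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\K\K.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\K\lsass.exe
O4 - HKCU\..\Run: [K] C:\Documents and Settings\K\K.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
"""

if __name__ == "__main__":
    for label, (exe, reasons) in triage_hjt(SAMPLE_LOG).items():
        print(f"{label:45} {exe}\n    " + "; ".join(reasons))
```

Run against the full logs above, the script reports `[LSA Shellu]`, `[K]` and the running `K.exe` as the profile-root entries, and lists `RTHDCPL.EXE` and `ALCMTR.EXE` as unqualified names; those two are ordinary Realtek autostarts, which is why an unqualified path is a "look at it" flag rather than a verdict.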
Blade81
Hi,


Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

_______________

Download GMER here by clicking the "download exe" button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab and then Scan.
  • Don't check the "Show All" box while scanning is in progress!
  • When scanning is ready, click Copy. This copies the log to the clipboard.
  • Post the log in your reply.

_________________________

Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read the requirements and privacy statement, then click on the Accept button.
  • The program will launch and start to download the latest definition files.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    - Spyware, Adware, Dialers, and other potentially dangerous programs
    - Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • Click on Save Report As....
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Save this report to a convenient place.
  • Copy and paste that information into your topic.
  • The scan will take a while, so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here
    kr82

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by K at 0:28:47.07 on Tue 07/28/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.456 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Battery Meter\BTMeter.exe
    C:\Program Files\Wireless Select Switch\WLSS.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
    C:\Documents and Settings\K\K.exe
    C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\K\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.live.com
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    uRun: [K] c:\documents and settings\k\K.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
    mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [LSA Shellu] c:\documents and settings\k\lsass.exe
    StartupFolder: c:\docume~1\k\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-4-3 14248]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-27 64160]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
    R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-4-3 93968]

    =============== Created Last 30 ================

    2009-07-27 16:14 <DIR> --d----- c:\program files\Trend Micro
    2009-07-27 15:44 15,688 a------- c:\windows\system32\lsdelete.exe
    2009-07-27 15:31 389,120 a------- c:\documents and settings\k\iexplore.exe
    2009-07-27 15:30 <DIR> --dsh--- c:\documents and settings\k\PrivacIE
    2009-07-27 15:30 <DIR> --dsh--- c:\documents and settings\k\IETldCache
    2009-07-27 15:28 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-07-27 15:27 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-27 15:26 <DIR> --d----- c:\program files\Lavasoft
    2009-07-27 15:24 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-07-27 15:21 <DIR> --d----- c:\windows\ie8updates
    2009-07-27 15:19 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
    2009-07-27 15:19 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
    2009-07-27 15:15 <DIR> -cd-h--- c:\windows\ie8
    2009-07-27 15:02 196,608 a------- c:\documents and settings\k\WYMGFC.exe
    2009-07-27 15:01 40,960 a------- c:\documents and settings\k\JOGGYS.exe
    2009-07-27 15:01 40,960 ---shr-- c:\documents and settings\k\K.exe
    2009-07-16 01:20 <DIR> --d----- c:\program files\Combined Community Codec Pack
    2009-07-11 15:30 69 a------- c:\windows\NeroDigital.ini

    ==================== Find3M ====================

    2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
    2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll

    ============= FINISH: 0:30:31.28 ===============
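The "Created Last 30" section of the DDS log above carries the timeline the HijackThis logs lack: three executables were written straight into the profile root within two minutes (`JOGGYS.exe`, `K.exe`, `WYMGFC.exe`), two of them are byte-for-byte the same size (40,960), `K.exe` carries system+hidden+read-only attributes, and half an hour later an `iexplore.exe` appears in the profile as well. The script below is an added example, not part of this thread or of DDS: it parses that listing and applies three checks, location and attribute flags per file, burst detection for executables created within a short window of each other, and grouping of files with identical sizes. The reading of the DDS flag letters (d=directory, s=system, h=hidden, r=read-only), the trusted roots and the 3-minute burst window are assumptions; the listing is a constructed excerpt copied from the post above.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# One "Created Last 30" line:  date time  size-or-<DIR>  attribute flags  path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")       # assumed
# Assumed reading of the DDS flag letters: d=directory, s=system, h=hidden,
# r=read-only, a=archive, c=compressed; '-' means the attribute is clear.


def parse_created(text):
    """Turn DDS 'Created Last 30' lines into records; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        records.append({
            "when": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return records


def is_executable(rec):
    return not rec["is_dir"] and PureWindowsPath(rec["path"]).suffix.lower() in EXEC_EXT


def flag(rec):
    """Reasons a newly created file deserves a look; an empty list means nothing notable."""
    if not is_executable(rec):
        return []
    p, low = PureWindowsPath(rec["path"]), rec["path"].lower()
    reasons = []
    if not low.startswith(TRUSTED_ROOTS):
        reasons.append("executable outside Windows/Program Files")
    # ('c:\\', 'documents and settings', 'k', 'K.exe'): written straight into the profile root
    if low.startswith(r"c:\documents and settings") and len(p.parts) == 4:
        reasons.append("dropped directly in a user profile root")
    if "s" in rec["attrs"] and "h" in rec["attrs"]:
        reasons.append("hidden+system attributes")
    return reasons


def bursts(records, window=timedelta(minutes=3)):
    """Groups of executables each created within `window` of the previous one (size >= 2)."""
    execs = sorted((r for r in records if is_executable(r)), key=lambda r: r["when"])
    groups, current = [], []
    for r in execs:
        if current and r["when"] - current[-1]["when"] > window:
            groups.append(current)
            current = []
        current.append(r)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) > 1]


def size_twins(records):
    """Files with identical byte sizes: a dropper often writes the same payload under two names."""
    by_size = {}
    for r in records:
        if r["size"] is not None:
            by_size.setdefault(r["size"], []).append(r["path"])
    return {s: paths for s, paths in by_size.items() if len(paths) > 1}


def report(text):
    recs = parse_created(text)
    return {
        "flagged": {r["path"]: flag(r) for r in recs if flag(r)},
        "bursts": [[r["path"] for r in g] for g in bursts(recs)],
        "size_twins": size_twins(recs),
    }


# Constructed excerpt of the DDS listing posted above.
SAMPLE = r"""
2009-07-27 16:14 <DIR> --d----- c:\program files\Trend Micro
2009-07-27 15:44 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-27 15:31 389,120 a------- c:\documents and settings\k\iexplore.exe
2009-07-27 15:30 <DIR> --dsh--- c:\documents and settings\k\PrivacIE
2009-07-27 15:28 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-27 15:24 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-27 15:19 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-27 15:19 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-27 15:02 196,608 a------- c:\documents and settings\k\WYMGFC.exe
2009-07-27 15:01 40,960 a------- c:\documents and settings\k\JOGGYS.exe
2009-07-27 15:01 40,960 ---shr-- c:\documents and settings\k\K.exe
2009-07-11 15:30 69 a------- c:\windows\NeroDigital.ini
"""

if __name__ == "__main__":
    for section, value in report(SAMPLE).items():
        print(f"== {section}\n{value}")
```

The burst check is deliberately blind to location: the IE8 update files at 15:19 to 15:24 also form a burst, which is exactly why the flagged list and the size twins are printed beside it. A burst whose members are all flagged and share sizes is the dropper pattern; a burst inside `dllcache` with a matching `ie8updates` directory is a patch.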
    kr82
    I am unable to run gmer, but the exe button only pops up a random named download, each time with a different name, from www2.gmer.net. It hasn't been the same name twice. I downloaded the zip file, extracted it to my desktop, and it does nothing when I double-click it. More specifically, it said it had to close, and asked me to send an error report to microsoft:

    AppName: gmer.exe AppVer: 1.0.15.14972 ModName: gmer.exe
    ModVer: 1.0.15.14972 Offset: 000b03f0

    That's what data it wanted to send. Now it just hangs with an hourglass on my pointer and does nothing. I will attempt a reboot and see what happens, then move to the Kaspersky step. Thank you very much for the fast reply and the help, this is far beyond my skill to fix, and it pains me to have my computer so infected.

    EDIT: I missed the part where it said the random name was purposeful; I have successfully installed and am running gmer now, under another name. My computer is spamming me with weird audio files for porn now.
    kr82
    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-07-28 01:23:19
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    Code 85F44068 ZwEnumerateKey
    Code 85EE7068 ZwFlushInstructionCache
    Code 85F2E066 IofCallDriver
    Code 85F73066 IofCompleteRequest
    Code 85EFF065 ZwSaveKey
    Code 85E72065 ZwSaveKeyEx

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 85F2E06B
    .text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 85F7306B
    .text ntkrnlpa.exe!ZwSaveKey 80500D68 5 Bytes JMP 85EFF06A
    .text ntkrnlpa.exe!ZwSaveKeyEx 80500D7C 5 Bytes JMP 85E7206A
    PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 85EE706C
    PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 85F4406C

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\wbem\unsecapp.exe[144] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00FE000A
    .text C:\WINDOWS\system32\wbem\unsecapp.exe[144] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00FF000A
    .text C:\WINDOWS\System32\alg.exe[152] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B1000A
    .text C:\WINDOWS\System32\alg.exe[152] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B2000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00FB000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00FC000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9261 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DC8A9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED2C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254254 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E40B6CB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E40B5FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E40B668 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E40B4CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E40B530 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E40B72E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E40B592 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED320 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10012230
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10012070
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012050
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012030
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] WININET.dll!HttpAddRequestHeadersA 3D94D02E 5 Bytes JMP 0107000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[436] WININET.dll!HttpAddRequestHeadersW 3D94FF29 5 Bytes JMP 0118000A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[484] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[484] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
    .text C:\Program Files\Java\jre6\bin\java.exe[552] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00CC000A
    .text C:\Program Files\Java\jre6\bin\java.exe[552] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CD000A
    .text C:\WINDOWS\system32\winlogon.exe[680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
    .text C:\WINDOWS\system32\winlogon.exe[680] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0097000A
    .text C:\WINDOWS\system32\services.exe[728] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A6000A
    .text C:\WINDOWS\system32\services.exe[728] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A7000A
    .text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00AD000A
    .text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00B0000A
    .text C:\Documents and Settings\K\Desktop\kj26ptdp.exe[1064] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00EC000A
    .text C:\Documents and Settings\K\Desktop\kj26ptdp.exe[1064] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00ED000A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1272] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00F5000A
    .text C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe[1272] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00F6000A
    .text C:\WINDOWS\system32\spoolsv.exe[1320] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D6000A
    .text C:\WINDOWS\system32\spoolsv.exe[1320] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D7000A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1448] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BB000A
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1448] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BC000A
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1464] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BF000A
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1464] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C0000A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1504] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BC000A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1504] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BD000A
    .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1560] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E2000A
    .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[1560] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E3000A
    .text C:\WINDOWS\Explorer.EXE[1604] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DE000A
    .text C:\WINDOWS\Explorer.EXE[1604] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DF000A
    .text C:\WINDOWS\system32\IoctlSvc.exe[1608] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00BA000A
    .text C:\WINDOWS\system32\IoctlSvc.exe[1608] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00BB000A
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1644] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00A3000A
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1644] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A4000A
    .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1684] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E5000A
    .text C:\Program Files\Dell Support Center\bin\sprtsvc.exe[1684] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E6000A
    .text C:\WINDOWS\system32\wdfmgr.exe[1732] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 009F000A
    .text C:\WINDOWS\system32\wdfmgr.exe[1732] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00A0000A
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2100] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00FD000A
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2100] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00FE000A
    .text C:\WINDOWS\RTHDCPL.EXE[2108] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 01F9000A
    .text C:\WINDOWS\RTHDCPL.EXE[2108] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 01FA000A
    .text C:\WINDOWS\system32\igfxpers.exe[2156] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E3000A
    .text C:\WINDOWS\system32\igfxpers.exe[2156] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E4000A
    .text C:\Program Files\Battery Meter\BTMeter.exe[2196] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0104000A
    .text C:\Program Files\Battery Meter\BTMeter.exe[2196] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0105000A
    .text C:\Program Files\Wireless Select Switch\WLSS.exe[2236] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00EC000A
    .text C:\Program Files\Wireless Select Switch\WLSS.exe[2236] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00ED000A
    .text C:\WINDOWS\system32\igfxsrvc.exe[2276] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E4000A
    .text C:\WINDOWS\system32\igfxsrvc.exe[2276] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E5000A
    .text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[2300] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E5000A
    .text C:\Program Files\Dell Support Center\bin\sprtcmd.exe[2300] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E6000A
    .text C:\Program Files\iTunes\iTunesHelper.exe[2344] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E6000A
    .text C:\Program Files\iTunes\iTunesHelper.exe[2344] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E7000A
    .text C:\WINDOWS\system32\ctfmon.exe[2404] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D7000A
    .text C:\WINDOWS\system32\ctfmon.exe[2404] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D8000A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[2428] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E3000A
    .text C:\Program Files\Java\jre6\bin\jusched.exe[2428] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E4000A
    .text C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe[2444] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00E0000A
    .text C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe[2444] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E1000A
    .text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[2488] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00EB000A
    .text C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe[2488] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00EC000A
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2508] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00DF000A
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2508] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00E0000A
    .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2528] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0125000A
    .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2528] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0126000A
    .text C:\Documents and Settings\K\K.exe[2584] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0125000A
    .text C:\Documents and Settings\K\K.exe[2584] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0126000A
    .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2836] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00D7000A
    .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2836] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00D8000A
    .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[2848] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0155000A
    .text C:\Program Files\OpenOffice.org 3\program\soffice.exe[2848] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0156000A
    .text C:\Program Files\iPod\bin\iPodService.exe[2928] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00C3000A
    .text C:\Program Files\iPod\bin\iPodService.exe[2928] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00C4000A
    .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2976] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0286000A
    .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2976] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0287000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00FB000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00FC000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9261 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DC8A9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED2C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254254 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E40B6CB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E40B5FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E40B668 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E40B4CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E40B530 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E40B72E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E40B592 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED320 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10012230
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10012070
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012050
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012030
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] WININET.dll!HttpAddRequestHeadersA 3D94D02E 5 Bytes JMP 0107000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3756] WININET.dll!HttpAddRequestHeadersW 3D94FF29 5 Bytes JMP 0118000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00FB000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00FC000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED2C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E40B6CB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E40B5FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E40B668 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E40B4CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E40B530 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E40B72E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E40B592 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10012230
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10012070
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012050
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012030
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] WININET.dll!HttpAddRequestHeadersA 3D94D02E 5 Bytes JMP 0107000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3788] WININET.dll!HttpAddRequestHeadersW 3D94FF29 5 Bytes JMP 0118000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00FB000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00FC000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED2C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E40B6CB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E40B5FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E40B668 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E40B4CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E40B530 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E40B72E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E40B592 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10012230
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10012070
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012050
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012030
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] WININET.dll!HttpAddRequestHeadersA 3D94D02E 5 Bytes JMP 0107000A
    .text C:\Program Files\Internet Explorer\Iexplore.exe[3916] WININET.dll!HttpAddRequestHeadersW 3D94FF29 5 Bytes JMP 0118000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00FB000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00FC000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9261 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DC8A9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED2C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254254 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E40B6CB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E40B5FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E40B668 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E40B4CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E40B530 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E40B72E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E40B592 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED320 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 10012230
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10012070
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012050
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] WS2_32.dll!recv 71AB676F 5 Bytes JMP 10012030
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] WININET.dll!HttpAddRequestHeadersA 3D94D02E 5 Bytes JMP 0107000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[3920] WININET.dll!HttpAddRequestHeadersW 3D94FF29 5 Bytes JMP 0118000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[436] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1A7B] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\Iexplore.exe[3756] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1A7B] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[3920] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1A7B] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\systemroot\system32\UACewhmqibivk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [908] 0x01880000

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

    ---- EOF - GMER 1.0.15 ----

    Before it let me copy this, it informed me with a popup: "WARNING !!! GMER has found system modification caused by ROOTKIT activity"
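The GMER log above is read by section: inline JMP patches on kernel exports, hooks GMER cannot attribute to a module, a library it can only see through \\?\globalroot and marks hidden, and disk sectors it flags as rootkit-like. The following triage script is an added example, not something posted in this thread or shipped with GMER; the regular expressions, the Finding/severity scheme and the function names are my own, and the sample log is a constructed subset of lines copied in form from the scan above.

```python
"""Triage of GMER rootkit-scan output (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines taken in form from the GMER log posted above.
SAMPLE_GMER_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 85F2E06B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 85F7306B
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 85F4406C

---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\winlogon.exe[680] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text C:\Program Files\Internet Explorer\iexplore.exe[436] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 10012050

---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\system32\UACewhmqibivk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [908] 0x01880000

---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior; copy of MBR
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# Inline hook: "<segment> [<process>[pid]] <module>!<func> <addr> <N> Bytes JMP <target> [<owning module>]"
HOOK_RE = re.compile(
    r"^(?P<seg>\.text|PAGE|INIT)\s+(?:(?P<proc>.+?\[\d+\])\s+)?"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>\S.*))?$"
)
HIDDEN_LIB_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<host>.+?)\s+\[(?P<pid>\d+)\]"
)
DISK_RE = re.compile(r"^Disk\s+(?P<dev>\S+)\s+sector\s+(?P<n>\d+):\s+(?P<note>.+)$")


@dataclass
class Finding:
    severity: str  # "high" (act on it), "review" (needs attribution), "info" (attributed)
    category: str
    detail: str


def parse_gmer_log(text: str) -> List[Finding]:
    """Walk the log section by section and turn the lines a responder cares about
    into findings; everything else (headers, attributed devices, EOF) is ignored."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section.startswith("Kernel code sections"):
            m = HOOK_RE.match(line)
            if m:
                # A JMP patched into a kernel export with no owning driver named is what
                # GMER reports as "system modification caused by ROOTKIT activity".
                sev = "review" if m.group("owner") else "high"
                findings.append(Finding(sev, "kernel-inline-hook",
                                        f"{m.group('module')}!{m.group('func')} -> {m.group('target')}"))
        elif section.startswith("User code sections"):
            m = HOOK_RE.match(line)
            if m:
                # Hooks attributed to a named module (here IEFRAME.dll) are normally benign;
                # unattributed ones must be explained before the machine is trusted.
                sev = "info" if m.group("owner") else "review"
                findings.append(Finding(sev, "user-inline-hook",
                                        f"{m.group('proc')} {m.group('module')}!{m.group('func')} -> {m.group('target')}"))
        elif section.startswith("Processes"):
            m = HIDDEN_LIB_RE.match(line)
            if m:
                # A hidden DLL reachable only via \\?\globalroot inside svchost.exe is the
                # strongest single indicator in this log.
                findings.append(Finding("high", "hidden-library",
                                        f"{m.group('path')} in {m.group('host')} [{m.group('pid')}]"))
        elif section.startswith("Disk sectors"):
            m = DISK_RE.match(line)
            if m and "rootkit-like behavior" in m.group("note"):
                findings.append(Finding("high", "disk-sector",
                                        f"{m.group('dev')} sector {m.group('n')}: {m.group('note')}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a quick go/no-go on offline remediation."""
    counts: Dict[str, int] = {"high": 0, "review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    found = parse_gmer_log(SAMPLE_GMER_LOG)
    for f in found:
        print(f"{f.severity:6} {f.category:20} {f.detail}")
    print(summarize(found))
```

Run against a full GMER log, the "high" count alone separates a box that can be cleaned in place from one that needs an offline scan; in this thread every high-severity category fires.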
    Blade81
    Hi,

    Let's see if you're able to run the Kaspersky online scanner. I shall give further instructions after that.
    kr82
    Sorry for the delay and interrupt, the flu hit our household. Too bad RL bugs can't be handled like programmed ones. I have been unsuccessful running the online Kaspersky, but I will keep trying. My computer is one of the very small Dell laptops with a 16 GB flash drive as its brain, and it is having trouble loading the internet application. Halfway through loading the 67 MB app, it stalls and starts generating popups and bogging my computer down to the point where it freezes and has to be manually rebooted (hold down the power key). I am going to see if I can load Kaspersky onto a flash drive and install it, instead of using the online one. There has to be a way to get past the silly popups and crashes.
    Blade81
    QUOTE: "Sorry for the delay and interrupt, the flu hit our household."

    Hi,

    It's ok. Hopefully it wasn't wildly spreading swine flu.

    Anyway, let's pass Kaspersky scanner for now and do some cleaning first.


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds.txt log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Blade81
    Due to lack of feedback, this topic has been closed.

    If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

    Everyone else please begin a New Topic.

    Thank You !