Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

system monitor: active keylogger

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

system monitor: active keylogger

Unread postby irving3 » September 25th, 2007, 12:48 am

spy audit says have keylogger. ran norton, adware, spybot, all say good. novice computer user. can anyone help please.
irving3
Active Member
 
Posts: 7
Joined: September 17th, 2007, 12:10 am
Advertisement
Register to Remove

key logger

Unread postby irving3 » September 25th, 2007, 12:58 am

here is my hyjackthis log
Scan saved at 9:32:11 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\dlbtcoms.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://red.clientapps.yahoo.com/customi ... /www.yahoo

.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://red.clientapps.yahoo.com/customi ... http://www.

yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://red.clientapps.yahoo.com/customi ... /www.yahoo

.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} -

C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common

Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper -

{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common

Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper -

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live

Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -

C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event

Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media

Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program

Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo

AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH

Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE"

/AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common

Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe"

/a /m "C:\Program Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [DLBTCATS] rundll32

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE"

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy

Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program

Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] "C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program

Files\Webroot\Washer\WashIdx.exe "Terry"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google

Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program

Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites -

http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -

C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login -

{2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program

Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Advanced Searchbar -

{57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar -

{57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -

http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan

Agent 6.6) -

http://housecall65.trendmicro.com/house ... win32/acti

vex/hcImpl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client

Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) -

file://C:\Win2000\Content\cabs\alaWeb.CAB
O16 - DPF: {5D68B82D-C79F-4FFC-83C0-8D0FC794CEF2} (alaWeb.clsGetStats) -

file://C:\Win2000\Content\cabs\alaWeb.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility

Class) -

http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager)

- https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftup ... ient/muweb

_site.cab?1145679553097
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan

Agent 6.5) -

http://housecall65.trendmicro.com/house ... win32/acti

vex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -

http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -

http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -

http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -

http://download.games.yahoo.com/games/w ... opcaploade

r_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program

Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -

C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program

Files\Common Files\Symantec

Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec

Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -

C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\Security

Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program

Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) -

Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. -

C:\WINDOWS\system32\wwSecure.exe

--
End of file - 14677 bytes
irving3
Active Member
 
Posts: 7
Joined: September 17th, 2007, 12:10 am

Unread postby Katana » October 5th, 2007, 5:08 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and helpers look for posts with zero replies.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please post a fresh Hijack This log to this thread.
I will be notified and I will get back to you ASAP.


If you are using Notepad, please can you make sure Wordwrap is turned off.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby irving3 » October 10th, 2007, 8:59 pm

Here is a new hijackthis log. I hope I am doing this right. Please forgive the time frame, there was a death in my family.
Scan saved at 5:53:31 PM, on 10/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [YOP] "C:\PROGRA~1\Yahoo!\YOP\yop.exe" /autostart
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinTOTAL Scheduler] C:\WIN2000\guru.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-21-799758032-1172601221-2815446935-1009\..\Run: [Sonic RecordNow!] (User 'Jessica')
O4 - HKUS\S-1-5-21-799758032-1172601221-2815446935-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jessica')
O4 - HKUS\S-1-5-21-799758032-1172601221-2815446935-1009\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Jessica')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2C15848B-21C0-406A-9902-56C8D90684F3} (alaWeb.clsGetStats) - file://C:\Win2000\Content\cabs\alaWeb.CAB
O16 - DPF: {5D68B82D-C79F-4FFC-83C0-8D0FC794CEF2} (alaWeb.clsGetStats) - file://C:\Win2000\Content\cabs\alaWeb.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5679553097
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/w ... der_v6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 14781 bytes
irving3
Active Member
 
Posts: 7
Joined: September 17th, 2007, 12:10 am

notepad

Unread postby irving3 » October 10th, 2007, 9:04 pm

I think i turned of wordwrap,but after my last submittal. do you need me to send another log?
irving3
Active Member
 
Posts: 7
Joined: September 17th, 2007, 12:10 am

Unread postby Katana » October 10th, 2007, 9:06 pm

That log is fine :)
A quick look doesn't show any signs of malware, what makes you think there is a keylogger ?

Edit:- Ahh Spy Audit.
Do you have the spy Audit report ?


PS sorry about your bad news :(
My Grandmother died today, so I know it feels bad
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby irving3 » October 13th, 2007, 6:15 pm

Sorry about your loss. Dont know how to aquire copy of log from spy audit. am going to try to contact webroot support during the week. here is a copy of the latest scan.
Infection Level: Dangerous


Manageable Serious Dangerous


What does this mean?
Infections on Your Computer


Trojan Horses


System Monitors


Adware


Tracking Cookies

Found on Your Computer:


0


1


0


1

Identity Theft


PC Corruption


Runaway Pop-up Ads


Sluggish Performance


Behavior Surveillance




Details



Trojan Horses Detected: 0

A Trojan horse is dangerous and can let a hacker control your PC. Even worse, a Trojan may install spyware programs on your computer to steal your information.



System Monitors Detected: 1

A system monitor may be able to view your personal e-mail or instant messages and may gain access to private information such as your passwords and credit card numbers.



System Monitors:

* Active Keylogger



Adware Detected: 0

Adware displays pop-up ads and slows your Internet connection. The presence of adware on your PC can lead to more risky infections. Thank you for your help.
irving3
Active Member
 
Posts: 7
Joined: September 17th, 2007, 12:10 am

Unread postby Katana » October 13th, 2007, 8:58 pm

Unfortunately, without the file or program name that is not much use :(

Lets see if this finds it.

Kaspersky Online Scanner .

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the log in your reply.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

spysweeper found ldpinch trojan

Unread postby irving3 » October 20th, 2007, 3:17 am

Kaspersky didnt find anything. Updated my spy sweeper and found ldpinch trojan-quarentined same. here are some logs from spysweeper.11:50 PM: Removal process completed. Elapsed time 00:00:01
11:50 PM: Quarantining All Traces: ldpinch trojan
11:50 PM: Removal process initiated
11:47 PM: Traces Found: 1
11:47 PM: Custom Sweep has completed. Elapsed time 00:46:50
11:47 PM: File Sweep Complete, Elapsed Time: 00:43:51
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms73e62145-f78e-45ac-8334-d0e1f2c23d3b.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms0750b9ad-5d50-45ea-b192-baf1d6dc5e8d.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3c3d0adf-ff67-46ee-b7f3-05a8d8f4ffd8.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms753b7ebd-a772-48b2-816f-039e7527957f.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms33373718-b3e1-4f9e-ad4a-5f465d0d381b.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc40d7d50-d954-4a66-ac5a-8cb882fbd07a.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc06aaa48-42a4-4f30-aa34-5bfe23d9b46a.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms36568e1e-353e-4adc-b6ab-bad78c5f0fa3.tmp". The operation completed successfully
11:40 PM: Warning: Failed to open file "c:\program files\norton antivirus\savrt\0471nav~.tmp". The operation completed successfully
11:03 PM: Starting File Sweep
11:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:03 PM: Starting Cookie Sweep
11:03 PM: Registry Sweep Complete, Elapsed Time:00:00:18
11:03 PM: HKLM\software\microsoft\windows\currentversion\mcd\ (ID = 826065)
11:03 PM: Found Trojan Horse: ldpinch trojan
11:03 PM: Starting Registry Sweep
11:03 PM: Memory Sweep Complete, Elapsed Time: 00:02:37
11:03 PM: ApplicationMinimized - EXIT
11:03 PM: ApplicationMinimized - ENTER
11:00 PM: Starting Memory Sweep
11:00 PM: Start Custom Sweep
11:00 PM: Sweep initiated using definitions version 1014
10:57 PM: License Check Status (0): Success
Keylogger: On
E-mail Attachment: On
10:56 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
10:56 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
10:56 PM: Shield States
10:56 PM: License Check Status (0): Success
10:56 PM: Spyware Definitions: 1014
10:55 PM: Spy Sweeper 5.5.7.103 started
10:55 PM: Spy Sweeper 5.5.7.103 started
10:55 PM: | Start of Session, Friday, October 19, 2007 |
***************
Operation: File Access
Target:
Source: C:\DOCUME~1\TERRY\LOCALS~1\TEMP\IS-VAKCR.TMP\IS-GSPHJ.TMP
10:52 PM: Tamper Detection
10:52 PM: ApplicationMinimized - EXIT
10:52 PM: ApplicationMinimized - ENTER
10:50 PM: Your definitions are up to date.
Keylogger: On
E-mail Attachment: On
10:49 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
10:49 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
10:49 PM: Shield States
10:49 PM: License Check Status (0): Success
10:49 PM: Spyware Definitions: 1014
10:48 PM: Spy Sweeper 5.5.7.48 started
10:48 PM: Spy Sweeper 5.5.7.48 started
10:48 PM: | Start of Session, Friday, October 19, 2007 |
***************
Operation: File Access
Target:
Source: C:\DOCUME~1\TERRY\LOCALS~1\TEMP\IS-OJOJ2.TMP\IS-HIR5P.TMP
10:25 PM: Tamper Detection
10:08 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
10:07 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
10:06 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
10:05 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
Operation: File Access
Target:
Source: C:\PROGRA~1\NORTON~1\NAVW32.EXE
9:12 PM: Tamper Detection
8:37 PM: Your spyware definitions have been updated.
8:36 PM: Automated check for program update in progress.
2:28 PM: Warning: Unable to remove cookie c:\documents and settings\jessica\cookies\jessica@trafficmp[1].txt
8:36 PM: ApplicationMinimized - EXIT
8:36 PM: ApplicationMinimized - ENTER
Keylogger: On
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
7:00 PM: Shield States
6:59 PM: Your spyware definitions have been updated.
6:58 PM: Automated check for program update in progress.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
6:44 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
irving3
Active Member
 
Posts: 7
Joined: September 17th, 2007, 12:10 am

keylogger

Unread postby irving3 » October 20th, 2007, 11:43 pm

I did a bug report on 9-25, and just found it on my desktop. I dont know if it will help with this problem. I found and deleted one trojen horse, but things are still wierd. Spy audid still says I have a problem, Kaspersky says there is no problem but I tried to run Trend Micro, the graph thing moved back and forth, but after 3 hours, nothing had changed. Do I just shoot the computer? Anyway, her is the bug report--date/time : 2007-09-25, 20:35:22, 515ms
computer name : WILLIAMS
user name : ~N <admin>
registered owner : Terry
operating ~N : ~q XP ~S Pack 2 build 2600
~N language : English
~N up time : 2 hours 9 minutes
program up time : 2 hours 8 minutes
processor : Intel(R) Pentium(R) 4 CPU 3.00GHz
physical memory : 635/1023 MB (free/total)
free disk space : (C:) 96.52 GB
display mode : 1024x768, 32 bit11:50 PM: Removal process completed. Elapsed time 00:00:01
11:50 PM: Quarantining All Traces: ldpinch trojan
11:50 PM: Removal process initiated
11:47 PM: Traces Found: 1
11:47 PM: Custom Sweep has completed. Elapsed time 00:46:50
11:47 PM: File Sweep Complete, Elapsed Time: 00:43:51
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms73e62145-f78e-45ac-8334-d0e1f2c23d3b.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms0750b9ad-5d50-45ea-b192-baf1d6dc5e8d.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms3c3d0adf-ff67-46ee-b7f3-05a8d8f4ffd8.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms753b7ebd-a772-48b2-816f-039e7527957f.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms33373718-b3e1-4f9e-ad4a-5f465d0d381b.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc40d7d50-d954-4a66-ac5a-8cb882fbd07a.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssmsc06aaa48-42a4-4f30-aa34-5bfe23d9b46a.tmp". The operation completed successfully
11:41 PM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\ssms36568e1e-353e-4adc-b6ab-bad78c5f0fa3.tmp". The operation completed successfully
11:40 PM: Warning: Failed to open file "c:\program files\norton antivirus\savrt\0471nav~.tmp". The operation completed successfully
11:03 PM: Starting File Sweep
11:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:03 PM: Starting Cookie Sweep
11:03 PM: Registry Sweep Complete, Elapsed Time:00:00:18
11:03 PM: HKLM\software\microsoft\windows\currentversion\mcd\ (ID = 826065)
11:03 PM: Found Trojan Horse: ldpinch trojan
11:03 PM: Starting Registry Sweep
11:03 PM: Memory Sweep Complete, Elapsed Time: 00:02:37
11:03 PM: ApplicationMinimized - EXIT
11:03 PM: ApplicationMinimized - ENTER
11:00 PM: Starting Memory Sweep
11:00 PM: Start Custom Sweep
11:00 PM: Sweep initiated using definitions version 1014
10:57 PM: License Check Status (0): Success
Keylogger: On
E-mail Attachment: On
10:56 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
10:56 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
10:56 PM: Shield States
10:56 PM: License Check Status (0): Success
10:56 PM: Spyware Definitions: 1014
10:55 PM: Spy Sweeper 5.5.7.103 started
10:55 PM: Spy Sweeper 5.5.7.103 started
10:55 PM: | Start of Session, Friday, October 19, 2007 |
***************
Operation: File Access
Target:
Source: C:\DOCUME~1\TERRY\LOCALS~1\TEMP\IS-VAKCR.TMP\IS-GSPHJ.TMP
10:52 PM: Tamper Detection
10:52 PM: ApplicationMinimized - EXIT
10:52 PM: ApplicationMinimized - ENTER
10:50 PM: Your definitions are up to date.
Keylogger: On
E-mail Attachment: On
10:49 PM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
10:49 PM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
10:49 PM: Shield States
10:49 PM: License Check Status (0): Success
10:49 PM: Spyware Definitions: 1014
10:48 PM: Spy Sweeper 5.5.7.48 started
10:48 PM: Spy Sweeper 5.5.7.48 started
10:48 PM: | Start of Session, Friday, October 19, 2007 |
***************
Operation: File Access
Target:
Source: C:\DOCUME~1\TERRY\LOCALS~1\TEMP\IS-OJOJ2.TMP\IS-HIR5P.TMP
10:25 PM: Tamper Detection
10:08 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
10:07 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
10:06 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
10:05 PM: Access to Hosts file blocked for C:\PROGRA~1\NORTON~1\NAVW32.EXE
Operation: File Access
Target:
Source: C:\PROGRA~1\NORTON~1\NAVW32.EXE
9:12 PM: Tamper Detection
8:37 PM: Your spyware definitions have been updated.
8:36 PM: Automated check for program update in progress.
2:28 PM: Warning: Unable to remove cookie c:\documents and settings\jessica\cookies\jessica@trafficmp[1].txt
8:36 PM: ApplicationMinimized - EXIT
8:36 PM: ApplicationMinimized - ENTER
Keylogger: On
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: On
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: On
7:00 PM: Shield States
6:59 PM: Your spyware definitions have been updated.
6:58 PM: Automated check for program update in progress.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
6:44 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:06 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSIDRV\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\OverrideConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\FilteredConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BasicConfig
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\ForcedConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\AllocConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
Operation: Registry Access
Target: \SYSTEM\ControlSet001\Enum\Root\LEGACY_SSHRMD\0000\LogConf\BootConfigVector
Source: C:\WINDOWS\SYSTEM32\SERVICES.EXE
6:05 PM: Tamper Detection
process id : $2dc
allocated memory : 64.79 MB
executable : ~A
exec. date/time : 2007-07-19 22:54
version : 3.5.6.56
~f version : 3.0c
callstack crc : $5d878a3f, $071a4a6e, $d5164327
exception number : 1
exception class : EAccessViolation
exception message : Access violation at address 00569025 in module '~A'. Read of address 04F3FFFC.

~R $518 (T~b):
00569025 ~A FastCrcLookup 294 TFastCrcLookup.Find
0056aa01 ~A TraceFileProvider 281 TTraceFileProvider.FilterByIndex
0056a89b ~A TraceFileProvider 250 TTraceFileProvider.FilterByIndex
005d2860 ~A IdentifyFileObj 1270 CheckFile
005d2e29 ~A IdentifyFileObj 1445 TIdentifyFileObj.OnFileFound
005a0c26 ~A CustomFileEnumerator 535 TCustomFileEnumerator.DoOnFileFound
005a0986 ~A CustomFileEnumerator 506 TCustomFileEnumerator.ProcessPartition
005d3c44 ~A IdentifyFileObj 1750 TIdentifyFileObj.SweepDirectories
005d46be ~A IdentifyFileObj 1913 TIdentifyFileObj.SweepSelectedLocations
005d4aa1 ~A IdentifyFileObj 2017 TIdentifyFileObj.Identify
0064a889 ~A ~b 463 SweepFiles
0064b522 ~A ~b 631 T~b.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $4d4 at:
006499ab ~A ~b 201 T~b.~o

modules:
0033~Q ~Piz~r 6.0.5441.0 C:\~I
004~Q0 ~A 3.5.6.56 C:\~j\Webroot\Spy Sweeper
033d~Q ztvunrar3~r C:\~j\Webroot\Spy Sweeper
0482~Q MailShld~r C:\~j\Webroot\Spy Sweeper
0ffd~Q rsaenh~r 5.1.2600.2161 C:\~I
1~Q000 pcre~r 6.1.0.0 C:\~j\Webroot\Spy Sweeper
2~Q000 xpsp2res~r 5.1.2600.2180 C:\~I
4299~Q iertutil~r 7.0.6000.16512 C:\~I
42c1~Q wininet~r 7.0.6000.16512 C:\~I
5ad6~Q vdmdbg~r 5.1.2600.2180 C:\~I
5b0a~Q umdmxfrm~r 5.1.2600.0 C:\~I
5b86~Q netapi32~r 5.1.2600.2976 C:\~I
5cd7~Q serwvdrv~r 5.1.2600.0 C:\~I
5d09~Q comctl32~r 5.82.2900.2982 C:\~I
5edd~Q olepro32~r 5.1.2600.2180 C:\~I
71aa~Q WS2HELP~r 5.1.2600.2180 C:\~I
71ab~Q WS2_32~r 5.1.2600.2180 C:\~I
71ad~Q wsock32~r 5.1.2600.2180 C:\~I
71b2~Q mpr~r 5.1.2600.2180 C:\~I
71bf~Q SAMLIB~r 5.1.2600.2180 C:\~I
75e9~Q SXS~r 5.1.2600.3019 C:\~I
7639~Q IMM32~r 5.1.2600.2180 C:\~I
763b~Q comdlg32~r 6.0.2900.2180 C:\~I
769c~Q userenv~r 5.1.2600.2180 C:\~I
76b4~Q winmm~r 5.1.2600.2180 C:\~I
76bf~Q PSAPI~r 5.1.2600.2180 C:\~I
76c9~Q IMAGEHLP~r 5.1.2600.2180 C:\~I
76d6~Q iphlpapi~r 5.1.2600.2912 C:\~I
76f2~Q dnsapi~r 5.1.2600.2938 C:\~I
76f6~Q WLDAP32~r 5.1.2600.2180 C:\~I
76fd~Q CLBCATQ~r 2001.12.4414.308 C:\~I
7705~Q COMRes~r 2001.12.4414.258 C:\~I
7712~Q oleaut32~r 5.1.2600.3139 C:\~I
773d~Q comctl32~r 6.0.2900.2982 C:\~q\WinSxS\x86_Microsoft.~q.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
774e~Q ole32~r 5.1.2600.2726 C:\~I
7769~Q NTMARTA~r 5.1.2600.2180 C:\~I
7792~Q SETUPAPI~r 5.1.2600.2180 C:\~I
77a8~Q crypt32~r 5.131.2600.2180 C:\~I
77b2~Q MSASN1~r 5.1.2600.2180 C:\~I
77c~Q0 version~r 5.1.2600.2180 C:\~I
77c1~Q msvcrt~r 7.0.2600.2180 C:\~I
77dd~Q ADVAPI32~r 5.1.2600.2180 C:\~I
77e7~Q RPCRT4~r 5.1.2600.2180 C:\~I
77f1~Q GDI32~r 5.1.2600.3159 C:\~I
77f6~Q SHLWAPI~r 6.0.2900.2995 C:\~I
77fe~Q secur32~r 5.1.2600.2180 C:\~I
7c8~Q0 ~H 5.1.2600.3119 C:\~I
7c9~Q0 ~i 5.1.2600.2180 C:\~I
7c9c~Q shell32~r 6.0.2900.3051 C:\~I
7d1e~Q msi~r 3.1.4000.4039 C:\~I
7e0c~Q ztvcabinet~r 5.0.2147.1 C:\~j\Webroot\Spy Sweeper
7e41~Q USER32~r 5.1.2600.3099 C:\~I

processes:
000 Idle
004 ~N ~P
09c smss.exe ~P C:\~I
0d8 csrss.exe ~P C:\~I
0f0 ~T.exe high C:\~I
11c ~Ss.exe ~P C:\~I
128 lsass.exe ~P C:\~I
1c4 svchost.exe ~P C:\~I
204 svchost.exe ~P C:\~I
238 MsMpEng.exe ~P C:\~j\~q Defender
27c aaw~S.exe ~P C:\~j\Lavasoft\Ad-Aware 2007
2c4 svchost.exe ~P C:\~I
2dc ~A ~P C:\~j\Webroot\Spy Sweeper
3d8 Explorer.EXE ~P C:\~q
540 ctfmon.exe ~P C:\~I
4a0 SafeSweeper.exe ~P C:\~j\Webroot\Spy Sweeper
7fc SSU.EXE ~P C:\~j\Webroot\Spy Sweeper

cpu registers:
eax = 050a~Q
ebx = ~Q~Q
ecx = fffffff8
edx = fffa7fff
esi = 00eeaca0
edi = 03f6f130
eip = 00569025
esp = 0548fa18
ebp = 0548fa38

stack dump:
0548fa18 ff 7f fa ff 10 80 05 00 - 00 80 05 00 ff ff 03 00 ................
0548fa28 ff ff ff 01 c0 fe fe 06 - ff ff ff ff 10 29 ee 00 .............)..
0548fa38 88 fa 48 05 06 aa 56 00 - 4c fa 48 05 b4 4c 40 00 ..H...V.L.H..L@.
0548fa48 88 fa 48 05 98 fa 48 05 - b4 4c 40 00 88 fa 48 05 ..H...H..L@...H.
0548fa58 08 fb 5c 00 00 00 00 00 - 00 00 00 00 0a 00 00 00 ..\.............
0548fa68 78 55 40 00 30 f1 f6 03 - 92 fa 48 05 08 fb 5c 00 xU@.0.....H...\.
0548fa78 ea 60 45 00 ec 50 20 00 - 00 00 00 03 50 80 f2 00 .`E..P......P...
0548fa88 bc fa 48 05 a0 a8 56 00 - a4 fa 48 05 c0 fe fe 06 ..H...V...H.....
0548fa98 c8 fa 48 05 b4 4c 40 00 - bc fa 48 05 00 00 00 00 ..H..L@...H.....
0548faa8 32 2f 40 00 81 54 40 00 - ec 50 20 00 5a d5 47 03 2/@..T@..P..Z.G.
0548fab8 50 80 f2 00 20 fb 48 05 - 65 28 5d 00 c0 fe fe 06 P.....H.e(].....
0548fac8 d4 fa 48 05 4b 4e 40 00 - 20 fb 48 05 e0 fa 48 05 ..H.KN@...H...H.
0548fad8 84 4a 40 00 20 fb 48 05 - 2c fb 48 05 b3 2b 5d 00 .J@...H.,.H..+].
0548fae8 20 fb 48 05 30 f1 f6 03 - a0 ac ee 00 08 fb 5c 00 ..H.0.........\.
0548faf8 00 00 00 00 2c fb 48 05 - db 06 5d 00 e3 06 5d 00 ....,.H...]...].
0548fb08 00 00 00 00 00 20 00 00 - c0 fe fe 06 ec 50 20 00 .............P..
0548fb18 00 00 e7 00 64 e3 dd 06 - b8 fb 48 05 2e 2e 5d 00 ....d.....H...].
0548fb28 b8 fb 48 05 38 fb 48 05 - 4d 2e 5d 00 b8 fb 48 05 ..H.8.H.M.]...H.
0548fb38 c8 fb 48 05 3f 2f 5d 00 - b8 fb 48 05 f0 91 08 07 ..H.?/]...H.....
0548fb48 bc 00 24 00 00 00 00 00 - 84 73 19 00 fc cb dd 06 ..$......s......

main ~R ($2e0):
7c90eb94 ~i ~G
7e419416 USER32~r WaitMessage
004c3ad1 ~A Forms TApplication.Idle
004c2f97 ~A Forms TApplication.HandleMessage
005108c2 ~A SvcMgr T~SApplication.Run
006b0414 ~A WRSSSDK 391 ~J

~R $310 (TErrorEvent~R):
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
00483880 ~A SyncObjs 1242 THandleObject.WaitFor
004d3bef ~A Errors 1344 TErrorEvent~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
006adc1f ~A Errors 1379 ~J

~R $314 (TVolumeInfoRefresher):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
004f9de0 ~A VolumeInfo 275 TVolumeInfoRefresher.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
004f9ca2 ~A VolumeInfo 244 TVolumeInfoRefresher.~o

~R $31c (TCSIDLRefresh~R):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0056619a ~A CSIDLRefresh~R 97 TCSIDLRefresh~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
00566043 ~A CSIDLRefresh~R 57 TCSIDLRefresh~R.~o

~R $330 (T~TMgr):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
005e58ba ~A ~TNotifierMgr 362 T~TMgr.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
005e54f7 ~A ~TNotifierMgr 286 T~TMgr.~o

~R $338:
7c90eb94 ~i ~G
7c90e286 ~i NtReadFile
7c80186f ~H ReadFile
004e9569 ~A madCodeHook PipedIpc~R1
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
004e97e0 ~A madCodeHook ~oPipedIpcQueue

~R $33c:
7c90eb94 ~i ~G
7c90e286 ~i NtReadFile
7c80186f ~H ReadFile
004e9569 ~A madCodeHook PipedIpc~R1
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
004e97e0 ~A madCodeHook ~oPipedIpcQueue

~R $340 (~m7Manager):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068f059 ~A ~tSpyFS 2056 ~m7Manager.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068eebb ~A ~tSpyFS 2002 ~m7Manager.~o

~R $344 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $348 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $34c (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $350 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $354 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $358 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $35c (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $360 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $364 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $368 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $3d4 (TMemManagement~R):
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
006a4678 ~A AVEngine 3532 TMemManagement~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
006a45c3 ~A AVEngine 3516 TMemManagement~R.~o

~R $3ec (TExternalSignalWatcher): <priority:-1>
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
00634b01 ~A SelfProtectCommon 121 TExternalSignalWatcher.CheckForSignal
00634d98 ~A SelfProtectCommon 189 TExternalSignalWatcher.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
00634dcb ~A SelfProtectCommon 195 TExternalSignalWatcher.~o

~R $3f0 (T~S~s~R):
7c90eb94 ~i ~G
7c90e286 ~i NtReadFile
7c80186f ~H ReadFile
77e37dc7 ADVAPI32~r ~s~SCtrlDispatcherA
00510723 ~A SvcMgr T~S~s~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
005106bb ~A SvcMgr T~S~s~R.~o

~R $3f4:
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
00474184 ~A ~g T~R.WaitFor
0050fb35 ~A SvcMgr T~S.Do~s
0050fa64 ~A SvcMgr T~S.Main
0050ffbb ~A SvcMgr T~SApplication.Dispatch~SMain
0050fd6a ~A SvcMgr ~SMain
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $3f0 (T~S~s~R) at:
77deb355 ADVAPI32~r

~R $3f8 (T~S~R):
7c90eb94 ~i ~G
7e42e03d USER32~r GetMessageA
0050f2c0 ~A SvcMgr T~S~R.ProcessRequests
006a8385 ~A WRSSSDK~S 287 TsvcWRSSSDK.~S~C
0050f130 ~A SvcMgr T~S~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $3f4 at:
0050f02b ~A SvcMgr T~S~R.~o

~R $3fc (TGlobalSelfProtect~sup):
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
004f4b33 ~A ~O 450 T~O.GetDriverInitialized
00635740 ~A GlobalSelfProtect 88 TGlobalSelfProtect~sup.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $3f8 (T~S~R) at:
00636561 ~A GlobalSelfProtect 408 Initalize

~R $574:
7c90eb94 ~i ~G
7c90e397 ~i NtReplyWaitReceivePortEx
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $400 at:
77e8760d RPCRT4~r

~R $4d4:
7c90eb94 ~i ~G
7c90e397 ~i NtReplyWaitReceivePortEx
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $574 at:
77e8760d RPCRT4~r

~R $490:
7c90eb94 ~i ~G
7c90e9a9 ~i ~l

~R $4c0:
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $574 at:
769c8951 userenv~r

~R $4b8 (TRestoredFiles~R): <priority:-1>
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
005fc12a ~A RestoredFileList 317 TRestoredFiles~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $574 at:
005fb26b ~A RestoredFileList 69 TRestoredFiles~R.~o

~R $4bc (TDirectoryWatcher):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
005e325c ~A Watcher 141 ~u
005e32e8 ~A Watcher 162 ~U.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $574 at:
005e2ff7 ~A Watcher 72 ~U.~o

~R $304 (T~tKeylogger~R):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0063324a ~A ~tKeylogger~R 129 T~tKeylogger~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $574 at:
00633017 ~A ~tKeylogger~R 75 T~tKeylogger~R.~o

~R $4f8:
7c90eb94 ~i ~G
7c90e397 ~i NtReplyWaitReceivePortEx
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $4d0 at:
77e8760d RPCRT4~r

~R $4cc (TThrottle~R):
7c90eb94 ~i ~G
7c90d85a ~i NtDelayExecution
7c8023e7 ~H SleepEx
7c80244c ~H Sleep
00580174 ~A IOThrottle 274 TThrottle~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $4d4 at:
005805f7 ~A IOThrottle 383 TThrottle~R.~o

~R $494 (TCallbackMgr~R):
7c90eb94 ~i ~G
7c90d85a ~i NtDelayExecution
7c8023e7 ~H SleepEx
7c80244c ~H Sleep
0059be60 ~A CallbackMgr 287 TCallbackMgr~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $518 (T~b) at:
0059b9ef ~A CallbackMgr 135 TCallbackMgr~R.~o

~R $94 (TNTFSFileEnumerator): <priority:2>
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
0059c6ee ~A CustomBucket 202 TCustomBucket.AddItem
00404839 ~A ~N 36 @AfterConstruction
0059c9a7 ~A Queue 50 TQueue.Push
0059dc39 ~A DiskQueue 38 TDiskQueue.Push
005a0ce2 ~A CustomFileEnumerator 559 TCustomFileEnumerator.QueueUpItem
005a5150 ~A NTFSFileEnumerator 830 TNTFSFileEnumerator.ProcessFiles
005a774e ~A NTFSFileEnumerator 1418 TNTFSFileEnumerator.Process
005a06ab ~A CustomFileEnumerator 431 TCustomFileEnumerator.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $518 (T~b) at:
0059f616 ~A CustomFileEnumerator 177 TCustomFileEnumerator.~o

hardware:
+ Computer
- ACPI Multiprocessor PC
+ Disk drives
- WDC WD1600JD-75HBB0
+ Display adapters
- NVIDIA GeForce FX 5200 (driver 4.5.2.3)
+ DVD/CD-ROM drives
- HL-DT-ST DVD-ROM GDR8162B
- TEAC DVD+RW DV-W58E
+ Floppy disk controllers
- Standard floppy disk controller
+ Floppy disk drives
- Floppy disk drive
+ Human Interface Devices
- HID-compliant device
- USB Human Interface Device
+ IDE ATA/ATAPI controllers
- Intel(R) 82801EB Ultra ATA Storage Controllers (driver 5.0.1007.0)
- Intel(R) 82801EB Ultra ATA Storage Controllers (driver 5.0.1007.0)
- Primary IDE Channel
- Secondary IDE Channel
+ Imaging devices
- Dell Photo AIO Printer 922 (driver 1.0.0.0)
+ Keyboards
- Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
+ Mice and other pointing devices
- PS/2 Compatible Mouse
+ Modems
- Intel(R) 537EP V9x DFV PCI Modem (driver 2.15.36.0)
+ Network adapters
- Intel(R) PRO/100 VE Network Connection (driver 8.0.21.0)
+ Ports (COM & LPT)
- Communications Port (COM1)
- ECP Printer Port (LPT1)
+ Printers
- Dell Photo AIO Printer 922 (driver 4-9-2004)
+ Processors
- Intel(R) Pentium(R) 4 CPU 3.00GHz
+ Sound, video and game controllers
- Audio Codecs
- Creative SB Live! Series (WDM) (driver 5.12.1.203)
- Game Port for SB Live! Series (driver 4-8-2002)
- Legacy Audio Drivers
- Legacy Video Capture Devices
- Media Control Devices
- SoundMAX Integrated Digital Audio (driver 5.12.1.3600)
- Video Codecs
+ ~N devices
- ACPI Fixed Feature Button
- ACPI Power Button
- Direct memory access controller
- Intel(R) 82801EB LPC Interface Controller - 24D0 (driver 5.0.1006.0)
- Intel(R) 82801EB PCI Bridge - 244E (driver 5.0.1006.0)
- Intel(R) 82801EB SMBus Controller - 24D3 (driver 5.0.1006.0)
- Intel(R) 82865G\PE\P Processor to AGP Controller - 2571 (driver 5.0.1006.0)
- Intel(R) 82865G\PE\P Processor to I/O Controller - 2570 (driver 5.0.1006.0)
- ISAPNP Read Data Port
- Microcode Update Device
- Microsoft ACPI-Compliant ~N
- Microsoft Composite Battery
- Microsoft ~N Management BIOS Driver
- Numeric data processor
- OpenManage Client Instrumentation device driver (driver 7.0.323.0)
- PCI bus
- Plug and Play Software Device Enumerator
- Programmable interrupt controller
- ~N board
- ~N board
- ~N CMOS/real time clock
- ~N speaker
- ~N timer
- Terminal Server Device Redirector
- Terminal Server Keyboard Driver
- Terminal Server Mouse Driver
- Volume Manager
+ Universal Serial Bus controllers
- Intel(R) 82801EB USB Universal Host Controller - 24D2 (driver 5.0.1006.0)
- Intel(R) 82801EB USB Universal Host Controller - 24D4 (driver 5.0.1006.0)
- Intel(R) 82801EB USB Universal Host Controller - 24D7 (driver 5.0.1006.0)
- Intel(R) 82801EB USB Universal Host Controller - 24DE (driver 5.0.1006.0)
- Standard Enhanced PCI to USB Host Controller
- USB Composite Device
- USB Printing Support
- USB Root Hub
- USB Root Hub
- USB Root Hub
- USB Root Hub
- USB Root Hub

disassembling:
[...]
00569002 292 mov eax, [ebp-$1c]
00569005 push eax
00569006 mov eax, [ebp-$c]
00569009 mov ecx, 1
0056900e mov edx, [$57e2b0]
00569014 call -$162231 ($406de8) ; ~N.@DynArraySetLength
00569019 add esp, 4
0056901c 294 mov eax, [ebp-4]
0056901f mov eax, [eax+$20]
00569022 mov edx, [ebp-$20]
00569025 > mov eax, [eax+edx*4]
00569028 mov edx, [ebp-$c]
0056902b mov edx, [edx]
0056902d mov ecx, [ebp-$18]
00569030 mov [edx+ecx*4], eax
00569033 295 dec dword ptr [ebp-$20]
00569036 296 mov eax, [ebp-$c]
00569039 mov eax, [eax]
0056903b mov edx, [ebp-$18]
0056903e cmp dword ptr [eax+edx*4], 0
00569042 jge loc_568ff3
[...]

date/time : 2007-09-25, 20:35:28, 781ms
computer name : WILLIAMS
user name : ~N <admin>
registered owner : Terry
operating ~N : ~q XP ~S Pack 2 build 2600
~N language : English
~N up time : 2 hours 9 minutes
program up time : 2 hours 8 minutes
processor : Intel(R) Pentium(R) 4 CPU 3.00GHz
physical memory : 634/1023 MB (free/total)
free disk space : (C:) 96.52 GB
display mode : 1024x768, 32 bit
process id : $2dc
allocated memory : 64.95 MB
executable : ~A
exec. date/time : 2007-07-19 22:54
version : 3.5.6.56
~f version : 3.0c
callstack crc : $5d878a3f, $071a4a6e, $d5164327
exception number : 2
exception class : EAccessViolation
exception message : Access violation at address 00569025 in module '~A'. Read of address 04F3FFFC.

~R $518 (T~b):
00569025 ~A FastCrcLookup 294 TFastCrcLookup.Find
0056aa01 ~A TraceFileProvider 281 TTraceFileProvider.FilterByIndex
0056a89b ~A TraceFileProvider 250 TTraceFileProvider.FilterByIndex
005d2860 ~A IdentifyFileObj 1270 CheckFile
005d2e29 ~A IdentifyFileObj 1445 TIdentifyFileObj.OnFileFound
005a0c26 ~A CustomFileEnumerator 535 TCustomFileEnumerator.DoOnFileFound
005a0986 ~A CustomFileEnumerator 506 TCustomFileEnumerator.ProcessPartition
005d3c44 ~A IdentifyFileObj 1750 TIdentifyFileObj.SweepDirectories
005d46be ~A IdentifyFileObj 1913 TIdentifyFileObj.SweepSelectedLocations
005d4aa1 ~A IdentifyFileObj 2017 TIdentifyFileObj.Identify
0064a889 ~A ~b 463 SweepFiles
0064b522 ~A ~b 631 T~b.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $4d4 at:
006499ab ~A ~b 201 T~b.~o

modules:
0033~Q ~Piz~r 6.0.5441.0 C:\~I
004~Q0 ~A 3.5.6.56 C:\~j\Webroot\Spy Sweeper
033d~Q ztvunrar3~r C:\~j\Webroot\Spy Sweeper
0482~Q MailShld~r C:\~j\Webroot\Spy Sweeper
0ffd~Q rsaenh~r 5.1.2600.2161 C:\~I
1~Q000 pcre~r 6.1.0.0 C:\~j\Webroot\Spy Sweeper
2~Q000 xpsp2res~r 5.1.2600.2180 C:\~I
4299~Q iertutil~r 7.0.6000.16512 C:\~I
42c1~Q wininet~r 7.0.6000.16512 C:\~I
5ad6~Q vdmdbg~r 5.1.2600.2180 C:\~I
5b0a~Q umdmxfrm~r 5.1.2600.0 C:\~I
5b86~Q netapi32~r 5.1.2600.2976 C:\~I
5cd7~Q serwvdrv~r 5.1.2600.0 C:\~I
5d09~Q comctl32~r 5.82.2900.2982 C:\~I
5edd~Q olepro32~r 5.1.2600.2180 C:\~I
71aa~Q WS2HELP~r 5.1.2600.2180 C:\~I
71ab~Q WS2_32~r 5.1.2600.2180 C:\~I
71ad~Q wsock32~r 5.1.2600.2180 C:\~I
71b2~Q mpr~r 5.1.2600.2180 C:\~I
71bf~Q SAMLIB~r 5.1.2600.2180 C:\~I
75e9~Q SXS~r 5.1.2600.3019 C:\~I
7639~Q IMM32~r 5.1.2600.2180 C:\~I
763b~Q comdlg32~r 6.0.2900.2180 C:\~I
769c~Q userenv~r 5.1.2600.2180 C:\~I
76b4~Q winmm~r 5.1.2600.2180 C:\~I
76bf~Q PSAPI~r 5.1.2600.2180 C:\~I
76c3~Q WINTRUST~r 5.131.2600.2180 C:\~I
76c9~Q IMAGEHLP~r 5.1.2600.2180 C:\~I
76d6~Q iphlpapi~r 5.1.2600.2912 C:\~I
76f2~Q dnsapi~r 5.1.2600.2938 C:\~I
76f6~Q WLDAP32~r 5.1.2600.2180 C:\~I
76fd~Q CLBCATQ~r 2001.12.4414.308 C:\~I
7705~Q COMRes~r 2001.12.4414.258 C:\~I
7712~Q oleaut32~r 5.1.2600.3139 C:\~I
773d~Q comctl32~r 6.0.2900.2982 C:\~q\WinSxS\x86_Microsoft.~q.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03
774e~Q ole32~r 5.1.2600.2726 C:\~I
7769~Q NTMARTA~r 5.1.2600.2180 C:\~I
7792~Q SETUPAPI~r 5.1.2600.2180 C:\~I
77a8~Q crypt32~r 5.131.2600.2180 C:\~I
77b2~Q MSASN1~r 5.1.2600.2180 C:\~I
77c~Q0 version~r 5.1.2600.2180 C:\~I
77c1~Q msvcrt~r 7.0.2600.2180 C:\~I
77dd~Q ADVAPI32~r 5.1.2600.2180 C:\~I
77e7~Q RPCRT4~r 5.1.2600.2180 C:\~I
77f1~Q GDI32~r 5.1.2600.3159 C:\~I
77f6~Q SHLWAPI~r 6.0.2900.2995 C:\~I
77fe~Q secur32~r 5.1.2600.2180 C:\~I
7c8~Q0 ~H 5.1.2600.3119 C:\~I
7c9~Q0 ~i 5.1.2600.2180 C:\~I
7c9c~Q shell32~r 6.0.2900.3051 C:\~I
7d1e~Q msi~r 3.1.4000.4039 C:\~I
7e0c~Q ztvcabinet~r 5.0.2147.1 C:\~j\Webroot\Spy Sweeper
7e41~Q USER32~r 5.1.2600.3099 C:\~I

processes:
000 Idle
004 ~N ~P
09c smss.exe ~P C:\~I
0d8 csrss.exe ~P C:\~I
0f0 ~T.exe high C:\~I
11c ~Ss.exe ~P C:\~I
128 lsass.exe ~P C:\~I
1c4 svchost.exe ~P C:\~I
204 svchost.exe ~P C:\~I
238 MsMpEng.exe ~P C:\~j\~q Defender
27c aaw~S.exe ~P C:\~j\Lavasoft\Ad-Aware 2007
2c4 svchost.exe ~P C:\~I
2dc ~A ~P C:\~j\Webroot\Spy Sweeper
3d8 Explorer.EXE ~P C:\~q
540 ctfmon.exe ~P C:\~I
4a0 SafeSweeper.exe ~P C:\~j\Webroot\Spy Sweeper
7fc SSU.EXE ~P C:\~j\Webroot\Spy Sweeper

cpu registers:
eax = 050a~Q
ebx = ~Q~Q
ecx = fffffff8
edx = fffa7fff
esi = 00eeaca0
edi = 03f6f130
eip = 00569025
esp = 0548fa18
ebp = 0548fa38

stack dump:
0548fa18 ff 7f fa ff 10 80 05 00 - 00 80 05 00 ff ff 03 00 ................
0548fa28 ff ff ff 01 f0 b7 82 07 - ff ff ff ff 10 29 ee 00 .............)..
0548fa38 88 fa 48 05 06 aa 56 00 - 4c fa 48 05 b4 4c 40 00 ..H...V.L.H..L@.
0548fa48 88 fa 48 05 98 fa 48 05 - b4 4c 40 00 88 fa 48 05 ..H...H..L@...H.
0548fa58 08 fb 5c 00 00 00 00 00 - 00 00 00 00 0a 00 00 00 ..\.............
0548fa68 78 55 40 00 30 f1 f6 03 - 92 fa 48 05 08 fb 5c 00 xU@.0.....H...\.
0548fa78 ea 60 45 00 64 09 d7 06 - 00 00 00 03 50 80 f2 00 .`E.d.......P...
0548fa88 bc fa 48 05 a0 a8 56 00 - a4 fa 48 05 f0 b7 82 07 ..H...V...H.....
0548fa98 c8 fa 48 05 b4 4c 40 00 - bc fa 48 05 00 00 00 00 ..H..L@...H.....
0548faa8 32 2f 40 00 81 54 40 00 - 64 09 d7 06 5a d5 47 03 2/@..T@.d...Z.G.
0548fab8 50 80 f2 00 20 fb 48 05 - 65 28 5d 00 f0 b7 82 07 P.....H.e(].....
0548fac8 d4 fa 48 05 4b 4e 40 00 - 20 fb 48 05 e0 fa 48 05 ..H.KN@...H...H.
0548fad8 84 4a 40 00 20 fb 48 05 - 2c fb 48 05 b3 2b 5d 00 .J@...H.,.H..+].
0548fae8 20 fb 48 05 30 f1 f6 03 - a0 ac ee 00 08 fb 5c 00 ..H.0.........\.
0548faf8 00 00 00 00 2c fb 48 05 - db 06 5d 00 e3 06 5d 00 ....,.H...]...].
0548fb08 00 00 00 00 00 20 00 00 - f0 b7 82 07 64 09 d7 06 ............d...
0548fb18 00 00 e7 00 a4 07 df 06 - b8 fb 48 05 2e 2e 5d 00 ..........H...].
0548fb28 b8 fb 48 05 38 fb 48 05 - 4d 2e 5d 00 b8 fb 48 05 ..H.8.H.M.]...H.
0548fb38 c8 fb 48 05 3f 2f 5d 00 - b8 fb 48 05 f0 91 08 07 ..H.?/]...H.....
0548fb48 5c 01 21 00 00 00 00 00 - e4 fd 21 00 fc 6b df 06 \.!.......!..k..

main ~R ($2e0):
7c90eb94 ~i ~G
7e419416 USER32~r WaitMessage
004c3ad1 ~A Forms TApplication.Idle
004c2f97 ~A Forms TApplication.HandleMessage
005108c2 ~A SvcMgr T~SApplication.Run
006b0414 ~A WRSSSDK 391 ~J

~R $310 (TErrorEvent~R):
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
00483880 ~A SyncObjs 1242 THandleObject.WaitFor
004d3bef ~A Errors 1344 TErrorEvent~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
006adc1f ~A Errors 1379 ~J

~R $314 (TVolumeInfoRefresher):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
004f9de0 ~A VolumeInfo 275 TVolumeInfoRefresher.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
004f9ca2 ~A VolumeInfo 244 TVolumeInfoRefresher.~o

~R $31c (TCSIDLRefresh~R):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0056619a ~A CSIDLRefresh~R 97 TCSIDLRefresh~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
00566043 ~A CSIDLRefresh~R 57 TCSIDLRefresh~R.~o

~R $330 (T~TMgr):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
005e58ba ~A ~TNotifierMgr 362 T~TMgr.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
005e54f7 ~A ~TNotifierMgr 286 T~TMgr.~o

~R $338:
7c90eb94 ~i ~G
7c90e286 ~i NtReadFile
7c80186f ~H ReadFile
004e9569 ~A madCodeHook PipedIpc~R1
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
004e97e0 ~A madCodeHook ~oPipedIpcQueue

~R $33c:
7c90eb94 ~i ~G
7c90e286 ~i NtReadFile
7c80186f ~H ReadFile
004e9569 ~A madCodeHook PipedIpc~R1
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
004e97e0 ~A madCodeHook ~oPipedIpcQueue

~R $340 (~m7Manager):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068f059 ~A ~tSpyFS 2056 ~m7Manager.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068eebb ~A ~tSpyFS 2002 ~m7Manager.~o

~R $344 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $348 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $34c (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $350 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $354 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $358 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $35c (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $360 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $364 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $368 (~m7):
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
0068e7ae ~A ~tSpyFS 1877 ~m7.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
0068e62e ~A ~tSpyFS 1824 ~m7.~o

~R $3d4 (TMemManagement~R):
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
006a4678 ~A AVEngine 3532 TMemManagement~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
006a45c3 ~A AVEngine 3516 TMemManagement~R.~o

~R $3ec (TExternalSignalWatcher): <priority:-1>
7c90eb94 ~i ~G
7c90e9a9 ~i ~l
7c8094dc ~H ~LEx
7c80a070 ~H ~L
00634b01 ~A SelfProtectCommon 121 TExternalSignalWatcher.CheckForSignal
00634d98 ~A SelfProtectCommon 189 TExternalSignalWatcher.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
00634dcb ~A SelfProtectCommon 195 TExternalSignalWatcher.~o

~R $3f0 (T~S~s~R):
7c90eb94 ~i ~G
7c90e286 ~i NtReadFile
7c80186f ~H ReadFile
77e37dc7 ADVAPI32~r ~s~SCtrlDispatcherA
00510723 ~A SvcMgr T~S~s~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~k ($2e0) at:
005106bb ~A SvcMgr T~S~s~R.~o

~R $3f4:
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
00474184 ~A ~g T~R.WaitFor
0050fb35 ~A SvcMgr T~S.Do~s
0050fa64 ~A SvcMgr T~S.Main
0050ffbb ~A SvcMgr T~SApplication.Dispatch~SMain
0050fd6a ~A SvcMgr ~SMain
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $3f0 (T~S~s~R) at:
77deb355 ADVAPI32~r

~R $3f8 (T~S~R):
7c90eb94 ~i ~G
7e42e03d USER32~r GetMessageA
0050f2c0 ~A SvcMgr T~S~R.ProcessRequests
006a8385 ~A WRSSSDK~S 287 TsvcWRSSSDK.~S~C
0050f130 ~A SvcMgr T~S~R.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $3f4 at:
0050f02b ~A SvcMgr T~S~R.~o

~R $3fc (TGlobalSelfProtect~sup):
7c90eb94 ~i ~G
7c90e9be ~i Nt~K
7c8025c5 ~H ~KEx
7c80252d ~H ~K
004f4b33 ~A ~O 450 T~O.GetDriverInitialized
00635740 ~A GlobalSelfProtect 88 TGlobalSelfProtect~sup.~C
0044fd5b ~A ~f ~M~C
00473b20 ~A ~g ~F
004053d4 ~A ~N 36 ~c
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $3f8 (T~S~R) at:
00636561 ~A GlobalSelfProtect 408 Initalize

~R $574:
7c90eb94 ~i ~G
7c90e397 ~i NtReplyWaitReceivePortEx
0044fc3d ~A ~f ~E
0044fca7 ~A ~f ~e
>> ~od by ~R $400 at:
77e8760d R
irving3
Active Member
 
Posts: 7
Joined: September 17th, 2007, 12:10 am

Unread postby Katana » October 21st, 2007, 7:02 am

11:50 PM: Quarantining All Traces: ldpinch trojan


It doesn't seem to mention what file or registry entry that it is quarantining.
Does the program have a quarantine section where you can view what has been moved ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby Katana » October 24th, 2007, 1:36 pm

Do you still need any help ?
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby Gary R » November 4th, 2007, 5:21 am

Due to lack of response this topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
Gary R
Administrator
Administrator
 
Posts: 21785
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 42 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware