Resolved HJT Threads - Resolved spyware and popup issues.

#1
Registered User
Join Date: Dec 2007
Posts: 11
OS: XP
CPU usage @ 100%
*** REDIRECTED FROM WINXP SUPPORT INDICATING MALWARE ISSUE***
Hi - There's plenty to be said about CPU usage at 100% but it all seems pretty specific to the user and mine is no exception - by the way it's taken a good 15 mins and a few IE crashes to get this far!

Some background:
OS XP - SP3
3.4GHz P4
1GB RAM
200GB HDD
No apps open apart from IE
CPU Usage 100%
PF Usage 502MB (not sure what this is)

Top 3 processes eating CPU usage (give or take):
ULCDRSvr.exe - 45% (I do have Ulead installed & have had for a year or so)
WKUFind.exe - 35% (Seems MS related - so not sure if I should kill it)
CSRSS.exe - 21% (Most sites indicate MS related but a few indicate a virus!)

I've bought and run a registry cleaner, which took over 24 hours to run and a further 12 to clean. I use Kaspersky Internet Security v8 - all up to date - and run Ad-Aware 08.

Any thoughts - because I'm at my wits' end (albeit glad this post didn't crash my PC!)

Many thanks in advance.

The GMER text is pasted below as I can't attach it. Info is attached. Can't thank anyone enough for any assistance.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-31 18:02:33
Windows 5.1.2600 Service Pack 3
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ... ---- Files - GMER 1.0.14 ---- File C:\WINDOWS\system32\twain_32 0 bytes File C:\WINDOWS\system32\twain_32\local.ds 22803 bytes File C:\WINDOWS\system32\twain_32\user.ds 0 bytes File C:\WINDOWS\system32\twext.exe 52224 bytes executable ---- EOF - GMER 1.0.14 ---- |
#2 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,420
OS: N/A
|
Re: CPU usage @ 100%
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/comb...o-use-combofix Post the log from ComboFix when you've accomplished that |
#3 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 11
OS: XP
|
Re: CPU usage @ 100%
sUBs -
Here's the log... I've uninstalled Ulead as it seemed to be hogging CPU usage. Another symptom of my troubles is that I am unable to access other users' spaces from the initial screen: whichever user I click on first, I can see their desktop, but going back to the initial screen and clicking on another user's icon just goes to a blue screen and then reverts to the screen with the icons. If I log out and go to that user I can enter their desktop, but again on switching user, no dice. There are no error messages.

Log dump is as follows. Many thanks for taking the time to review.

ComboFix 08-11-03.06 - Tim 2008-11-04 18:11:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.536 [GMT 0:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\documents and settings\NetworkService\Application Data\twain_32
c:\documents and settings\NetworkService\Application Data\twain_32\user.ds
c:\program files\FunWebProducts
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
L:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 )))))))))))))))))))))))))))))))
.
2008-11-04 15:05 . 2008-11-04 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\SITEguard
2008-11-04 15:03 . 2008-11-04 15:03 <DIR> d-------- c:\program files\Common Files\iS3
2008-11-04 15:03 . 2008-11-04 17:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\STOPzilla!
2008-11-02 13:51 . 2008-11-02 13:51 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-02 13:47 . 2008-11-02 19:34 <DIR> d-------- c:\program files\NOS
2008-11-02 13:47 . 2008-11-02 19:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS
2008-10-31 22:40 . 2008-11-02 13:59 1,750 --a------ c:\windows\system32\%LocalXml%
2008-10-31 19:47 . 2008-10-31 19:47 <DIR> d-------- c:\program files\Lavasoft
2008-10-31 17:25 . 2008-10-31 17:25 250 --a------ c:\windows\gmer.ini
2008-10-31 17:21 . 2008-10-31 17:21 <DIR> d-------- C:\rsit
2008-10-31 17:21 . 2008-10-31 17:21 <DIR> d-------- c:\program files\trend micro
2008-10-31 11:30 . 2008-10-31 11:30 <DIR> d-------- c:\documents and settings\Tim\Application Data\System Tweaker
2008-10-31 11:17 . 2008-10-31 11:19 <DIR> d-------- c:\documents and settings\Sammy
2008-10-29 10:52 . 2008-11-04 17:52 <DIR> d-------- c:\program files\Uniblue
2008-10-27 21:12 . 2004-08-03 22:41 404,990 --a------ c:\windows\system32\drivers\slntamr.sys
2008-10-27 21:12 . 2004-08-03 22:41 404,990 --a--c--- c:\windows\system32\dllcache\slntamr.sys
2008-10-27 21:12 . 2004-08-03 22:41 95,424 --a------ c:\windows\system32\drivers\slnthal.sys
2008-10-27 21:12 . 2004-08-03 22:41 95,424 --a--c--- c:\windows\system32\dllcache\slnthal.sys
2008-10-27 21:12 . 2008-04-14 01:12 73,796 --a------ c:\windows\system32\slserv.exe
2008-10-27 21:12 . 2008-04-14 01:12 73,796 --a--c--- c:\windows\system32\dllcache\slserv.exe
2008-10-27 21:12 . 2008-04-14 01:12 32,866 --a--c--- c:\windows\system32\dllcache\slrundll.exe
2008-10-27 21:12 . 2008-04-14 01:12 32,866 --a------ c:\windows\slrundll.exe
2008-10-24 16:21 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 13:52 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 13:52 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 13:52 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 13:52 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-16 13:52 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 13:52 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-04 19:18 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-04 18:30 950,304 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-04 18:30 4,594,720 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-04 18:30 4,328 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-04 18:30 36,976 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-02 13:49 --------- d-----w c:\program files\Common Files\Adobe
2008-11-02 13:28 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-11-01 07:51 96,976 ----a-w c:\windows\system32\drivers\klin.dat
2008-10-31 19:50 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-31 19:44 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-27 21:54 --------- d-----w c:\program files\Google
2008-10-27 21:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-27 21:05 --------- d-----w c:\program files\Abacast
2008-10-20 17:56 9,548 ----a-w c:\documents and settings\Toy\Application Data\wklnhst.dat
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-05 10:17 --------- d-----w c:\documents and settings\All Users\Application Data\Acronis
2008-09-05 10:13 --------- d-----w c:\documents and settings\Toy\Application Data\Nokia Multimedia Player
2008-04-14 00:11 178,688 ----a-r c:\documents and settings\Sam\Application Data\twext.exe
2008-03-24 10:36 0 ----a-w c:\documents and settings\Charlotte\Application Data\wklnhst.dat
2008-03-16 09:14 19,622 ----a-w c:\documents and settings\Tim\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2006-11-28 2658304]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-09 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-09 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-09 136472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-30 28672]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2004-06-09 471040]

[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^Sky Alerts.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\Sky Alerts.lnk
backup=c:\windows\pss\Sky Alerts.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--------- 2003-06-09 23:11 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-28 11:51 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX1000]
--a------ 2007-04-10 21:46 709992 c:\windows\vVX1000.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-16 18:39 69632 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Streamload\\MediaMax XL\\MediaMax XL.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;c:\windows\system32\DRIVERS\tdrpman.sys [2008-07-21 368480]
R2 TryAndDecideService;Acronis Try And Decide Service;c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2008-04-09 492896]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S3 VX1000;VX-1000;c:\windows\system32\DRIVERS\VX1000.sys [2007-04-10 1966312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{541241c9-e1ec-11dc-9bef-0016e6949159}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-02 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert\AdwareAlert.exe []

2008-11-02 c:\windows\Tasks\AdwareAlert Scheduled Scan.job
- c:\program files\AdwareAlert []

2008-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-11-03 c:\windows\Tasks\User_Feed_Synchronization-{00AF2119-2240-4640-90C9-E2566154122A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\29atcpyr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-04 19:18:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Streamload\MediaMax XL\StreamloadService.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-04 19:26:54 - machine was rebooted [Tim]
ComboFix-quarantined-files.txt 2008-11-04 19:26:48

Pre-Run: 149,888,507,904 bytes free
Post-Run: 151,337,107,456 bytes free

195 --- E O F --- 2008-10-24 16:35:07
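Added example (editor's note; not part of the thread and not ComboFix's own code): a small Python audit of the "Reg Loading Points" section of the ComboFix log posted above. It parses the REGEDIT4-style key/value lines and picks out the settings a trojan typically tampers with: the Security Center AntiVirusOverride/FirewallOverride and DisableMonitoring values, EnableFirewall=0 in the standard profile, and the mountpoints2 AutoRun command. It also flags any Run entry whose executable sits under a user profile's Application Data or Temp folder, which is where this infection's twext.exe was found. Every hit in the real log is something a third-party suite taking over the Security Center and firewall role, or a U3 USB stick, could legitimately account for, so those are reported as "verify" rather than "suspicious"; the constructed Run entry at the end (hypothetical value name, not from the log) shows what a "suspicious" hit looks like.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for settings a
trojan typically tampers with: Windows Security Center overrides, a disabled
Windows Firewall, AutoRun commands recorded for mounted volumes, and
autostart entries that launch from a user profile's Application Data or Temp
folder."""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
USER_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")
BS = "\\"


def parse_value(raw):
    """Turn ComboFix's rendering of a registry value into an int or a string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)                  # "dword:00000001" -> 1
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)", raw)
    if m:
        return int(m.group(1))                   # "0 (0x0)" -> 0
    m = re.match(r'"([^"]*)"', raw)
    if m:
        return m.group(1)                        # '"c:\...\x.exe" [date size]' -> path
    return raw


def parse_loading_points(text):
    """Return (key, value name, value) triples. AutoRun command lines, which
    ComboFix prints without a value name, get the pseudo-name 'AutoRun'."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append((key, "AutoRun", m.group("cmd")))
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group("name"), parse_value(m.group("raw"))))
    return entries


def audit(text):
    """Return (severity, message) findings. 'verify' marks settings a security
    suite may legitimately set but that must be confirmed by hand;
    'suspicious' marks an autostart from a user-writable profile folder."""
    findings = []
    for key, name, value in parse_loading_points(text):
        k = key.lower()
        if k.endswith("\\security center") and name in ("AntiVirusOverride", "FirewallOverride") and value == 1:
            findings.append(("verify", f"Security Center {name}=1: warnings for this component are suppressed"))
        elif "\\security center\\monitoring\\" in k and name == "DisableMonitoring" and value == 1:
            product = key.rsplit(BS, 1)[-1]
            findings.append(("verify", f"Security Center monitoring disabled for {product}"))
        elif k.endswith("\\firewallpolicy\\standardprofile") and name == "EnableFirewall" and value == 0:
            findings.append(("verify", "Windows Firewall is off in the standard profile"))
        elif name == "AutoRun":
            findings.append(("verify", f"AutoRun command recorded for a mounted volume: {value}"))
        elif k.endswith("\\currentversion\\run") and isinstance(value, str) \
                and any(d in value.lower() for d in USER_DIRS):
            findings.append(("suspicious", f"Run entry '{name}' launches from a user-profile folder: {value}"))
    return findings


# Excerpt copied from the ComboFix log posted above.
SAMPLE_LOADING_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{541241c9-e1ec-11dc-9bef-0016e6949159}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
"""

# Constructed for illustration (hypothetical value name, NOT from the log):
# a Run value pointing at the twext.exe path the Find3M report listed.
CONSTRUCTED_RUN = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"userhelper"="c:\documents and settings\Sam\Application Data\twext.exe" [2008-04-14 178688]
"""

if __name__ == "__main__":
    for text in (SAMPLE_LOADING_POINTS, CONSTRUCTED_RUN):
        for severity, message in audit(text):
            print(f"[{severity}] {message}")
```

The checks are deliberately conservative: with Kaspersky Internet Security installed, the override and EnableFirewall=0 values are what you would expect, so the tool only asks you to confirm them, while the path-based Run check is the one that should never fire on a clean machine.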
#4 (permalink) | ||
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,420
OS: N/A
|
Re: CPU usage @ 100%
High CPU usage is from the zbot infection as indicated by the GMER scan.

Quote:
c:\documents and settings\Sam\Application Data\twext.exe

Let's clear loose ends. Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
rem Start with a clean failure log.
if exist "%temp%\log.txt" del "%temp%\log.txt"
rem Try to delete each leftover; anything that survives is written to the log.
for %%g in (
"c:\windows\Tasks\AdwareAlert Scheduled Scan.job"
"c:\documents and settings\Sam\Application Data\twext.exe"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
rem Show the survivors in Notepad, or report success.
if exist "%temp%\log.txt" (
start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
rem nircmd.exe (expected on the PATH) pauses 7 seconds so the message can be read, then the script deletes itself.
nircmd wait 7000
del %0

It should look like this:

Double click on fix.bat & allow it to run
Post back to tell me what it says
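Added example (editor's note; not part of the thread and not GMER's code): a Python triage of the IAT lines in the GMER log from the first post, to make explicit what "indicated by the GMER scan" means. GMER prints one line per patched import-table slot, `IAT <process>[<pid>] @ <module> [<dll>!<import>] <hook address>`. No single line is damning; the signature is the same six imports redirected in unrelated processes (Hotsync.exe, Explorer.EXE, wmiprvse.exe, even gmer.exe itself) to addresses that share a page offset, such as 001352EC, 00D852EC and 004052EC for NtQueryDirectoryFile. That is one injected code blob mapped at a different base in each process. The block embeds a 16-line excerpt of that log as its sample; the per-import "purpose" strings are general knowledge about user-mode banking trojans, not statements from the thread.

```python
"""Triage the 'IAT' hook lines of a GMER log: group hooks by process and
report imports hooked in two or more processes at the same page offset,
the mark of one injected payload present in every process."""
import re
from collections import defaultdict

IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>.+?)\s+"
    r"\[(?P<imp>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]{8})$"
)

# What a user-mode banking trojan gains from each hook (general knowledge,
# not something the thread states).
PURPOSE = {
    "ntdll.dll!NtQueryDirectoryFile": "hide its files from directory listings",
    "ntdll.dll!LdrLoadDll": "re-hook DLLs as they are loaded",
    "ntdll.dll!LdrGetProcedureAddress": "hide the hooks from GetProcAddress callers",
    "ntdll.dll!NtCreateThread": "follow execution into new threads",
    "USER32.dll!TranslateMessage": "capture keystrokes",
    "USER32.dll!GetClipboardData": "capture clipboard contents",
}


def parse_iat(lines):
    """Return one dict per IAT line (proc, pid, module, imp, addr); other lines are ignored."""
    hooks = []
    for line in lines:
        m = IAT_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["addr"] = int(h["addr"], 16)
            hooks.append(h)
    return hooks


def triage(lines):
    """Return the hooked processes and the imports hooked in >= 2 of them
    at one shared page offset (low 16 bits of the hook address)."""
    per_proc = defaultdict(dict)          # (pid, proc) -> {import: hook addr}
    for h in parse_iat(lines):
        per_proc[(h["pid"], h["proc"])][h["imp"]] = h["addr"]
    per_imp = defaultdict(dict)           # import -> {pid: hook addr}
    for (pid, _), imps in per_proc.items():
        for imp, addr in imps.items():
            per_imp[imp][pid] = addr
    shared = []
    for imp, by_pid in sorted(per_imp.items()):
        offsets = {addr & 0xFFFF for addr in by_pid.values()}
        if len(by_pid) >= 2 and len(offsets) == 1:
            shared.append({
                "import": imp,
                "offset": offsets.pop(),
                "pids": sorted(by_pid),
                "purpose": PURPOSE.get(imp, "unknown"),
            })
    return {
        "processes": sorted(f"{proc}[{pid}]" for pid, proc in per_proc),
        "shared_hooks": shared,
    }


# Excerpt of the GMER log posted above (16 of its IAT lines, copied as-is).
SAMPLE_LOG = r"""
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00135238
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 001351D3
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 001351A1
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TranslateMessage] 00135877
IAT C:\Program Files\palmOne\Hotsync.exe[3308] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 001355AD
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 00D852EC
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00D85238
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] 00D851D3
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateThread] 00D851A1
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 00D855AD
IAT C:\WINDOWS\Explorer.EXE[3404] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!TranslateMessage] 00D85877
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 004052EC
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] 00405238
IAT C:\WINDOWS\system32\wbem\wmiprvse.exe[3692] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 004055AD
IAT C:\DOCUME~1\Tim\LOCALS~1\Temp\Temporary Directory 1 for gmer[1].zip\gmer.exe[4060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] 001352EC
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("hooked processes:", *report["processes"], sep="\n  ")
    for h in report["shared_hooks"]:
        print(f"{h['import']:<36} offset 0x{h['offset']:04X} in pids {h['pids']}: {h['purpose']}")
```

The Threads section of the same log shows the signature from another angle: every thread GMER lists (532:3864 at 00365125, 2364:3560 at 00405125, and so on) has a start address ending in 5125, the same entry point inside a blob mapped at a different base in each process. Note that a legitimate security product can also hook imports system-wide; what separates this from the Kaspersky hooks in the SSDT section is that GMER could attribute those to a named driver, whereas these point into anonymous memory.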
#5 (permalink) | |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,420
OS: N/A
|
Re: CPU usage @ 100%
Quote:
#6 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 11
OS: XP
|
Re: CPU usage @ 100%
re fix.bat ...."deleted successfully!!"
re registry cleaner, lesson learned...no undo as I've uninstalled it after reading reg cleaner articles...hum...I feel I'm digging a big hole for myself! |
#7 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,420
OS: N/A
|
Re: CPU usage @ 100%
Would you like to undo the changes it made? If so, we can invoke System Restore to a point before running the Reg cleaner. That also means we need to re-do the ComboFix run.
#8 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 11
OS: XP
|
Re: CPU usage @ 100%
sUBs
V/Good advice - I can run that from the utility within XP and then re-run your Combo fix. I'll re-post the log when I have. Sounds like a plan?? I am not able to do it now but will do when I finish work...Thanks again - your time is appreciated. |
#9 (permalink) |
|
Registered User
Join Date: Dec 2007
Posts: 11
OS: XP
|
Re: CPU usage @ 100%
sUBs - slight delay as been stuck at work for a day or two (big probs!) -
Question - I've backed everything up (external HDD), do you think I might as well format and reinstall the OS (etc). |
#10 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,420
OS: N/A
|
Re: CPU usage @ 100%
Well, there's no malware present. We sorted that part out. So reinstalling may seem a bit of a waste.
Then again, a freshly formatted machine really does perform better. But you probably need at least a week to re-install all your other apps & get the machine back to the way you like. Ball is in your court