Full Version: I have some problems
Piriform Community Forums > Computer Help and Discussion > Spyware Hell
w/e
I think that my computer is infested to a point where I am considering reformatting.
On startup, sometimes the user login buttons don't react and if they do, and I log in, my computer doesn't load explorer.exe and I have to load it manually through the task manager.

Here is a Hijack This log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:50:27 AM, on 3/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\ntps.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\lcyss.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
F:\Programs\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rsbmsc.exe
F:\Programs\iTunes\iTunes.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Downloads\Install\Security\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://89.188.16.10/trafc-2/rfe.php?cmp=nm...mp;lid=http>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O2 - BHO: (no name) - {282CB562-B5BF-494B-9DED-DEC287D5FD22} - C:\WINDOWS\system32\pmnlm.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\bdvgcdyx.dll
O2 - BHO: (no name) - {F57D8DBE-5520-46F3-8A0A-484F4E6F8F71} - C:\WINDOWS\system32\yayayvs.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3014E~2\Bar888.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\ckyfxaey.dll",setvm
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [E22A87D3] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKLM\..\RunServices: [sklrr7y1698808] C:\WINDOWS\system32\sklrr7y1698808.exe
O4 - HKLM\..\RunServices: [nlkfev71022872] C:\WINDOWS\system32\nlkfev71022872.exe
O4 - HKLM\..\RunServices: [cjnr4r46381370] C:\WINDOWS\system32\cjnr4r46381370.exe
O4 - HKLM\..\RunServices: [nlkfev71529707] C:\WINDOWS\system32\nlkfev71529707.exe
O4 - HKLM\..\RunServices: [cjnr4r46713985] C:\WINDOWS\system32\cjnr4r46713985.exe
O4 - HKLM\..\RunServices: [mlsdf8h2228989] C:\WINDOWS\system32\mlsdf8h2228989.exe
O4 - HKLM\..\RunServices: [nlkfev71527642] C:\WINDOWS\system32\nlkfev71527642.exe
O4 - HKLM\..\RunServices: [dior4f45810081] C:\WINDOWS\system32\dior4f45810081.exe
O4 - HKLM\..\RunServices: [nlkfev71082637] C:\WINDOWS\system32\nlkfev71082637.exe
O4 - HKLM\..\RunServices: [cjnr4r4418460] C:\WINDOWS\system32\cjnr4r4418460.exe
O4 - HKLM\..\RunServices: [tmbs] C:\WINDOWS\system32\tmbs.exe
O4 - HKLM\..\RunServices: [E22A87D3] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fuko] C:\PROGRA~1\COMMON~1\fuko\fukom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Arat] "C:\PROGRA~1\SSTEM3~1\ntvdm.exe" -vt yazb (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ldc] "C:\Documents and Settings\LocalService\My Documents\?ystem\m?dtc.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{D014E67D-0710-1033-0502-061230050001}] "C:\Program Files\Common Files\{D014E67D-0710-1033-0502-061230050001}\Update.exe" mc-110-12-0000501 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{D014E67D-0710-1033-0502-061230050001}] "C:\Program Files\Common Files\{D014E67D-0710-1033-0502-061230050001}\Update.exe" mc-110-12-0000501 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150149836514
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\System32\netdde.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)
O20 - Winlogon Notify: hggdawu - hggdawu.dll (file missing)
O20 - Winlogon Notify: p4reg - C:\WINDOWS\SYSTEM32\p432.dll
O20 - Winlogon Notify: pmnlm - C:\WINDOWS\system32\pmnlm.dll
O20 - Winlogon Notify: qomkjgd - qomkjgd.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: yayayvs - C:\WINDOWS\SYSTEM32\yayayvs.dll
O20 - Winlogon Notify: yaywxut - yaywxut.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Qm9yaXMgQm9ndXNsYXZza3k\command.exe (file missing)
O23 - Service: Data System Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Public Machine - Unknown owner - C:\WINDOWS\system32\lcyss.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\nlkfev7ozjsbktclv.exe (file missing)
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
O23 - Service: Print Spooler Service (xnctyur5toasoeee) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

--
End of file - 12826 bytes

Any help is appreciated.
rridgely
Your computer is really infected. You can reformat it if you want, but if you want me to help you clean it, that can be done too.
It's probably faster to reformat than clean this up, but it's your choice.

If you want to clean this up, follow this guide and come back with everything it asks for:
http://forum.piriform.com/index.php?showtopic=6329
w/e
I have decided to clean it. After step one, a lot of problems were already gone.
Let's hope the rest is just clean-up. I will post a final Hijack This log soon.
AndyManchesta

Hi W/E

If you have the time, could you upload some files for me please?

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\system32\lcyss.exe
C:\WINDOWS\system32\ntps.exe
C:\WINDOWS\system32\tmbs.exe
C:\WINDOWS\system32\sklrr7y1698808.exe
C:\WINDOWS\system32\nlkfev71022872.exe
C:\WINDOWS\system32\cjnr4r46713985.exe
C:\WINDOWS\system32\nlkfev7ozjsbktclv.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next please visit SpyKillers forum here

http://www.thespykiller.co.uk/index.php?board=1.0

Read the instructions for uploading files, which is the first topic on the forum, then start a new topic named 'Files From CCleaners Forum'. Please then post a link to this thread and upload the requested-files .cab archive from your desktop.

Thanks

Andy
w/e
http://www.thespykiller.co.uk/index.php?topic=3857.new#new

Did all that.
I went through the whole guide, but couldn't save some of the log files.
Here is the new Hijack This log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:14:39 AM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\ntps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\lcyss.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
F:\Programs\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
F:\Downloads\Install\Security\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehelper.net/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://89.188.16.10/trafc-2/rfe.php?cmp=nm...mp;lid=http>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [sklrr7y1698808] C:\WINDOWS\system32\sklrr7y1698808.exe
O4 - HKLM\..\RunServices: [nlkfev71022872] C:\WINDOWS\system32\nlkfev71022872.exe
O4 - HKLM\..\RunServices: [cjnr4r46381370] C:\WINDOWS\system32\cjnr4r46381370.exe
O4 - HKLM\..\RunServices: [nlkfev71529707] C:\WINDOWS\system32\nlkfev71529707.exe
O4 - HKLM\..\RunServices: [cjnr4r46713985] C:\WINDOWS\system32\cjnr4r46713985.exe
O4 - HKLM\..\RunServices: [mlsdf8h2228989] C:\WINDOWS\system32\mlsdf8h2228989.exe
O4 - HKLM\..\RunServices: [nlkfev71527642] C:\WINDOWS\system32\nlkfev71527642.exe
O4 - HKLM\..\RunServices: [dior4f45810081] C:\WINDOWS\system32\dior4f45810081.exe
O4 - HKLM\..\RunServices: [nlkfev71082637] C:\WINDOWS\system32\nlkfev71082637.exe
O4 - HKLM\..\RunServices: [cjnr4r4418460] C:\WINDOWS\system32\cjnr4r4418460.exe
O4 - HKLM\..\RunServices: [tmbs] C:\WINDOWS\system32\tmbs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fuko] C:\PROGRA~1\COMMON~1\fuko\fukom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ldc] "C:\Documents and Settings\LocalService\My Documents\?ystem\m?dtc.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FF1E172.exe] C:\WINDOWS\TEMP\_A00FF1E172.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{D014E67D-0710-1033-0502-061230050001}] "C:\Program Files\Common Files\{D014E67D-0710-1033-0502-061230050001}\Update.exe" mc-110-12-0000501 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{D014E67D-0710-1033-0502-061230050001}] "C:\Program Files\Common Files\{D014E67D-0710-1033-0502-061230050001}\Update.exe" mc-110-12-0000501 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150149836514
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\System32\netdde.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)
O20 - Winlogon Notify: hggdawu - hggdawu.dll (file missing)
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O20 - Winlogon Notify: qomkjgd - qomkjgd.dll (file missing)
O20 - Winlogon Notify: yayayvs - yayayvs.dll (file missing)
O20 - Winlogon Notify: yaywxut - yaywxut.dll (file missing)
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - C:\WINDOWS\system32\tonlmr32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Data System Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Public Machine - Unknown owner - C:\WINDOWS\system32\lcyss.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\nlkfev7ozjsbktclv.exe (file missing)
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 12277 bytes

I have also attached the AVG Scan Log.
AndyManchesta
Hi w/e

Only 3 of the files were packed, so the others may have already been removed or they are being protected. ntps.exe & lcyss.exe are backdoor trojans and tmbs.exe is corrupt and doesn't run. The two backdoor infections downloaded a very nasty bundle including info stealers and a rootkit (pe386); it also added a keylogger and replaced iexplore.exe with a modified version, I assume to monitor all Internet activity. If the keylogger file is removed from system32 then iexplore.exe doesn't run, so we will have to deal with that part a bit later and have them scanned first to see if it has been changed on yours. I'd also like you to scan Firefox's .exe to make sure that hasn't been modified in the same way.

Download SDFix and save it to the desktop

Download this file - combofix.exe and save it to your desktop.

Download Rustbfix from one of these locations:

http://www.uploads.ejvindh.net/rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop (again).

Please copy these instructions to Notepad and save them to your desktop, as some of these steps need running in Safe Mode and others require reboots.

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix). Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Run Hijack This and choose Do A System Scan, then place a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = ht*p://89.188.16.10/trafc-2/rfe.php?cmp=nm...mp;lid=http>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\RunServices: [sklrr7y1698808] C:\WINDOWS\system32\sklrr7y1698808.exe
O4 - HKLM\..\RunServices: [nlkfev71022872] C:\WINDOWS\system32\nlkfev71022872.exe
O4 - HKLM\..\RunServices: [cjnr4r46381370] C:\WINDOWS\system32\cjnr4r46381370.exe
O4 - HKLM\..\RunServices: [nlkfev71529707] C:\WINDOWS\system32\nlkfev71529707.exe
O4 - HKLM\..\RunServices: [cjnr4r46713985] C:\WINDOWS\system32\cjnr4r46713985.exe
O4 - HKLM\..\RunServices: [mlsdf8h2228989] C:\WINDOWS\system32\mlsdf8h2228989.exe
O4 - HKLM\..\RunServices: [nlkfev71527642] C:\WINDOWS\system32\nlkfev71527642.exe
O4 - HKLM\..\RunServices: [dior4f45810081] C:\WINDOWS\system32\dior4f45810081.exe
O4 - HKLM\..\RunServices: [nlkfev71082637] C:\WINDOWS\system32\nlkfev71082637.exe
O4 - HKLM\..\RunServices: [cjnr4r4418460] C:\WINDOWS\system32\cjnr4r4418460.exe
O4 - HKLM\..\RunServices: [tmbs] C:\WINDOWS\system32\tmbs.exe
O4 - HKUS\S-1-5-18\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fuko] C:\PROGRA~1\COMMON~1\fuko\fukom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ldc] "C:\Documents and Settings\LocalService\My Documents\?ystem\m?dtc.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FF1E172.exe] C:\WINDOWS\TEMP\_A00FF1E172.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{D014E67D-0710-1033-0502-061230050001}] "C:\Program Files\Common Files\{D014E67D-0710-1033-0502-061230050001}\Update.exe" mc-110-12-0000501 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{D014E67D-0710-1033-0502-061230050001}] "C:\Program Files\Common Files\{D014E67D-0710-1033-0502-061230050001}\Update.exe" mc-110-12-0000501 (User 'Default user')
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)
O20 - Winlogon Notify: hggdawu - hggdawu.dll (file missing)
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
O20 - Winlogon Notify: qomkjgd - qomkjgd.dll (file missing)
O20 - Winlogon Notify: yayayvs - yayayvs.dll (file missing)
O20 - Winlogon Notify: yaywxut - yaywxut.dll (file missing)
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - C:\WINDOWS\system32\tonlmr32.dll (file missing)
O23 - Service: Data System Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: Remote Public Machine - Unknown owner - C:\WINDOWS\system32\lcyss.exe
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\nlkfev7ozjsbktclv.exe (file missing)

Close all open browsers and other windows except for Hijack This and press the Fix Checked button.
  • Open the extracted SDFix folder on the C:\ drive and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Copy and paste the contents of the results file Report.txt into your next reply.

Double click on rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically. After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles back on the forum.

Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running, as it may cause it to stall.

Next, please go to Start > Run and copy and paste:

regedit.exe /e /a %systemdrive%\checkreg.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

Press OK and it will export the information from the registry and save it to a text file named checkreg.txt on the C:\ drive. Please post the contents of that text file in your next reply.

Finally, visit VirusTotal and have this file scanned:

C:\Program Files\Internet Explorer\iexplore.exe

Open the scan site and press Browse, locate the file and double click it to load the path into the Virus scan window, then press Send. Copy and paste the Virus scan results back, and let us know if you have any problems finding the file.

Please also have these files scanned and post back the results:

C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system32\nwprovau.dll

Then post back the SDFix log (Report.txt), Combofix log, Rustbfix log, VirusTotal results for the 3 files above and a new HijackThis log.

Let us know if you have any problems.

Andy
w/e
SDFix Report:


SDFix: Version 1.75

Run by Spymercinator - Mon 03/26/2007 - 17:26:05.42

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Data System Manager
NETAPI
nlc
Remote Public Machine
TIME

ImagePath:
"C:\WINDOWS\system32\vcmon.exe"
"C:\WINDOWS\system32\ntps.exe"
C:\WINDOWS\system32\mbti.exe
"C:\WINDOWS\system32\lcyss.exe"
C:\WINDOWS\system32\nlkfev7ozjsbktclv.exe

Data System Manager Deleted
NETAPI Deleted
nlc Deleted
Remote Public Machine Deleted
TIME Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\-80393~1 - Deleted
C:\WINDOWS\system32\lcyss.exe - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\ntps.exe - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\Temp\ma1x1dd1.game - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Boris Boguslavsky\\Downloads\\Install\\Torrents\\utorrent 1.6.exe"="C:\\Boris Boguslavsky\\Downloads\\Install\\Torrents\\utorrent 1.6.exe:*:Enabled:µTorrent"
"C:\\Program Files\\UT2004\\System\\UT2004.exe"="C:\\Program Files\\UT2004\\System\\UT2004.exe:*:Enabled:UT2004"
"C:\\Program Files\\utorrent 1.6.exe"="C:\\Program Files\\utorrent 1.6.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\GigaTribe\\gigatribe.exe"="C:\\Program Files\\GigaTribe\\gigatribe.exe:*:Disabled:gigatribe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll
C:\WINDOWS\system32\avisynth.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\Smab.dll
C:\WINDOWS\system32\yv12vfw.dll
C:\Documents and Settings\LocalService\My Documents\?ystem\m?dtc.exe
C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\x2.64.exe
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\7E6D4831D5.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18e6249b8450d77cf6ed574f86bc70653\download\BIT1E.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\242de31122d71e92d2d0d6941af860fd\BIT19.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\2f9842441d37acc66b89543d164cf107\download\BIT20.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5f82b9c25e211d842f46cb17d524e84b\download\BIT1F.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\a74cd16b62bee306fe420912d3ca376f\download\BIT1A.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\aaa3621ce6acbc25484a5c1fe5795549\download\BIT1B.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\ae3d490425aaa34e68bc42b8e5ff4f4f\download\BIT1C.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\af10ad1ba106dbeb814878bb0bf7578f\download\BIT21.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\b75a3f1ceb9b6c91137c6b793414016f\download\BIT22.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f22add2045a3492be9416ce8033af4ea\download\BIT1D.tmp
C:\WINDOWS\system32\mlnmp.tmp
C:\WINDOWS\system32\vyadd.tmp

Finished

Rustbfix Report:


************************* Rustock.b-fix -- By ejvindh *************************
Mon 03/26/2007 17:46:22.93

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

Catchme Report:


catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack\WB5E.F.R.I-C\Stardock WindowBlinds 5 Enhanced.Final.Retail.Incl-Crack+VistaXP.Skin\VistaXP Theme\VistaXP_WB\Extras\Horizontal ShellStyle\SHELLS~1.DLL 139264 bytes
C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack\WB5E.F.R.I-C\Stardock WindowBlinds 5 Enhanced.Final.Retail.Incl-Crack+VistaXP.Skin\VistaXP Theme\VistaXP_WB\Extras\Horizontal ShellStyle\SHELLS~2.DLL 139264 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2

I need help deleting these two files. I don't know how they got there.

Updated Hijack This log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:47:45 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\QuickTime\qttask.exe
F:\Programs\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
F:\Downloads\Install\Security\Hijack This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehelper.net/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fuko] C:\PROGRA~1\COMMON~1\fuko\fukom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ldc] "C:\Documents and Settings\LocalService\My Documents\?ystem\m?dtc.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FF1E172.exe] C:\WINDOWS\TEMP\_A00FF1E172.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150149836514
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\System32\netdde.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 9116 bytes
AndyManchesta
I'll check the logs over now. Can you also run Combofix, run the command to export the reg key to a text file and have the files mentioned scanned at VirusTotal?

Cheers
AndyManchesta
Complete the rest of the steps from the first post, then set Windows to show hidden files and extensions.

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading, select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide extensions for known file types" option.

Click Yes to confirm, then OK.

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

Run Hijack This and choose Do A System Scan, then place a check next to these entries:

O4 - HKUS\S-1-5-18\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fuko] C:\PROGRA~1\COMMON~1\fuko\fukom.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Ldc] "C:\Documents and Settings\LocalService\My Documents\?ystem\m?dtc.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FF1E172.exe] C:\WINDOWS\TEMP\_A00FF1E172.exe (User 'SYSTEM')
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat

Close all open browser and other windows except for Hijack This and press the Fix Checked button.

Then delete these files:

C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\mlnmp.tmp
C:\WINDOWS\system32\vyadd.tmp
C:\Program Files\Ipwindows <--Folder
C:\Program Files\Common files\fuko <-- Folder

Make sure you set Windows to show extensions first, as there are legitimate files in system32 with the same name: for example, ping.com is bad but ping.exe is genuine, and tracert.com is bad but tracert.exe is legit. So only delete them if they have the .com extension, and don't delete any other .com files from system32 except the ones listed above.

Open HijackThis and click Open the Misc Tools section.

Then click Delete a file on reboot.

In the File Name field, copy and paste this:

C:\WINDOWS\system32\__c003723F.dat

Then click Open.

HijackThis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click No, then repeat the step to delete this file:

c:\windows\system32\ldcore.dll

Click No at the reboot prompt, then repeat for this file:

C:\WINDOWS\System32\netdde.dll

Then allow the system to reboot.

After reboot, run CCleaner to clear out the temp folders.

Regarding these:

C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack\WB5E.F.R.I-C\Stardock WindowBlinds 5 Enhanced.Final.Retail.Incl-Crack+VistaXP.Skin\VistaXP Theme\VistaXP_WB\Extras\Horizontal ShellStyle\SHELLS~1.DLL 139264 bytes
C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack\WB5E.F.R.I-C\Stardock WindowBlinds 5 Enhanced.Final.Retail.Incl-Crack+VistaXP.Skin\VistaXP Theme\VistaXP_WB\Extras\Horizontal ShellStyle\SHELLS~2.DLL 139264 bytes

There's not much we can do with them at the moment, as catchme is showing they are hidden, but you could try to delete this folder if you can see it; if not, we can remove it a bit later when other scanners have been run:

C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack

Please then complete the remaining steps in the first post and these here, then run AVG AntiSpy again, but this time click apply all actions when it's finished, as everything was ignored last time based on the scan log you posted. Once they have been removed, save the log and post it back with the Combofix log, VirusTotal results and a new HijackThis log, then we can continue.

Thanks
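A small triage script for the indicators Andy is reading off the logs in his two posts above (Winlogon Notify entries with missing or non-DLL files, unknown-owner services in system32, SYSTEM Run entries starting from temp or LocalService paths, the unknown Winsock LSP, and the .com files in system32 that shadow ping.exe and friends). This is an added example written for this page, not code from the forum, HijackThis or SDFix; the sample lines are copied from the logs posted above, and the rule set itself is the editor's own starting point, not a complete detection.

```python
# Added example for this thread; the rules below are the editor's assumptions,
# not HijackThis/SDFix logic.  Sample input is copied from the logs posted above.
import re
from dataclasses import dataclass

# HijackThis prints one item per line as "<section> - <body>", e.g.
# "O20 - Winlogon Notify: hggdawu - hggdawu.dll (file missing)".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")

# Windows tools that ship as <name>.exe in system32.  Because .COM precedes
# .EXE in the default PATHEXT, typing "ping" at a cmd prompt runs a planted
# ping.com in the same folder before the genuine ping.exe.
SHADOWED_TOOLS = {"cmd", "ping", "regedit", "tasklist", "tracert", "netstat", "taskkill"}

# Folders a SYSTEM / Default-user Run entry has no business starting files from.
SUSPECT_RUN_DIRS = ("\\temp\\", "\\documents and settings\\localservice\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line):
    """Split a HijackThis line into (section, body); None for non-item lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage_hjt(lines):
    """Return one Finding per line that trips a rule, in log order."""
    findings = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        low = body.lower()
        reason = None
        if section == "O20" and low.startswith("winlogon notify:"):
            # Notify packages are DLLs loaded into winlogon.exe: a missing file is
            # an infection leftover, a .dat is a DLL hiding behind a data extension.
            if "(file missing)" in low:
                reason = "Winlogon Notify entry points at a missing DLL"
            elif not low.endswith(".dll"):
                reason = "Winlogon Notify entry loads a non-.dll file"
        elif section == "O23" and "unknown owner" in low:
            # No vendor string, and the binary is in system32 or already gone.
            if "\\system32\\" in low or "(file missing)" in low:
                reason = "unknown-owner service in system32 or with a missing binary"
        elif section == "O4" and ("(user 'system')" in low or "(user 'default user')" in low):
            if any(d in low for d in SUSPECT_RUN_DIRS):
                reason = "SYSTEM/Default-user Run entry starts a file from a temp or LocalService path"
        elif section == "O10" and low.startswith("unknown file in winsock lsp"):
            reason = "unknown Winsock LSP DLL; identify it (e.g. VirusTotal) before removing"
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


def shadowing_com_files(paths):
    """Return the <tool>.com files in system32 whose name matches a genuine <tool>.exe."""
    hits = []
    for p in paths:
        folder, _, name = p.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if (ext.lower() == "com" and stem.lower() in SHADOWED_TOOLS
                and folder.lower().endswith("\\system32")):
            hits.append(p)
    return hits


# Constructed sample input: lines copied from the HijackThis and SDFix logs above.
SAMPLE_HJT_LINES = [
    r"O20 - Winlogon Notify: hggdawu - hggdawu.dll (file missing)",
    r"O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [A00FF1E172.exe] C:\WINDOWS\TEMP\_A00FF1E172.exe (User 'SYSTEM')",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll",
    "Running processes:",
]
SAMPLE_HIDDEN_FILES = [
    r"C:\WINDOWS\system32\cmd.com",
    r"C:\WINDOWS\system32\ping.com",
    r"C:\WINDOWS\system32\regedit.com",
    r"C:\WINDOWS\system32\tasklist.com",
    r"C:\WINDOWS\system32\tracert.com",
    r"C:\WINDOWS\system32\cygwin1.dll",
    r"C:\WINDOWS\system32\mlnmp.tmp",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    for p in shadowing_com_files(SAMPLE_HIDDEN_FILES):
        print("shadowing .com:", p)
```

The script only flags candidates for a human to check against the vendor paths and VirusTotal results, as Andy does in the thread; a hit is not by itself proof of infection.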
w/e
ComboFix Report:

"Spymercinator" - 07-03-26 20:51:11 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Spymercinator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard111.dat
C:\WINDOWS\keyboard121.dat
C:\WINDOWS\b.exe
C:\WINDOWS\764.exe
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
C:\Program Files\Common Files\{3014E~2
C:\Program Files\Common Files\{3014E~1
C:\Program Files\Common Files\{D014E~2
C:\Program Files\Common Files\{D014E~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\Common Files\CROSOF~1.NET
C:\qoobox\purity\Program Files\Common Files\ECURIT~1
C:\qoobox\purity\Program Files\Common Files\ICROSO~1.NET
C:\qoobox\purity\Program Files\Common Files\MBOLS~1
C:\qoobox\purity\Program Files\Common Files\PPPATC~1
C:\qoobox\purity\WINDOWS\DOBE~1
C:\qoobox\purity\WINDOWS\system32\CURITY~1
C:\qoobox\purity\WINDOWS\system32\SCURIT~1
C:\qoobox\purity\WINDOWS\system32\YMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-26 to 2007-03-26 ))))))))))))))))))))))))))))))))))


2007-03-26 17:46 <DIR> d-------- C:\Rustbfix
2007-03-26 17:39 <DIR> d-------- C:\quarantine
2007-03-26 17:37 <DIR> d-------- C:\WINDOWS\LastGood
2007-03-26 17:15 1,997 --a------ C:\wjeddu.exe
2007-03-26 17:10 3,268 --a------ C:\aciyus.exe
2007-03-26 13:02 <DIR> d-------- C:\Program Files\iPod
2007-03-25 21:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-25 20:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-25 20:05 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-25 20:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-25 16:46 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-03-25 14:20 118,798 --a------ C:\WINDOWS\system32\__c0084136.dat
2007-03-25 14:20 1,234,897 ---hs---- C:\WINDOWS\system32\mlnmp.bak1
2007-03-25 14:08 30,222 --a------ C:\WINDOWS\system32\__c003723F.dat
2007-03-24 19:06 123,972 --a------ C:\WINDOWS\system32\ittqpqrb.dll
2007-03-23 15:06 4,649 --a------ C:\WINDOWS\femlhud.exe
2007-03-22 21:25 614,191 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-03-22 19:17 139,776 --a------ C:\WINDOWS\system32\Djwk16.sys
2007-03-20 17:21 <DIR> d-------- C:\Program Files\Common Files\fuko
2007-03-20 17:11 1,243,216 ---hs---- C:\WINDOWS\system32\mlnmp.ini2
2007-03-20 16:57 9,472 --a------ C:\WINDOWS\bjam.dll
2007-03-20 16:57 27,392 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-03-20 16:57 26,624 --a------ C:\WINDOWS\vxddsk.exe
2007-03-20 16:57 25,088 --a------ C:\WINDOWS\cdsm32.dll
2007-03-20 16:57 22,528 --a------ C:\WINDOWS\system32\wml.exe
2007-03-20 16:57 21,760 --a------ C:\WINDOWS\wml.exe
2007-03-20 16:57 20,224 --a------ C:\WINDOWS\voiceip.dll
2007-03-20 16:57 19,456 --a------ C:\WINDOWS\mssvr.exe
2007-03-20 16:57 16,640 --a------ C:\WINDOWS\mspphe.dll
2007-03-20 16:57 13,312 --a------ C:\WINDOWS\swin32.dll
2007-03-20 16:56 26,880 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-03-20 16:56 25,856 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-03-20 16:56 21,248 --a------ C:\WINDOWS\saiemod.dll
2007-03-20 16:56 17,920 --a------ C:\WINDOWS\2020search.dll
2007-03-20 16:55 12,800 --a------ C:\WINDOWS\system32\user_32.dll
2007-03-20 16:55 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-03-18 18:48 <DIR> d-------- C:\Program Files\EA GAMES
2007-03-16 22:47 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\Apple Computer
2007-03-15 22:54 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\uTorrent
2007-03-15 19:33 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\Sun
2007-03-15 19:31 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\Uniblue
2007-03-15 19:21 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\Adobe
2007-03-15 19:13 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\Acoustica
2007-03-15 19:11 1,167,807 ---hs---- C:\WINDOWS\system32\vyadd.ini2
2007-03-15 18:45 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\Registry Booster
2007-03-15 18:43 <DIR> d-------- C:\DOCUME~1\SPYMER~1\APPLIC~1\Lavasoft
2007-03-13 19:56 4,456,448 --ah----- C:\DOCUME~1\SPYMER~1\NTUSER.DAT
2007-03-13 15:14 4,649 --a------ C:\WINDOWS\fpnmiwpv.exe
2007-03-08 23:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SongbirdVLC


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-26 19:40 -------- d-------- C:\Program Files\warcraft iii
2007-03-26 17:10 -------- d-------- C:\Program Files\quicktime
2007-03-26 12:56 -------- d-------- C:\Program Files\apple software update
2007-03-25 20:05 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-25 17:37 -------- d-------- C:\Program Files\aevita wipe & delete
2007-03-25 14:20 30222 --a------ C:\WINDOWS\system32\__c003723f.dat
2007-03-25 14:20 118798 --a------ C:\WINDOWS\system32\__c0084136.dat
2007-03-23 16:01 -------- d--h----- C:\Program Files\installshield installation information
2007-03-22 21:48 -------- d-------- C:\Program Files\online services
2007-03-17 14:13 1164012 ---hs---- C:\WINDOWS\system32\vyadd.bak1
2007-03-17 14:12 1165103 ---hs---- C:\WINDOWS\system32\vyadd.bak2
2007-03-15 22:45 -------- d-------- C:\Program Files\last.fm
2007-03-15 19:44 -------- d-------- C:\Program Files\windows media connect 2
2007-03-15 19:44 -------- d-------- C:\Program Files\warrock
2007-03-15 19:44 -------- d-------- C:\Program Files\total commander xp
2007-03-15 19:44 -------- d-------- C:\Program Files\powerdvd
2007-03-15 19:44 -------- d-------- C:\Program Files\movie maker
2007-03-15 19:44 -------- d-------- C:\Program Files\matrixmania screensaver
2007-03-15 19:44 -------- d-------- C:\Program Files\linksys wireless-g usb wireless network monitor
2007-03-15 19:44 -------- d-------- C:\Program Files\icondeveloper
2007-03-15 19:15 -------- d-------- C:\Program Files\google
2007-03-11 19:50 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-02-23 19:24 900 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-02-17 19:49 -------- d-------- C:\Program Files\doom 3
2007-02-13 09:52 -------- d-------- C:\Program Files\trillian
2007-02-11 09:45 -------- d-------- C:\Program Files\thief - deadly shadows
2007-02-10 15:39 -------- d-------- C:\Program Files\electronic arts
2007-02-08 20:38 -------- d-------- C:\Program Files\java
2007-02-06 22:05 -------- d-------- C:\Program Files\microsoft games
2007-02-06 15:19 -------- d-------- C:\Program Files\ubisoft
2007-01-31 17:06 -------- d-------- C:\Program Files\worms armageddon
2007-01-31 07:25 -------- d-------- C:\Program Files\high-logic
2007-01-30 07:12 -------- d-------- C:\Program Files\rockstar games
2007-01-25 20:31 184393 --a------ C:\WINDOWS\war3unin.dat
2007-01-23 21:37 394 --a------ C:\WINDOWS\system32\migsvc.exe
2007-01-23 20:46 394 --a------ C:\WINDOWS\system32\mbosvc.exe
2007-01-17 18:30 2829 --a------ C:\WINDOWS\war3unin.pif
2007-01-17 18:30 139264 --a------ C:\WINDOWS\war3unin.exe
2007-01-13 12:23 66560 --a------ C:\WINDOWS\system32\mgosvc.exe
2007-01-10 20:05 987 --a------ C:\WINDOWS\system32\wvmsi.exe
2006-12-28 14:31 3358 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2006-12-27 17:59 601511 --a------ C:\WINDOWS\vaio clock screen saver.exe
2006-12-27 17:59 40960 --a------ C:\WINDOWS\vaio clock screen saver.dll
2006-12-27 17:59 403760 --a------ C:\WINDOWS\vaio clock screen saver.scr
2006-12-27 17:59 18192 --a------ C:\WINDOWS\vaio clock screen saver.dat
2006-12-26 16:06 2560 --a------ C:\WINDOWS\_msrstrt.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Netropa\\Multimedia Keyboard\\MMKeybd.exe"
"EPSON Stylus Photo 820 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0EIC1.EXE /P29 \"EPSON Stylus Photo 820 Series\" /O5 \"LPT1:\" /M \"Stylus Photo 820\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"F:\\Programs\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll C:\WINDOWS\System32\netdde.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\ldcore.dll"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""
"{F57D8DBE-5520-46F3-8A0A-484F4E6F8F71}"=""
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"IconPackager Repair"="{1799460C-0BC8-4865-B9DF-4A36CD703FF0}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"IpWins"="C:\\Program Files\\Ipwindows\\ipwins.exe"
"fuko"="C:\\PROGRA~1\\COMMON~1\\fuko\\fukom.exe"
"Ldc"="\"C:\\Documents and Settings\\LocalService\\My Documents\\?ystem\\m?dtc.exe\""
"A00FF1E172.exe"="C:\\WINDOWS\\TEMP\\_A00FF1E172.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c003723F

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
NetworkService REG_MULTI_SZ DnsCache
rpcss REG_MULTI_SZ RpcSs
imgsvc REG_MULTI_SZ StiSvc
termsvcs REG_MULTI_SZ TermService
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch, TermService
WudfServiceGroup REG_MULTI_SZ WUDFSvc
bthsvcs REG_MULTI_SZ BthServ


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\autoplay.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070326-172431-181
O23 - Service: Remote Public Machine - Unknown owner - C:\WINDOWS\system32\lcyss.exe
backup-20070326-172431-907
O23 - Service: Data System Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
backup-20070326-172431-850
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
backup-20070326-172431-288
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe
backup-20070326-172431-742
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - C:\WINDOWS\system32\tonlmr32.dll (file missing)
backup-20070326-172431-708
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
backup-20070326-172431-294
O23 - Service: Time Service (Time) - Unknown owner - C:\WINDOWS\system32\nlkfev7ozjsbktclv.exe (file missing)
backup-20070326-172431-734
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat
backup-20070326-172431-169
O20 - Winlogon Notify: yaywxut - yaywxut.dll (file missing)
backup-20070326-172431-273
O20 - Winlogon Notify: yayayvs - yayayvs.dll (file missing)
backup-20070326-172431-149
O20 - Winlogon Notify: qomkjgd - qomkjgd.dll (file missing)
backup-20070326-172431-217
O20 - Winlogon Notify: p4reg - p432.dll (file missing)
backup-20070326-172431-255
O20 - Winlogon Notify: hggdawu - hggdawu.dll (file missing)
backup-20070326-172431-235
O20 - Winlogon Notify: ddayv - C:\WINDOWS\system32\ddayv.dll (file missing)
backup-20070326-172431-274
O4 - HKLM\..\RunServices: [nlkfev71527642] C:\WINDOWS\system32\nlkfev71527642.exe
backup-20070326-172431-765
O4 - HKLM\..\RunServices: [dior4f45810081] C:\WINDOWS\system32\dior4f45810081.exe
backup-20070326-172431-960
O4 - HKLM\..\RunServices: [tmbs] C:\WINDOWS\system32\tmbs.exe
backup-20070326-172431-289
O4 - HKLM\..\RunServices: [nlkfev71082637] C:\WINDOWS\system32\nlkfev71082637.exe
backup-20070326-172431-718
O4 - HKLM\..\RunServices: [cjnr4r4418460] C:\WINDOWS\system32\cjnr4r4418460.exe
backup-20070326-172431-343
O4 - HKLM\..\RunServices: [mlsdf8h2228989] C:\WINDOWS\system32\mlsdf8h2228989.exe
backup-20070326-172431-386
O4 - HKLM\..\RunServices: [nlkfev71022872] C:\WINDOWS\system32\nlkfev71022872.exe
backup-20070326-172431-396
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
backup-20070326-172431-475
O4 - HKLM\..\RunServices: [nlkfev71529707] C:\WINDOWS\system32\nlkfev71529707.exe
backup-20070326-172431-571
O4 - HKLM\..\RunServices: [sklrr7y1698808] C:\WINDOWS\system32\sklrr7y1698808.exe
backup-20070326-172431-674
O4 - HKLM\..\RunServices: [cjnr4r46713985] C:\WINDOWS\system32\cjnr4r46713985.exe
backup-20070326-172431-208
O4 - HKLM\..\RunServices: [cjnr4r46381370] C:\WINDOWS\system32\cjnr4r46381370.exe
backup-20070326-172431-176
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
backup-20070326-172431-791
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://89.188.16.10/trafc-2/rfe.php?cmp=nm...mp;lid=http>
backup-20070324-121637-708
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
backup-20070324-121637-886
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
backup-20070324-121637-975
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3014E~2\Bar888.dll (file missing)
backup-20070324-121637-676
O2 - BHO: (no name) - {F57D8DBE-5520-46F3-8A0A-484F4E6F8F71} - C:\WINDOWS\system32\yayayvs.dll
backup-20070324-121637-585
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\bdvgcdyx.dll
backup-20070324-121637-484
O2 - BHO: (no name) - {282CB562-B5BF-494B-9DED-DEC287D5FD22} - C:\WINDOWS\system32\pmnlm.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Uniblue SpyEraser.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack\WB5E.F.R.I-C\Stardock WindowBlinds 5 Enhanced.Final.Retail.Incl-Crack+VistaXP.Skin\VistaXP Theme\VistaXP_WB\Extras\Horizontal ShellStyle\SHELLS~1.DLL 139264 bytes
C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack\WB5E.F.R.I-C\Stardock WindowBlinds 5 Enhanced.Final.Retail.Incl-Crack+VistaXP.Skin\VistaXP Theme\VistaXP_WB\Extras\Horizontal ShellStyle\SHELLS~2.DLL 139264 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2

********************************************************************

Completion time: 07-03-26 20:53:12

AVG Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:29:01 PM 3/29/2007

+ Scan result:



HKU\S-1-5-21-796845957-1177238915-839522115-1006\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Marked for delete on rebootUnkown Error
C:\wjeddu.exe -> Downloader.Small.ehs : Marked for delete on rebootUnkown Error
C:\WINDOWS\system32\Djwk16.sys -> Rootkit.Agent.ea : Marked for delete on rebootUnkown Error
:mozilla.160:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.247realmedia : Marked for delete on rebootUnkown Error
:mozilla.159:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.2o7 : Marked for delete on rebootUnkown Error
:mozilla.59:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.2o7 : Marked for delete on rebootUnkown Error
:mozilla.60:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.2o7 : Marked for delete on rebootUnkown Error
:mozilla.64:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.2o7 : Marked for delete on rebootUnkown Error
:mozilla.65:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.2o7 : Marked for delete on rebootUnkown Error
:mozilla.66:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.2o7 : Marked for delete on rebootUnkown Error
:mozilla.67:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.2o7 : Marked for delete on rebootUnkown Error
:mozilla.263:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adbrite : Marked for delete on rebootUnkown Error
:mozilla.266:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adbrite : Marked for delete on rebootUnkown Error
:mozilla.223:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Addynamix : Marked for delete on rebootUnkown Error
:mozilla.224:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Addynamix : Marked for delete on rebootUnkown Error
:mozilla.242:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adrevolver : Marked for delete on rebootUnkown Error
:mozilla.243:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adrevolver : Marked for delete on rebootUnkown Error
:mozilla.245:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adrevolver : Marked for delete on rebootUnkown Error
:mozilla.246:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adrevolver : Marked for delete on rebootUnkown Error
:mozilla.247:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adrevolver : Marked for delete on rebootUnkown Error
:mozilla.248:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adrevolver : Marked for delete on rebootUnkown Error
:mozilla.249:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adrevolver : Marked for delete on rebootUnkown Error
:mozilla.187:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adtech : Marked for delete on rebootUnkown Error
:mozilla.188:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adtech : Marked for delete on rebootUnkown Error
:mozilla.25:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Advertising : Marked for delete on rebootUnkown Error
:mozilla.28:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Advertising : Marked for delete on rebootUnkown Error
:mozilla.29:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Advertising : Marked for delete on rebootUnkown Error
:mozilla.30:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Advertising : Marked for delete on rebootUnkown Error
:mozilla.32:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Advertising : Marked for delete on rebootUnkown Error
:mozilla.185:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Adviva : Marked for delete on rebootUnkown Error
:mozilla.27:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Atdmt : Marked for delete on rebootUnkown Error
:mozilla.189:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Burstbeacon : Marked for delete on rebootUnkown Error
:mozilla.173:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Burstnet : Marked for delete on rebootUnkown Error
:mozilla.174:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Burstnet : Marked for delete on rebootUnkown Error
:mozilla.175:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Burstnet : Marked for delete on rebootUnkown Error
:mozilla.163:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.164:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.165:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.166:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.167:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.168:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.169:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.170:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.171:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.172:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Casalemedia : Marked for delete on rebootUnkown Error
:mozilla.264:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Clickhype : Marked for delete on rebootUnkown Error
:mozilla.265:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Clickhype : Marked for delete on rebootUnkown Error
:mozilla.529:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Cnn : Marked for delete on rebootUnkown Error
:mozilla.36:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Doubleclick : Marked for delete on rebootUnkown Error
:mozilla.39:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Euroclick : Marked for delete on rebootUnkown Error
:mozilla.41:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Euroclick : Marked for delete on rebootUnkown Error
:mozilla.42:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Euroclick : Marked for delete on rebootUnkown Error
:mozilla.43:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Euroclick : Marked for delete on rebootUnkown Error
:mozilla.148:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Fastclick : Marked for delete on rebootUnkown Error
:mozilla.149:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Fastclick : Marked for delete on rebootUnkown Error
:mozilla.150:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Fastclick : Marked for delete on rebootUnkown Error
:mozilla.151:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Fastclick : Marked for delete on rebootUnkown Error
:mozilla.152:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Fastclick : Marked for delete on rebootUnkown Error
:mozilla.153:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Fastclick : Marked for delete on rebootUnkown Error
:mozilla.220:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Hitbox : Marked for delete on rebootUnkown Error
:mozilla.221:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Hitbox : Marked for delete on rebootUnkown Error
:mozilla.222:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Hitbox : Marked for delete on rebootUnkown Error
:mozilla.208:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Imrworldwide : Marked for delete on rebootUnkown Error
:mozilla.209:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Imrworldwide : Marked for delete on rebootUnkown Error
:mozilla.194:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Intelli-direct : Marked for delete on rebootUnkown Error
:mozilla.70:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Mediaplex : Marked for delete on rebootUnkown Error
:mozilla.71:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Mediaplex : Marked for delete on rebootUnkown Error
:mozilla.325:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Netflame : Marked for delete on rebootUnkown Error
:mozilla.326:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Netflame : Marked for delete on rebootUnkown Error
:mozilla.327:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Netflame : Marked for delete on rebootUnkown Error
:mozilla.195:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Overture : Marked for delete on rebootUnkown Error
:mozilla.20:C:\Documents and Settings\Yuriy Boguslavsky\Application Data\Mozilla\Firefox\Profiles\b1hebmf1.default\cookies.txt -> TrackingCookie.Paypal : Marked for delete on rebootUnkown Error
:mozilla.260:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Paypal : Marked for delete on rebootUnkown Error
:mozilla.31:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Questionmarket : Marked for delete on rebootUnkown Error
:mozilla.33:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Questionmarket : Marked for delete on rebootUnkown Error
:mozilla.34:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Realmedia : Marked for delete on rebootUnkown Error
:mozilla.35:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Realmedia : Marked for delete on rebootUnkown Error
:mozilla.112:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.113:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.114:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.115:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.116:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.117:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.118:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.119:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.120:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.121:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.122:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.123:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.269:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Revsci : Marked for delete on rebootUnkown Error
:mozilla.37:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Ru4 : Marked for delete on rebootUnkown Error
:mozilla.38:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Ru4 : Marked for delete on rebootUnkown Error
:mozilla.40:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Ru4 : Marked for delete on rebootUnkown Error
:mozilla.256:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Statcounter : Marked for delete on rebootUnkown Error
:mozilla.225:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tacoda : Marked for delete on rebootUnkown Error
:mozilla.50:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tacoda : Marked for delete on rebootUnkown Error
:mozilla.51:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tacoda : Marked for delete on rebootUnkown Error
:mozilla.52:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tacoda : Marked for delete on rebootUnkown Error
:mozilla.55:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tacoda : Marked for delete on rebootUnkown Error
:mozilla.56:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tacoda : Marked for delete on rebootUnkown Error
:mozilla.57:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tacoda : Marked for delete on rebootUnkown Error
:mozilla.544:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Toplist : Marked for delete on rebootUnkown Error
:mozilla.147:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tradedoubler : Marked for delete on rebootUnkown Error
:mozilla.100:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.92:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.93:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.94:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.95:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.96:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.97:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.98:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.99:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafficmp : Marked for delete on rebootUnkown Error
:mozilla.311:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Trafic : Marked for delete on rebootUnkown Error
:mozilla.72:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Tribalfusion : Marked for delete on rebootUnkown Error
:mozilla.381:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Webtrends : Marked for delete on rebootUnkown Error
:mozilla.191:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Yadro : Marked for delete on rebootUnkown Error
:mozilla.77:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Yieldmanager : Marked for delete on rebootUnkown Error
:mozilla.78:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Yieldmanager : Marked for delete on rebootUnkown Error
:mozilla.79:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Yieldmanager : Marked for delete on rebootUnkown Error
:mozilla.80:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Yieldmanager : Marked for delete on rebootUnkown Error
:mozilla.81:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Yieldmanager : Marked for delete on rebootUnkown Error
:mozilla.82:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Yieldmanager : Marked for delete on rebootUnkown Error
:mozilla.88:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Zedo : Marked for delete on rebootUnkown Error
:mozilla.89:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Zedo : Marked for delete on rebootUnkown Error
:mozilla.90:C:\Documents and Settings\Spymercinator\Application Data\Mozilla\Firefox\Profiles\46zgx14y.default\cookies.txt -> TrackingCookie.Zedo : Marked for delete on rebootUnkown Error
C:\WINDOWS\system32\user_32.dll -> Trojan.Small : Marked for delete on rebootUnkown Error


::Report end
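The logs above contain several of the persistence mechanisms that make this kind of infection survive a reboot: an extra program appended to the UserInit value, Winlogon Notify packages (which run inside winlogon.exe), RunServices entries, and DLLs listed in AppInit_DLLs (which get injected into every process that loads user32.dll). The following triage script is an added example written for this page; it is not part of the original thread, of HijackThis, or of the other tools named here. The sample lines are copied from the log entries posted above and are embedded inline so the script runs offline; the severity rules are this example's own heuristics, not any tool's classification.

```python
"""Triage persistence entries from a HijackThis log and a registry export.

Added example for this thread (not HijackThis's own logic). The rules are
heuristics: every finding still needs a human to check the file itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the logs posted in this thread,
# plus one benign Run entry (iTunesHelper) as a negative control.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat
O20 - Winlogon Notify: yaywxut - yaywxut.dll (file missing)
O4 - HKLM\..\RunServices: [nlkfev71527642] C:\WINDOWS\system32\nlkfev71527642.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Programs\iTunes\iTunesHelper.exe"
"appinit_dlls"="wbsys.dll C:\WINDOWS\System32\netdde.dll c:\windows\system32\ldcore.dll"
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    rule: str
    evidence: str


USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$", re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
RUNSVC_RE = re.compile(r"^O4 - HKLM\\\.\.\\RunServices: \[([^\]]+)\] (.+)$")
APPINIT_RE = re.compile(r'^"appinit_dlls"="(.*)"$', re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty list if nothing matches)."""
    line = line.strip()
    out: list[Finding] = []
    if m := USERINIT_RE.match(line):
        # Windows runs every program in this comma-separated list at logon;
        # only userinit.exe belongs there.
        for prog in m.group(1).split(","):
            if prog.strip() and _basename(prog) != "userinit.exe":
                out.append(Finding("high", "UserInit hijack: extra program run at every logon", prog.strip()))
    elif m := NOTIFY_RE.match(line):
        name, target = m.groups()
        if "(file missing)" in target:
            out.append(Finding("medium", "orphaned Winlogon Notify entry (file gone, key remains)", f"{name} -> {target}"))
        elif not target.lower().endswith(".dll"):
            out.append(Finding("high", "Winlogon Notify package that is not a .dll", f"{name} -> {target}"))
        else:
            out.append(Finding("review", "Winlogon Notify DLL loaded into winlogon.exe; verify the file", f"{name} -> {target}"))
    elif m := RUNSVC_RE.match(line):
        name, cmd = m.groups()
        # RunServices is a Windows 9x-era key; normal XP installers do not write it.
        out.append(Finding("medium", "RunServices entry (Win9x-era key; unusual on XP)", f"[{name}] {cmd}"))
    elif m := APPINIT_RE.match(line):
        # Every DLL listed here is loaded into each process that loads user32.dll.
        for dll in re.split(r"[\s,]+", m.group(1).strip()):
            if dll:
                out.append(Finding("high", "AppInit_DLLs entry: injected into every process that loads user32.dll", dll))
    return out


def triage(log: str) -> list[Finding]:
    return [f for line in log.splitlines() for f in triage_line(line)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6}  {f.rule}: {f.evidence}")
```

Run against the sample, the script flags the mbti.exe appended to UserInit, the .dat Winlogon Notify package and all three AppInit DLLs as high, the orphaned Notify entry and the RunServices entry as medium, and leaves the iTunesHelper Run entry alone. Because the rules key off the mechanism rather than file names, the same script applies to any HijackThis log, not just this one; a "review" finding is where you would take the file's hash to VirusTotal as AndyManchesta asks below.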
AndyManchesta
Hi w/e

Thanks for the log. I'd still like to get results from VirusTotal for the files I mentioned in the second reply, as one of the files you uploaded replaced iexplore.exe on my system with a modified version; after removing the keylogger it was modified to start, then iexplore.exe wouldn't run, but it's difficult to know if it was able to replace yours until you have it scanned. I'd also like to get the registry export which I mentioned in the second post, but will add that into this reply again. There's lots of work to do as your system is badly infected, so we may as well carry on and then go back to scanning the files a bit later. If you have any questions or problems with any of the steps, please just let me know.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt into your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.


Please download The Avenger by Swandog46 to your Desktop
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all of the text contained in the code box below (making "Files to delete:" the top line) to your Clipboard by highlighting it with the left mouse button and pressing Ctrl+C:

CODE
Files to delete:
C:\aciyus.exe
C:\wjeddu.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\wml.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\2020search.dll
C:\WINDOWS\fpnmiwpv.exe
C:\WINDOWS\femlhud.exe
C:\WINDOWS\system32\MSIXU.DLL
C:\WINDOWS\system32\WER8274.DLL
C:\WINDOWS\system32\pmnlm.dll
C:\WINDOWS\SYSTEM32\p432.dll
C:\WINDOWS\system32\bdvgcdyx.dll
C:\WINDOWS\system32\yayayvs.dll
C:\WINDOWS\system32\ckyfxaey.dll
C:\WINDOWS\system32\ittqpqrb.dll
C:\WINDOWS\system32\tmbs.exe
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\System32\netdde.dll
C:\WINDOWS\system32\mlnmp.tmp
C:\WINDOWS\system32\mlnmp.bak1
C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\migsvc.exe
C:\WINDOWS\system32\mbosvc.exe
C:\WINDOWS\system32\mgosvc.exe
C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\__c003723F.dat
C:\WINDOWS\system32\__c0084136.dat
C:\WINDOWS\system32\RegistryCleanerSetup.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\user_32.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\wvmsi.exe
C:\WINDOWS\TEMP\_A00FF1E172.exe
C:\WINDOWS\system32\Djwk16.sys

Folders to delete:
C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack
C:\Program Files\Ipwindows
C:\PROGRA~1\COMMON~1\fuko
C:\WINDOWS\Qm9yaXMgQm9ndXNsYXZza3k
C:\Program Files\Network Monitor



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your next reply

Go to Start > Run and copy and paste this:

cmd /c regedit /e /a %systemdrive%\regresult.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" && notepad %systemdrive%\regresult.txt

Press OK and it will export a reg key and write it into a text file named regresult.txt. This will then open with Notepad; please copy and paste the contents of that text file back on here.

Finally please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Copy and paste the content of that report into your next reply.

Please then post back the VundoFix log, Avenger log, SmitfraudFix log, registry export and a new HijackThis log.

Thanks
w/e
Sorry, Here are the Virus Total logs. I found that the logs looked kind of messy when I copy/paste them here, so instead I took a screenshot.

iexplore.exe:




firefox.exe:



nwprovau.dll:



CODE
Then delete these files:

C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\mlnmp.tmp
C:\WINDOWS\system32\vyadd.tmp
C:\Program Files\Ipwindows <--Folder
C:\Program Files\Common files\fuko <-- Folder

When you told me to do that, I went into the folder, but the only .com files I could find were these:
(Extensions were showing and hidden files were also visible.)



Now, I will execute the latest instructions. I will post back soon.
w/e
VundoFix Log:


VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 9:56:03 AM 3/31/2007

Listing files found while scanning....

C:\WINDOWS\system32\yayayvs.dll

Beginning removal...

Performing Repairs to the registry.
Done!

Avenger Log:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ruuhrwow

*******************

Script file located at: \??\C:\Program Files\qjxqvqyq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\aciyus.exe deleted successfully.


File C:\wjeddu.exe not found!
Deletion of file C:\wjeddu.exe failed!

Could not process line:
C:\wjeddu.exe
Status: 0xc0000034

File C:\WINDOWS\bjam.dll deleted successfully.
File C:\WINDOWS\vxddsk.exe deleted successfully.
File C:\WINDOWS\cdsm32.dll deleted successfully.
File C:\WINDOWS\wml.exe deleted successfully.
File C:\WINDOWS\voiceip.dll deleted successfully.
File C:\WINDOWS\mssvr.exe deleted successfully.
File C:\WINDOWS\mspphe.dll deleted successfully.
File C:\WINDOWS\swin32.dll deleted successfully.
File C:\WINDOWS\saiemod.dll deleted successfully.
File C:\WINDOWS\2020search.dll deleted successfully.


File C:\WINDOWS\fpnmiwpv.exe not found!
Deletion of file C:\WINDOWS\fpnmiwpv.exe failed!

Could not process line:
C:\WINDOWS\fpnmiwpv.exe
Status: 0xc0000034



File C:\WINDOWS\femlhud.exe not found!
Deletion of file C:\WINDOWS\femlhud.exe failed!

Could not process line:
C:\WINDOWS\femlhud.exe
Status: 0xc0000034

File C:\WINDOWS\system32\MSIXU.DLL deleted successfully.
File C:\WINDOWS\system32\WER8274.DLL deleted successfully.


File C:\WINDOWS\system32\pmnlm.dll not found!
Deletion of file C:\WINDOWS\system32\pmnlm.dll failed!

Could not process line:
C:\WINDOWS\system32\pmnlm.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\p432.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\p432.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\p432.dll
Status: 0xc0000034



File C:\WINDOWS\system32\bdvgcdyx.dll not found!
Deletion of file C:\WINDOWS\system32\bdvgcdyx.dll failed!

Could not process line:
C:\WINDOWS\system32\bdvgcdyx.dll
Status: 0xc0000034



File C:\WINDOWS\system32\yayayvs.dll not found!
Deletion of file C:\WINDOWS\system32\yayayvs.dll failed!

Could not process line:
C:\WINDOWS\system32\yayayvs.dll
Status: 0xc0000034



File C:\WINDOWS\system32\ckyfxaey.dll not found!
Deletion of file C:\WINDOWS\system32\ckyfxaey.dll failed!

Could not process line:
C:\WINDOWS\system32\ckyfxaey.dll
Status: 0xc0000034



File C:\WINDOWS\system32\ittqpqrb.dll not found!
Deletion of file C:\WINDOWS\system32\ittqpqrb.dll failed!

Could not process line:
C:\WINDOWS\system32\ittqpqrb.dll
Status: 0xc0000034

File C:\WINDOWS\system32\tmbs.exe deleted successfully.


File C:\WINDOWS\system32\ldcore.dll not found!
Deletion of file C:\WINDOWS\system32\ldcore.dll failed!

Could not process line:
C:\WINDOWS\system32\ldcore.dll
Status: 0xc0000034



File C:\WINDOWS\System32\netdde.dll not found!
Deletion of file C:\WINDOWS\System32\netdde.dll failed!

Could not process line:
C:\WINDOWS\System32\netdde.dll
Status: 0xc0000034

File C:\WINDOWS\system32\mlnmp.tmp deleted successfully.
File C:\WINDOWS\system32\mlnmp.bak1 deleted successfully.
File C:\WINDOWS\system32\mlnmp.ini2 deleted successfully.
File C:\WINDOWS\system32\migsvc.exe deleted successfully.
File C:\WINDOWS\system32\mbosvc.exe deleted successfully.
File C:\WINDOWS\system32\mgosvc.exe deleted successfully.
File C:\WINDOWS\system32\vyadd.tmp deleted successfully.
File C:\WINDOWS\system32\vyadd.ini2 deleted successfully.
File C:\WINDOWS\system32\vyadd.bak1 deleted successfully.
File C:\WINDOWS\system32\vyadd.bak2 deleted successfully.


File C:\WINDOWS\system32\__c003723F.dat not found!
Deletion of file C:\WINDOWS\system32\__c003723F.dat failed!

Could not process line:
C:\WINDOWS\system32\__c003723F.dat
Status: 0xc0000034

File C:\WINDOWS\system32\__c0084136.dat deleted successfully.
File C:\WINDOWS\system32\RegistryCleanerSetup.exe deleted successfully.
File C:\WINDOWS\system32\vxddsk.exe deleted successfully.
File C:\WINDOWS\system32\wml.exe deleted successfully.


File C:\WINDOWS\system32\user_32.dll not found!
Deletion of file C:\WINDOWS\system32\user_32.dll failed!

Could not process line:
C:\WINDOWS\system32\user_32.dll
Status: 0xc0000034

File C:\WINDOWS\system32\gtv_sd.bin deleted successfully.
File C:\WINDOWS\system32\wvmsi.exe deleted successfully.


File C:\WINDOWS\TEMP\_A00FF1E172.exe not found!
Deletion of file C:\WINDOWS\TEMP\_A00FF1E172.exe failed!

Could not process line:
C:\WINDOWS\TEMP\_A00FF1E172.exe
Status: 0xc0000034



File C:\WINDOWS\system32\Djwk16.sys not found!
Deletion of file C:\WINDOWS\system32\Djwk16.sys failed!

Could not process line:
C:\WINDOWS\system32\Djwk16.sys
Status: 0xc0000034

Folder C:\Boris Boguslavsky\Downloads\Install\Customization\Object Desktop\WindowBlinds\Window Blinds 5 Vista Theme Crack + WB5 + Crack deleted successfully.


Folder C:\Program Files\Ipwindows not found!
Deletion of folder C:\Program Files\Ipwindows failed!

Could not process line:
C:\Program Files\Ipwindows
Status: 0xc0000034

Folder C:\PROGRA~1\COMMON~1\fuko deleted successfully.
Folder C:\WINDOWS\Qm9yaXMgQm9ndXNsYXZza3k deleted successfully.


Folder C:\Program Files\Network Monitor not found!
Deletion of folder C:\Program Files\Network Monitor failed!

Could not process line:
C:\Program Files\Network Monitor
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

SmitFraudFix Log:

SmitFraudFix v2.162

Scan done at 10:18:18.56, Sat 03/31/2007
Run from C:\Documents and Settings\Spymercinator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spymercinator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Spymercinator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SPYMER~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll C:\\WINDOWS\\System32\\netdde.dll C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL c:\\windows\\system32\\ldcore.dll"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Linksys Wireless-G USB Network Adapter - Packet Scheduler Miniport
DNS Server Search Order: 68.87.72.130
DNS Server Search Order: 68.87.77.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{34972676-7A6A-4D95-BBFC-20891BEDB8E7}: NameServer=68.87.72.130,68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{34972676-7A6A-4D95-BBFC-20891BEDB8E7}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B177810D-F9ED-4BA0-A281-AA352EF0E78A}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78}: DhcpNameServer=192.168.10.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Regresult Log:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll C:\\WINDOWS\\System32\\netdde.dll C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL c:\\windows\\system32\\ldcore.dll"
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
"LoadAppInit_DLLs"=dword:00000001

Updated Hijack This Log:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:20:21 AM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Spymercinator\Start Menu\Security\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehelper.net/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150149836514
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34972676-7A6A-4D95-BBFC-20891BEDB8E7}: NameServer = 68.87.72.130,68.87.77.130
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\System32\netdde.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8500 bytes
AndyManchesta
Thanks w/e,

It's great to see it didn't add the info stealer on your system. That's the thing with backdoor trojans: you can never predict how they will act, as they can change the commands at any time. I got a nasty bundle from the file you uploaded, but it's nice to see that wasn't added to yours. Regarding the .com files, you can ignore that part now as ComboFix removed them when it was used.

I'll wait for the latest results from the last post, then we can see how things look.

EDIT: You posted them as I was typing. I'll check them over and reply again.

Cheers

Andy
AndyManchesta
Great Work w/e,

That's looking so much better.

You can delete VundoFix, SmitfraudFix, SDFix and RustbFix; just keep ComboFix for now in case we need it again. You should delete SDFix as it contains backups of the trojan files it removed inside its folder.

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O20 - Winlogon Notify: __c003723F - C:\WINDOWS\system32\__c003723F.dat (file missing)

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Open Notepad (Start Menu > Run > type notepad and press OK), then copy and paste the contents of the code box into Notepad, making REGEDIT4 the top line.
CODE
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"


Go to File on the top bar of Notepad and choose Save As. In the Save As Type area change it to All Files, then name it fix.reg and save it to your desktop. Double-click fix.reg (or right-click and choose Merge) and allow it to be merged into the registry, which will modify the AppInit_DLLs entry to remove the trojan entries.

Next generate a report of the Add/Remove screen entries:
Open Hijackthis, and click the Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
Finally please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please then post back the Dr.Web results, Kaspersky results, uninstall list and a new HijackThis log.

Cheers
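As an added example (not from this thread, and not part of any of the tools used in it), here is a Python script that does what the manual fix.reg step above does, but in a checkable way: it parses a REGEDIT4 export of the Windows key, splits AppInit_DLLs into its individual entries, flags every entry that is not on an allowlist, and writes a cleaned REGEDIT4 fragment containing only the kept entries. The sample export is constructed to mirror the regresult.txt posted earlier; the allowlist (the two entries the helper kept) and all function names are assumptions of this example.

```python
"""Audit and rewrite the AppInit_DLLs value from a REGEDIT4 export.

Added example for this thread, not a tool the helper used. AppInit_DLLs is a
persistence point: every DLL listed there is loaded into every process that
loads user32.dll, so unexpected entries deserve a close look.
"""
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed sample: same shape as the regresult.txt export posted in the thread.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="wbsys.dll C:\\WINDOWS\\System32\\netdde.dll C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL c:\\windows\\system32\\ldcore.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

# Assumed allowlist: the two entries the helper kept when rewriting the value.
# Stored lower-case because registry data paths are compared case-insensitively.
KNOWN_GOOD = {"wbsys.dll", r"c:\progra~1\google\google~2\goec62~1.dll"}

# "Name"=data ; the name may contain \" and \\ escapes
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo REGEDIT4 escaping: a backslash quotes the character after it."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_export(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4/5 export.

    String data is unescaped; dword data is returned as an int. Other value
    types are returned as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group("name")), m.group("data")
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys


def split_appinit(value):
    """AppInit_DLLs entries are separated by spaces or commas."""
    return [e for e in re.split(r"[ ,]+", value) if e]


def audit_appinit(export_text, known_good=KNOWN_GOOD):
    """Classify each AppInit_DLLs entry; returns (kept, flagged, load_enabled)."""
    values = parse_export(export_text).get(KEY, {})
    entries = split_appinit(values.get("AppInit_DLLs", ""))
    kept = [e for e in entries if e.lower() in known_good]
    flagged = [e for e in entries if e.lower() not in known_good]
    return kept, flagged, values.get("LoadAppInit_DLLs", 0) == 1


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def cleaned_reg(kept):
    """REGEDIT4 fragment that writes only the kept entries back (like fix.reg)."""
    return 'REGEDIT4\n\n[%s]\n"AppInit_DLLs"="%s"\n' % (KEY, _escape(" ".join(kept)))


if __name__ == "__main__":
    kept, flagged, enabled = audit_appinit(SAMPLE_EXPORT)
    print("LoadAppInit_DLLs enabled:", enabled)
    for e in flagged:
        print("FLAGGED (not on allowlist):", e)
    print(cleaned_reg(kept))
```

On the sample export the two flagged entries are netdde.dll and ldcore.dll, and the generated fragment is the same value the helper's fix.reg writes.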
w/e
Arghh. It's taking forever. Probably since I have 2 hard drives. It's been running for an hour and ten minutes and it's only 13 percent done.
EDIT: Only 2 percent to go.
w/e
Ok, here we go:

Dr.Web CureIt Log:

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.7.1;Probably BACKDOOR.Trojan;;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

Kaspersky Log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 31, 2007 7:04:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/03/2007
Kaspersky Anti-Virus database records: 289471
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 163312
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:29:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_BORIS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_BORIS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\f54ebfb5331a78746084de3466601ccc_a01843b4-618a-470d-8376-a41042ef547f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070331_Time-161839203_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070331_Time-161839203_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Spymercinator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\History\History.IE5\MSHist012007033120070401\index.dat Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\Temp\alm.log Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\Temp\amt.log Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\Temp\Photoshop Temp709501208 Object is locked skipped
C:\Documents and Settings\Spymercinator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Spymercinator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Spymercinator\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\browser.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{22801585-5516-4E05-8A16-D95D0902EB5A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Uninstall List:

Ad-Aware SE Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer 1.1
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS
Adobe Photoshop CS2
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 7.0.9
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AdwareFilter
Amadis DVD to iPod Converter V1.2.5
Amadis iPod/PSP/3GP/MP4/AVI Video Converter V1.0.1
Apple Software Update
Autodesk DWF Viewer
AVG Anti-Spyware 7.5
Battlefield 2: Deluxe Edition
Battlefield 2142
CCleaner (remove only)
Chessmaster 10th Edition
CorelDRAW Graphics Suite X3
Doom 3
DOOM 3: Resurrection of Evil
eMule Plus 1.2b
EN
EPSON Printer Software
Far Cry
FEAR
FEAR Extraction Point
FEARCombat
Flash Decompiler
FontCreator 5.5
FontNav
GlowingWorld 3.1
Google Talk (remove only)
GTA San Andreas
Half-Life
HijackThis 2.0.0
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IconDeveloper Professional
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Lavasoft Reghance 2.1
Linksys Wireless-G USB Network Adapter
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
MainType 2.0
MatrixMania Screensaver
McAfee VirusScan Enterprise
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft XML Parser and SDK
Mozilla Firefox (2.0.0.3)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB927977)
Nero 6 Ultra Edition
NVIDIA Drivers
PowerDVD
PowerISO
QuickTime
Realtek AC'97 Audio
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Smart Office Keyboard
SnagIt 8
SpeechRedist
Star Wars Battlefront II
Star Wars Republic Commando
SUPERAntiSpyware Free Edition
Thief - Deadly Shadows
Tom Clancy's Splinter Cell Chaos Theory
Total Commander 6.03a XP
Trillian
Tweak-SE plug-in for Ad-Aware SE
Unreal Tournament 2004
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Update Manager
UT2004 Editor's Choice Edition Mod Installer
VBA
WarRock
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Xfire (remove only)
Zune Desktop Theme

Updated Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:06:26 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Spymercinator\Start Menu\Security\Hijack This\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehelper.net/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150149836514
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34972676-7A6A-4D95-BBFC-20891BEDB8E7}: NameServer = 68.87.72.130,68.87.77.130
O20 - AppInit_DLLs: wbsys.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 8201 bytes

Also, can I delete the registry entry I made in Notepad from my desktop?
AndyManchesta
Hi w/e

Looking good :)

Yes, you can delete the regfix we made. Also delete the C:\Avenger folder and Dr.Web's CureIt, then go to your Add/Remove screen (Start > Control Panel > Add or Remove Programs) and remove these:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6


Leave J2SE Runtime Environment 5.0 Update 11 on the system. It's common for it to leave older versions behind when it updates, and they can take up a lot of space, so we are just removing the older versions that have been left behind, as they are of no use to you.

Remove the HijackThis backups, as they are not needed: open HijackThis, click Open the Misc Tools section, click Backups, click Delete All, then click Yes at the prompt.


Check that your antivirus software is working OK with the link below. This is a harmless test file, but all antivirus software should detect and block it when you attempt to download it:

http://www.eicar.org/download/eicar.com

Click the link and try to save the file to your desktop. You should then be alerted by your antivirus program that it has detected the EICAR test string. If it does, then it's fine and your AV is working correctly; just make sure the AV is updating fine, as I want to be sure it's not been damaged by the infections. If it doesn't detect the file and you're able to download it, let us know.

Finally, run a couple of rootkit scanners to make sure there is nothing hidden on your system.

Download GMER from Here
Unzip it and start GMER.exe. Click the Rootkit tab and click Scan.
Once done, click the Copy button. This will copy the results to clipboard.
You can then right-click into a Notepad file, or straight back on here, and choose Paste to post the results back.

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.

Cheers

Andy
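Andy's last step asks for a GMER rootkit scan and its pasted output. Reading that output by hand gets tedious once every process shows the same dozen inline hooks, so here is a small triage script for GMER's text log. It is an added example for this thread, not part of the thread itself and not code from GMER: it parses the SSDT and ".text ... 5 Bytes JMP" lines, groups every hook by the module GMER says owns the hook target, and flags two things a practitioner cares about, hook targets GMER could not attribute to any module (it printed only an address), and owners that are not on an allowlist. The sample lines are copied from the GMER log w/e posts in this thread; the allowlist, and the product attributions in it (EntApi.dll as McAfee VirusScan Enterprise's buffer overflow protection, guard.sys as AVG Anti-Spyware's resident guard, sptd.sys as the Duplex Secure driver installed by Alcohol 120% / DAEMON Tools), are assumptions about this particular machine, not rules GMER applies.

```python
"""Triage a GMER rootkit-scan log in the text format posted in this thread.

Groups SSDT and inline (".text ... 5 Bytes JMP") hooks by the module that
owns the hook target, then flags hooks GMER could not attribute to any
module and owners missing from a per-machine allowlist. The allowlist is
an assumption about this machine's installed software, not a GMER rule.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT 86794109 ZwCreateThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess

---- Kernel code sections - GMER 1.0.12 ----

.text USBPORT.SYS!DllUnload F625762C 5 Bytes JMP 874351C8

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
"""

# Allowlist for THIS machine (assumption): software seen in the thread's
# process and uninstall lists that is known to install these hooks.
KNOWN_OWNERS = {
    "entapi.dll": "McAfee VirusScan Enterprise buffer overflow protection",
    "guard.sys": "AVG Anti-Spyware 7.5 resident guard",
    "sptd.sys": "Duplex Secure SPTD driver used by Alcohol 120% / DAEMON Tools",
}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)$")
INLINE_RE = re.compile(
    r"^\.text\s+(?:(?P<process>.+?)\[(?P<pid>\d+)\]\s+)?"   # process[pid]: user mode only
    r"(?P<module>\S+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+(?P<kind>\w+)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S.*))?$"                              # owning module, if GMER resolved one
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_gmer(text):
    """Split a GMER log into hook records keyed by section: ssdt, kernel, user."""
    report = {"ssdt": [], "kernel": [], "user": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                report["ssdt"].append({"func": m["func"], "owner": m["owner"]})
        elif section and section.endswith("code sections"):
            m = INLINE_RE.match(line)
            if m:
                key = "user" if section.startswith("User") else "kernel"
                report[key].append(m.groupdict())
    return report


def owner_name(owner):
    """Normalise a hook owner to a lower-case file name. Returns None when GMER
    printed only a raw address (or nothing): the target is not inside any module
    it could identify, which is the case that deserves a second look."""
    if not owner or HEX_RE.match(owner):
        return None
    return owner.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(report, known=KNOWN_OWNERS):
    """Return (by_owner, findings): by_owner maps each owner to the sorted list of
    functions it hooks; findings lists hooks that need manual follow-up."""
    by_owner = defaultdict(set)
    findings = []
    for section in ("ssdt", "kernel", "user"):
        for rec in report[section]:
            name = owner_name(rec.get("owner"))
            api = rec["func"] if section == "ssdt" else f"{rec['module']}!{rec['func']}"
            by_owner[name or "<unattributed>"].add(api)
            where = f"{rec['process']}[{rec['pid']}] {api}" if rec.get("process") else api
            if name is None:
                target = rec.get("target") or rec.get("owner")
                findings.append(f"{section}: {where} -> {target}: target not inside any "
                                "known module; confirm with a second rootkit scanner")
            elif name not in known:
                findings.append(f"{section}: {where} hooked by {name}: not on the allowlist")
    return {k: sorted(v) for k, v in by_owner.items()}, findings


if __name__ == "__main__":
    by_owner, findings = triage(parse_gmer(SAMPLE_LOG))
    for owner, apis in sorted(by_owner.items()):
        print(f"{owner:16} {KNOWN_OWNERS.get(owner, 'UNKNOWN'):60} {', '.join(apis)}")
    print("\nNeeds a look:" if findings else "\nNothing unattributed or unknown.")
    for finding in findings:
        print(" ", finding)
```

On the posted log this collapses the long run of identical EntApi.dll hooks in svchost.exe, FrameworkService.exe, naPrdMgr.exe, services.exe and lsass.exe into one allowlisted owner, and leaves two lines for a human: the SSDT entry for ZwCreateThread that points at a bare address (86794109) rather than a driver, and the inline JMP in USBPORT.SYS with no owning module. Both may well be benign, but they are exactly what the follow-up Blacklight scan Andy asks for is meant to cross-check. Feed a different machine's log in and adjust KNOWN_OWNERS to what is actually installed there; the allowlist is the only part that is machine-specific.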
w/e
OK, here it is:

GMER Log:

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-01 10:41:46
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT sptd.sys ZwCreateKey
SSDT 86794109 ZwCreateThread
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F625762C 5 Bytes JMP 874351C8

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[504] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\FrameworkService.exe[820] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe[924] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\services.exe[1144] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\lsass.exe[1156] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1312] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1372] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1488] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1544] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1608] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\system32\svchost.exe[1624] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 3700737C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 3700733E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 370074F0 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 37007436 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 370074B2 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 370073F8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!PeekNamedPipe 7C85F90F 5 Bytes JMP 370073BA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 37007474 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 3700752E C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WININET.dll!InternetReadFile 771CABAC 5 Bytes JMP 3700779A C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WININET.dll!InternetOpenA 771CC859 5 Bytes JMP 37007816 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WININET.dll!InternetOpenUrlA 771D06CD 5 Bytes JMP 370077D8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WS2_32.dll!select 71AB2DC0 5 Bytes JMP 37007626 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 3700756C C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WS2_32.dll!bind 71AB3E00 5 Bytes JMP 370075E8 C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WS2_32.dll!send 71AB428A 5 Bytes JMP 370075AA C:\WINDOWS\system32\EntApi.dll
.text C:\WINDOWS\explorer.exe[3792] WS2_32.dll!recv 71AB615A 5 Bytes JMP 37007664 C:\WINDOWS\system32\EntApi.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 8754D1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 8754D1E8
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CREATE 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLOSE 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_WRITE 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_INFORMATION 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_INFORMATION 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_EA 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_EA 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FLUSH_BUFFERS 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_QUERY_VOLUME_INFORMATION 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SET_VOLUME_INFORMATION 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DIRECTORY_CONTROL 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_FILE_SYSTEM_CONTROL 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_DEVICE_CONTROL 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_SHUTDOWN 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_LOCK_CONTROL 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_CLEANUP 867B4328
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_PNP 867B4328
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_CREATE 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_CLOSE 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_READ 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_WRITE 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_QUERY_INFORMATION 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_SET_INFORMATION 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_QUERY_VOLUME_INFORMATION 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DIRECTORY_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_DEVICE_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_LOCK_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_CLEANUP 866E36C0
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_PNP 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_CREATE 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_CLOSE 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_READ 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_WRITE 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_QUERY_INFORMATION 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_SET_INFORMATION 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_QUERY_VOLUME_INFORMATION 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DIRECTORY_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_DEVICE_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_LOCK_CONTROL 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_CLEANUP 866E36C0
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_PNP 866E36C0
Device \Driver\USBSTOR \Device00008f IRP_MJ_CREATE 872473F0
Device \Driver\USBSTOR \Device00008f IRP_MJ_CLOSE 872473F0
Device \Driver\USBSTOR \Device00008f IRP_MJ_READ 872473F0
Device \Driver\USBSTOR \Device00008f IRP_MJ_WRITE 872473F0
Device \Driver\USBSTOR \Device00008f IRP_MJ_DEVICE_CONTROL 872473F0
Device \Driver\USBSTOR \Device00008f IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \Driver\USBSTOR \Device00008f IRP_MJ_POWER 872473F0
Device \Driver\USBSTOR \Device00008f IRP_MJ_SYSTEM_CONTROL 872473F0
Device \Driver\USBSTOR \Device00008f IRP_MJ_PNP 872473F0
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EFBE085A] avgtdi.sys
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 8750F1E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 8750F1E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 8750F1E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 8750F1E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CREATE 8750F1E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CLOSE 8750F1E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_POWER 8750F1E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_PNP 8750F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 8754F1E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 8754F1E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CREATE 875101E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CLOSE 875101E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 875101E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 875101E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_POWER 875101E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 875101E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_PNP 875101E8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EFBE085A] avgtdi.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_PNP 875BF1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 8738C1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8738C1E8
Device \Driver\nvatabus \Device000080 IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \Driver\nvatabus \Device000081 IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 8683C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 8683C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 8683C980
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 8683C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 8683C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 8683C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 8683C980
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 8683C980
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EFBE085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EFBE085A] avgtdi.sys
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CREATE 8750F1E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CLOSE 8750F1E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_POWER 8750F1E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_PNP 8750F1E8
Device \Driver\nvatabus \Device\NvAta0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_CREATE 8750F1E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_CLOSE 8750F1E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_POWER 8750F1E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 8750F1E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_PNP 8750F1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{34972676-7A6A-4D95-BBFC-20891BEDB8E7} IRP_MJ_CREATE 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{34972676-7A6A-4D95-BBFC-20891BEDB8E7} IRP_MJ_CLOSE 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{34972676-7A6A-4D95-BBFC-20891BEDB8E7} IRP_MJ_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{34972676-7A6A-4D95-BBFC-20891BEDB8E7} IRP_MJ_INTERNAL_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{34972676-7A6A-4D95-BBFC-20891BEDB8E7} IRP_MJ_CLEANUP 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{34972676-7A6A-4D95-BBFC-20891BEDB8E7} IRP_MJ_PNP 8683C980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 8673E490
Device \Driver\nvatabus \Device\NvAta1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EFBE085A] avgtdi.sys
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_CREATE 875101E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_CLOSE 875101E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 875101E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 875101E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_POWER 875101E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 875101E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_PNP 875101E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78} IRP_MJ_CREATE 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78} IRP_MJ_CLOSE 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78} IRP_MJ_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78} IRP_MJ_INTERNAL_DEVICE_CONTROL 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78} IRP_MJ_CLEANUP 8683C980
Device \Driver\NetBT \Device\NetBT_Tcpip_{DF0AA5B2-902B-4F8C-BEEA-C7B185FB1F78} IRP_MJ_PNP 8683C980
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 8673E490
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 8673E490
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 875BF1E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 875BF1E8
Device \Driver\USBSTOR \Device00008c IRP_MJ_CREATE 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_CLOSE 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_READ 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_WRITE 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_DEVICE_CONTROL 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \Driver\USBSTOR \Device00008c IRP_MJ_POWER 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_SYSTEM_CONTROL 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_PNP 872473F0
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP 867B4328
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP 867B4328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 867B8328
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 867B8328

---- EOF - GMER 1.0.12 ----

Blacklight Log:

04/01/07 10:42:15 [Info]: BlackLight Engine 1.0.61 initialized
04/01/07 10:42:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/01/07 10:42:15 [Note]: 7019 4
04/01/07 10:42:15 [Note]: 7005 0
04/01/07 10:42:17 [Note]: 7006 0
04/01/07 10:42:17 [Note]: 7011 3792
04/01/07 10:42:18 [Note]: 7026 0
04/01/07 10:42:18 [Note]: 7026 0
04/01/07 10:42:19 [Note]: FSRAW library version 1.7.1021
04/01/07 10:50:52 [Note]: 7007 0

I deleted the Old JACA updates and the file you told me to download was blocked by AVG Anti-Virus.

Here is an updated Hijack This log if you need it:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:53:57 AM, on 4/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Spymercinator\Start Menu\Security\Hijack This\Hijack This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thehelper.net/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150149836514
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34972676-7A6A-4D95-BBFC-20891BEDB8E7}: NameServer = 68.87.72.130,68.87.77.130
O20 - AppInit_DLLs: wbsys.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 9066 bytes
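The GMER "Device" table above is read column by column: driver object, device object, IRP major function, and the dispatch handler. A bare hex value is the driver's own dispatch address; the form "[address] module.sys" is GMER attributing that dispatch slot to a different module, i.e. a hooked IRP handler. In this log the only hooking modules are sfsync02.sys (a StarForce copy-protection driver, consistent with the Alcohol 120% install seen earlier in the thread) and avgtdi.sys (AVG's TDI network filter), which is why they explain themselves rather than pointing at a rootkit. The script below is an added example, not part of the original thread or of GMER: it parses such lines, groups the hooked slots by module, and reports any hooking module that is not on an analyst-supplied allow-list. The sample lines are constructed from the table above, and the allow-list contents are an assumption for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the "Device" hook table in the GMER log above.
# A bare hex value is the driver's own dispatch address; "[addr] module.sys" is
# GMER's way of saying the dispatch entry now points into a different module.
SAMPLE_GMER = r"""
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 8738C1E8
Device \Driver\nvatabus \Device000080 IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EFBE085A] avgtdi.sys
Device \Driver\USBSTOR \Device00008c IRP_MJ_READ 872473F0
Device \Driver\USBSTOR \Device00008c IRP_MJ_INTERNAL_DEVICE_CONTROL [F77ECD60] sfsync02.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 867B4328
"""

HOOK_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>IRP_MJ_\w+)\s+"
    r"(?:\[(?P<hooked>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<native>[0-9A-Fa-f]+))\s*$"
)


def parse_device_hooks(text):
    """Return one dict per Device line; 'module' is None when the handler is native."""
    entries = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # blank lines and the EOF marker are skipped
        entries.append({
            "driver": m.group("driver"),
            "device": m.group("device"),
            "irp": m.group("irp"),
            "handler": int(m.group("hooked") or m.group("native"), 16),
            "module": m.group("module"),
        })
    return entries


def summarize_hooks(entries):
    """Map each hooking module to the sorted list of (driver, IRP) dispatch slots it owns."""
    by_module = defaultdict(set)
    for e in entries:
        if e["module"]:
            by_module[e["module"]].add((e["driver"], e["irp"]))
    return {mod: sorted(slots) for mod, slots in by_module.items()}


def unexpected_hooks(entries, known_modules):
    """Hooked entries whose module is not on the analyst's allow-list (case-insensitive)."""
    known = {k.lower() for k in known_modules}
    return [e for e in entries if e["module"] and e["module"].lower() not in known]


if __name__ == "__main__":
    hooks = parse_device_hooks(SAMPLE_GMER)
    for mod, slots in summarize_hooks(hooks).items():
        print(mod, "->", ", ".join(f"{d} {i}" for d, i in slots))
    # Assumed allow-list: AVG's TDI filter is explained by the installed AV; review the rest.
    for e in unexpected_hooks(hooks, {"avgtdi.sys"}):
        print("REVIEW:", e["driver"], e["irp"], "->", e["module"])
```

On a real log, feed the whole GMER output to parse_device_hooks and put every module you can tie to installed software on the allow-list; what remains is the short list worth checking by file path, signature and vendor.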

AndyManchesta

Thanks,

You should avoid having more than one Antivirus program installed, as they can use a lot of system resources and, if they conflict with each other, they can cause crashes and make the system a lot less secure. As you have McAfee and AVG installed, you should consider uninstalling one of them so there is only one Antivirus program installed and providing real-time protection.

Apart from that it's looking good, how are things running now?

Andy
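Andy's read of the HijackThis log (two antivirus products with real-time components, leftover services whose files are missing, otherwise clean) is the kind of pass that can be scripted. The following is an added example, not part of the thread or of HijackThis: it splits the log into its O-sections, flags the load points that deserve a look regardless of content (O10 Winsock LSP, O17 DNS override, O20 AppInit_DLLs and Winlogon Notify), flags O23 services with "(file missing)" or "Unknown owner", and counts how many antivirus vendors still have a service present. The sample lines are constructed from the log above; the AV_VENDORS keyword table and the finding category names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on lines from the HijackThis log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{34972676-7A6A-4D95-BBFC-20891BEDB8E7}: NameServer = 68.87.72.130,68.87.77.130
O20 - AppInit_DLLs: wbsys.dll C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
"""

# Every HijackThis entry starts with its section code followed by " - ".
LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")

# Load points worth reviewing whatever they contain: they run in many processes,
# at logon, or sit in the network path of every socket.
HIGH_IMPACT = {
    "O10": "Winsock LSP: in the data path of every socket",
    "O17": "DNS NameServer override: confirm the addresses belong to your ISP",
    "O20": "AppInit_DLLs / Winlogon Notify: loaded into many processes or at logon",
}

# Assumed vendor keyword table for spotting more than one antivirus product.
AV_VENDORS = {
    "AVG": ("grisoft", "avg"),
    "McAfee": ("mcafee", "network associates"),
}


def parse_hjt(text):
    """Return (section, body) pairs for every entry line; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage_hjt(text):
    """Group entries into findings: orphaned, high_impact, unknown_owner, multiple_av."""
    findings = defaultdict(list)
    av_present = set()
    for section, body in parse_hjt(text):
        missing = "(file missing)" in body
        if missing:
            findings["orphaned"].append(body)  # leftover registration, file already gone
        if section in HIGH_IMPACT:
            findings["high_impact"].append((section, body))
        if section == "O23":
            if "Unknown owner" in body:
                findings["unknown_owner"].append(body)  # no publisher in the binary
            if not missing:  # only services whose binary still exists count as installed
                lower = body.lower()
                for vendor, needles in AV_VENDORS.items():
                    if any(n in lower for n in needles):
                        av_present.add(vendor)
    if len(av_present) > 1:
        findings["multiple_av"] = sorted(av_present)
    return dict(findings)


if __name__ == "__main__":
    for category, items in triage_hjt(SAMPLE_HJT).items():
        print(f"== {category} ==")
        for item in items:
            print("  ", item)
```

The O10 entry here (nwprovau.dll, the NetWare Winsock provider) and the O20 entries (Google's wbsys.dll and SUPERAntiSpyware's logon notifier) are all explained by installed software, which is the point of the high_impact category: it does not say an entry is bad, it says a human must account for it.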
w/e
Everything's working much better. I uninstalled McAfee and kept AVG.
Thanks a lot for helping.
AndyManchesta

If you did remove McAfee, they have a removal tool here that you may also want to run; it makes sure all of its components have been removed and nothing is left on the system.

http://download.mcafee.com/products/licens...atches/MCPR.exe

QUOTE
Double-click MCPR.exe.
Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed. (Do not double-click MCPR.exe again.) The program will begin the cleanup.
Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:

The machine must reboot to complete the un-installation. Reboot now? [y.n]

Press Y on the keyboard.
Wait for the computer to restart.


You can delete any remaining tools we used, such as Combofix, as they are not needed now. I'll add a few steps to help avoid more infections.

Clear your System Restore points now that the machine is clean again

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.

In order to protect yourself against spyware, consider installing and running the following free programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" feature.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
  • Avoid illegal sites like cracks, warez etc., because that's where most malware is present.
  • Don't click on links inside popups, Messenger programs or spam email messages.
  • Download free software only from sites you know and trust.

Please make sure to run your Antivirus software regularly and keep it up-to-date, and also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

Please also read Tony Klein's excellent article: How I got Infected in the First Place

These steps will lower the chances of getting more malware issues but let us know if you have any questions or problems anytime.

Happy Surfing

Andy
w/e
Ok, Thank you. This has seriously improved my computer's performance.
AndyManchesta

You're welcome w/e, I'm glad we could help

Andy


