View Full Version : Please Help Cant get clean!
Everytime I connect to the internet without even opening up a browser my computer gets infected with the same virus:sad:. I clean my computer with SpyBot then Malwarebytes and rescan to make sure it is clean. After I cleaned my computer I think it would be safe to go back online but when I do my computer is infected be all the same files again please help. This virus spead to two other computers but only this one is online. I think that the other computers are also infected but SpyBot and MalwareBytes dont find anything. Any help would be nice:)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:45 PM, on 4/26/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\TEMP\vyhoz8l3.exe
C:\WINNT\TEMP\vyhoz8l3.exe
C:\WINNT\explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINNT\Welcome.exe
C:\WINNT\TEMP\337184272.exe
C:\WINNT\TEMP\402809272.exe
C:\WINNT\dhcp\svchost.exe
C:\WINNT\system32\3361\SVCHOST.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\3361\SVCHOST.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\402809272.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217109214875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINNT\dhcp\svchost.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE
--
End of file - 7449 bytes
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
This virus spead to two other computers but only this one is online.
Are the other computers also W2K machines ?
This machine appears to be quite heavily infected, so the cleaning process may take a few runs.
Download and Run SD Fix
Please download SDFix( by andymanchesta ) (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
[b][color=red]Please do not run any other tools or scans whilst I am helping you
MY Computer got so slow and needed to print out some documents so i cleaned it up as much as I could using SpyBot and MalwareBytes Anti-Malware they both say it is clean so i am not using my internet on that computer because i know it will get infected if i do.
Are the other computers also W2K machines ?
No they are both XP one Sp3 the other sp2 (sp2 is extremly slow at login about 5 min when the user desktop image shows) I cleaned them both but i have a felling they will both get infected when they connect to the internet.
I wont be able to give you a fresh HJT log till tommorow.
I can get the log and post it on the infected computer but ill have to clean it again.
Do you have a Router ?
if so, it's possible that the router has been altered to send you to the infected sites.
Reset your Router
Make sure you have any information you need for reconnection before you continue ( You may need settings from your Internet Service Provider)
You need to reset your router to it's factory default settings.
Whilst your router is switched on, press the reset button (It may be a small hole that requires a pin)
When the router has finished it's reset, the first thing you need to do is set the password protection on it.
(This will help prevent this problem happening again.)
Please post the SDFix and Combofix logs rather than a fresh HJT log.
Do you have a Router ?
if so, it's possible that the router has been altered to send you to the infected sites.
I have dial-up. All I have to do is connect to the internet without opening a browser and the viruses just come in.
Reset your Router
Um I don't think i have a router. All I know is that I hook up the phone line into the back of the computer. It might be a modem. I use a phone cable and not a lan (Ethernet?) cable.
Please post the SDFix and Combofix logs rather than a fresh HJT log.
Yesterday I got a fresh HJT log and it is a lot different then the one I gave you So should I just do the SDFix and Combofix scans anyway?
So should I just do the SDFix and Combofix scans anyway?
Yes please
Um Before I run Combofix the totorial says to install recovery console. Is there one for W2K or should Combo Fix get it for me? If I let ComboFix get it for me I have to connect and then the viruses will just come in (assuming they will) Should I just do it anyway? (Sorry for asking to run twice I just wnat to make sure my computer wont get wrecked).
Sorry for asking to run twice I just wnat to make sure my computer wont get wrecked
That's fine, I would rather you ask if you aren't sure about something :)
There isn't a Recovery Console download for W2K,
it is assumed that anyone with a W2K machine has the original install disc.
it is assumed that anyone with a W2K machine has the original install disc.
Uh oh I cant find the install disc. It is improtant to have it for this right? Well ill look for the disk again and try to find it.
I already went ahead and ran the SDFix so here is the log.
SDFix: Version 1.240
Run by Administrator on Thu 04/30/2009 at 10:40p
Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINNT\system32\20.tmp - Deleted
C:\WINNT\system32\23.tmp - Deleted
C:\WINNT\system32\16.tmp - Deleted
C:\WINNT\system32\10.tmp - Deleted
C:\WINNT\system32\19.tmp - Deleted
C:\WINNT\system32\TFTP1400 - Deleted
C:\WINNT\system32\TFTP1556 - Deleted
C:\WINNT\system32\TFTP432 - Deleted
C:\WINNT\system32\TFTP480 - Deleted
C:\WINNT\system32\TFTP1856 - Deleted
C:\WINNT\system32\TFTP1020 - Deleted
C:\WINNT\system32\TFTP1340 - Deleted
C:\WINNT\system32\TFTP1896 - Deleted
Folder C:\WINNT\system32\286858 - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 22:47:05
Windows 5.0.2195 Service Pack 4 FAT NTAPI
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Fri 9 Mar 2007 27,648 ..SH. --- "C:\WINNT\system32\AVSredirect.dll"
Fri 24 Apr 2009 2,413 ...H. --- "C:\WINNT\system32\mmsg32.DLL"
Fri 24 Apr 2009 0 ...H. --- "C:\WINNT\system32\ms2chk.DLL"
Fri 24 Apr 2009 3,979 ...H. --- "C:\WINNT\system32\mspnd.DLL"
Fri 24 Apr 2009 4,394 ...H. --- "C:\WINNT\system32\msdone.DLL"
Mon 26 Jan 2009 1,740,632 ..SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 ..SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Thu 5 Mar 2009 2,279,424 ..SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 21 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 21 Mar 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Mon 2 Mar 2009 34,687,840 ...H. --- "C:\WINNT\SoftwareDistribution\Download\aea86f697630fd3ef941f71c2127cfcf\BIT57B.tmp"
Thu 2 Feb 2006 488,448 ...H. --- "C:\Documents and Settings\Administrator\Application Data\Microsoft\Word\~WRL2578.tmp"
Finished!
I needed to reinstall a printer (i needed it) because of the virus. Thought you should know
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:04 PM, on 4/30/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\mrtMngr.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\taskmgr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
O2 - BHO: C:\WINNT\system32\jksahfo93wjfkd.dll - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\1256108730.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217109214875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE
--
End of file - 6885 bytes
Uh oh I cant find the install disc. It is improtant to have it for this right?
It's only important if things don't go as planned.
At the last count, 1 out of approx 2 million runs there are problems using Combofix.
I would still like to see a Combofix log, but if you would rather not then we can try something else.
How are things running after using SDFix ?
How are things running after using SDFix ?
The Computer is running very smoothly. Ill go ahead and run combo fix i backed every up. so
I found the W2K installation disc and ran ComboFix but I got an error message (http://s630.photobucket.com/albums/uu25/bithpq/?action=view¤t=screenshot.jpg) and ComboFix i think deleted itself.
I followed the instructions on the message but the same error came up again.
That's not good.
That message usually only appears if you have a file infector on your machine.
We need to confirm the situation before proceeding.
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total
Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the the following file path into the window
C:\WINNT\System32\smss.exe
Click Submit/Send File
Please do the same for the following file
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskmgr.exe
If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)
You don't need to post any that don't show infection, and if they all show the same one then just post one report
ok i did a scan of the listed items. There is a problem. svchost.exe and taskmgr.exe will not scan on both scanners. taskmgr was scanned for a little while and then stopped at the second scanner. Panda said that taskmgr was a suspicious file. as for svchost it just wouldn't scan.
Upload a File
Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)
Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\taskmgr.exe
Go to spykiller (http://thespykiller.co.uk/index.php?board=1.0)
Please start a new thread Titled File/s for Katana and give the following information
Name:-- Your name
Subject:-- File for Katana
In the main text window please put the following link
http://forums.spybot.info/showthread.php?p=309444#post309444
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.
Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files
You can now delete SFP (exe and Zip) along with the .cab file that was created
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
Please Download GMER to your desktop
Download GMER (http://www.gmer.net/gmer.zip) and extract it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
Name:-- Your name
Subject:-- File for Katana
Ha um... Do I put for Name: Bithpq or Your name?
Well That way a silly question I could have thought a little more about what was asked.:funny:
Files are being uploaded
I had to re-run RSIT because it stopped responding.
Logfile of random's system information tool 1.06 (written by random/random)
Run by Administrator at 2009-05-02 20:49:06
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 8 GB (45%) free of 18 GB
Total RAM: 254 MB (2% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:08 PM, on 5/2/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\tcpsvcs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\wfxsnt40.exe
H:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
C:\WINNT\system32\mrtMngr.EXE
G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
L:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\A.tmp
C:\WINNT\System32\reader_s.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\1256108730.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217109214875
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AE7F335-2004-46AE-BB36-3D10DD971B3B}: NameServer = 142.161.130.154 142.161.2.154
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE
--
End of file - 7438 bytes
======Scheduled tasks folder======
C:\WINNT\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINNT\tasks\Ad-Aware Update (Weekly).job
C:\WINNT\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1178916134.job
C:\WINNT\tasks\AppleSoftwareUpdate.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 303104]
"zzzHPSETUP"=I:\Setup.exe []
"IgfxTray"=C:\WINNT\s [2009-03-14 146]
"HotKeysCmds"=C:\WINNT\s [2009-03-14 146]
"WinFaxAppPortStarter"=C:\WINNT\system32\wfxsnt40.exe [2000-02-14 43008]
"QAGENT"=H:\Program Files\QUICKENW\QAGENT.EXE [2001-08-01 114688]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2279424]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
C:\Program Files\HP DVD\Umbrella\DVDTray.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINNT\s [2009-03-14 146]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
D:\Program Files\HP Scanner\PrecisionScan\hpppta.exe /ICON []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINNT\s [2009-03-14 146]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Net-It Launcher]
C:\WINNT\s [2009-03-14 146]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
C:\WINNT\s [2009-03-14 146]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
D:\Program Files\WordPerfect11\Programs\QFSCHD110.EXE [2003-02-25 98367]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SymTray - Norton SystemWorks]
C:\Program Files\Common Files\Symantec Shared\Symtray.exe [2002-08-29 106576]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UIUCU]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 131072]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
C:\WINNT\system32\wfxsnt40.exe [2000-02-14 43008]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
Controller.LNK - C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
PGPtray.lnk - G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINNT\system32\igfxsrvc.dll [2005-10-19 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nwprovau]
C:\WINNT\system32\nwprovau.dll [2006-08-31 140048]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\s [2009-03-14 146]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 38400]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
nwprovau
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Documents and Settings\Administrator\Local Settings\Application Data\zchMiB.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\zchMiB.exe:*:Enabled:Windows Time Synchronization"
"C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe"="C:\Documents and Settings\Administrator\Local Settings\Application Data\websvr.exe:*:Enabled:WinSvrHost32"
"C:\WINNT\system32\3361\svchost.exe"="C:\WINNT\system32\3361\svchost.exe:*:Enabled:SVCHOST.EXE"
"\??\C:\WINNT\system32\winlogon.exe"="\??\C:\WINNT\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======List of files/folders created in the last 1 months======
2009-05-02 20:16:53 ----D---- C:\rsit
2009-05-02 19:42:21 ----A---- C:\WINNT\system32\B.tmp
2009-05-01 16:48:43 ----D---- C:\Qoobox
2009-05-01 16:48:38 ----A---- C:\Bug.txt
2009-04-30 22:32:05 ----D---- C:\WINNT\ERUNT
2009-04-30 22:21:17 ----D---- C:\SDFix
2009-04-26 13:00:57 ----A---- C:\WINNT\IE4 Error Log.txt
2009-04-25 14:51:46 ----D---- C:\Program Files\Trend Micro
2009-04-22 22:06:01 ----D---- C:\WINNT\system32\DRVSTORE
2009-04-19 18:48:02 ----A---- C:\dndi.txt
2009-04-19 17:01:59 ----A---- C:\WINNT\ntbtlog.txt
2009-04-16 19:40:51 ----D---- C:\Documents and Settings\Administrator\Application Data\BitTorrent
2009-04-14 21:37:54 ----N---- C:\WINNT\system32\tcpd.exe
2009-04-14 21:37:54 ----N---- C:\WINNT\system32\AUTMGR.EXE
2009-04-14 21:37:51 ----N---- C:\WINNT\system32\kernel32_check.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\tcpcon.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\Packer.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\iphy.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\fiplock.dll
2009-04-14 21:37:50 ----N---- C:\WINNT\system32\fhpatch.dll
2009-04-14 21:35:49 ----D---- C:\WINNT\system32\3361
2009-04-14 20:33:49 ----N---- C:\WINNT\system32\unrar.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\yv12vfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\xvidvfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\vp7vfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\vp6vfw.dll
2009-04-14 20:33:47 ----N---- C:\WINNT\system32\huffyuv.dll
2009-04-14 20:33:46 ----N---- C:\WINNT\system32\qt-dx331.dll
2009-04-14 20:33:46 ----N---- C:\WINNT\system32\dpl100.dll
2009-04-14 20:33:44 ----N---- C:\WINNT\system32\ff_vfw.dll
2009-04-14 20:33:42 ----N---- C:\WINNT\system32\pthreadGC2.dll
2009-04-14 20:33:41 ----D---- C:\Program Files\K-Lite Codec Pack
2009-04-05 21:28:42 ----HD---- C:\WINNT\$NtUninstallKB967715$
2009-04-05 21:24:56 ----HD---- C:\WINNT\$NtUninstallKB960225$
2009-04-05 21:03:06 ----HD---- C:\WINNT\$NtUninstallKB958690$
2009-04-05 20:01:47 ----N---- C:\WINNT\system32\javaws.exe
2009-04-05 20:01:47 ----N---- C:\WINNT\system32\javaw.exe
2009-04-05 20:01:47 ----N---- C:\WINNT\system32\java.exe
2009-04-04 16:20:40 ----N---- C:\WINNT\system32\wbhelp2.dll
======List of files/folders modified in the last 1 months======
2009-05-02 19:23:36 ----A---- C:\WINNT\win.ini
2009-05-02 19:19:58 ----A---- C:\WINNT\ModemLog_Generic - HCF PCI Modem.txt
2009-05-02 18:59:16 ----A---- C:\WINNT\SchedLgU.Txt
2009-04-27 17:58:56 ----A---- C:\WINNT\SYSTEM.INI
2009-04-21 23:03:32 ----A---- C:\WINNT\wininit.ini
2009-04-16 19:28:28 ----A---- C:\WINNT\system32\dfrg.msc
2009-04-14 21:37:52 ----A---- C:\WINNT\system32\kernel32.dll
2009-04-14 21:36:06 ----N---- C:\WINNT\OEWABLog.txt
2009-04-05 21:25:08 ----N---- C:\WINNT\imsins.BAK
2009-04-05 21:14:50 ----N---- C:\WINNT\system32\PerfStringBackup.INI
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 AFS2K;AFS2k; C:\WINNT\s [2009-03-14 146]
R1 Aspi32;Aspi32; C:\WINNT\s [2009-03-14 146]
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\s [2009-03-14 146]
R1 Cdralw2k;Cdralw2k; C:\WINNT\s [2009-03-14 146]
R1 cdudf;cdudf; C:\WINNT\s [2009-03-14 146]
R1 ifdcacf;ifdcacf; C:\WINNT\S [2009-03-14 146]
R1 OMCI;OMCI; C:\WINNT\S [2009-03-14 146]
R1 PQNTDrv;PQNTDrv; C:\WINNT\s [2009-03-14 146]
R1 pwd_2K;pwd_2K; C:\WINNT\s [2009-03-14 146]
R1 UdfReadr;UdfReadr; C:\WINNT\s [2009-03-14 146]
R2 BrPar;BrPar; C:\WINNT\S [2009-03-14 146]
R2 hidusb;Microsoft HID Class Driver; C:\WINNT\S [2009-03-14 146]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.6; C:\WINNT\s [2009-03-14 146]
R2 mdmxsdk;mdmxsdk; C:\WINNT\s [2009-03-14 146]
R2 mrtRate;mrtRate; C:\WINNT\s [2009-03-14 146]
R2 Nbf;NetBEUI Protocol; C:\WINNT\S [2009-03-14 146]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINNT\S [2009-03-14 146]
R2 NwlnkNb;NWLink NetBIOS; C:\WINNT\S [2009-03-14 146]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINNT\S [2009-03-14 146]
R2 PfModNT;PfModNT; \??\C:\WINNT\system32\drivers\PfModNT.sys []
R2 PGPdisk;PGPdisk; C:\WINNT\s [2009-03-14 146]
R2 PGPsdkDriver;PGPsdkDriver; C:\WINNT\S [2009-03-14 146]
R3 aeaudio;aeaudio; C:\WINNT\s [2009-03-14 146]
R3 catchme;catchme; \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINNT\S [2009-03-14 146]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\s [2009-03-14 146]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\s [2009-03-14 146]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\s [2009-03-14 146]
R3 ialm;ialm; C:\WINNT\s [2009-03-14 146]
R3 mmc_2K;mmc_2K; C:\WINNT\s [2009-03-14 146]
R3 mouhid;Mouse HID Driver; C:\WINNT\S [2009-03-14 146]
R3 NPDriver;Norton Unerase Protection Driver; \??\C:\WINNT\system32\Drivers\NPDRIVER.SYS []
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver; C:\WINNT\s [2009-03-14 146]
R3 NWRDR;NetWare Rdr; C:\WINNT\S [2009-03-14 146]
R3 pfc;Padus ASPI Shell; C:\WINNT\s [2009-03-14 146]
R3 PSched;QoS Packet Scheduler; C:\WINNT\S [2009-03-14 146]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\S [2009-03-14 146]
R3 smwdm;smwdm; C:\WINNT\s [2009-03-14 146]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\S [2009-03-14 146]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINNT\s [2009-03-14 146]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\S [2009-03-14 146]
R3 usbhub20;USB 2.0 Root Hub Support; C:\WINNT\S [2009-03-14 146]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\S [2009-03-14 146]
R3 usbscan;USB Scanner Driver; C:\WINNT\S [2009-03-14 146]
R3 USBSTOR;USB Mass Storage Driver; C:\WINNT\S [2009-03-14 146]
R3 vitra;vitra; C:\WINNT\S [2009-03-14 146]
R3 Winachcf;Winachcf; C:\WINNT\s [2009-03-14 146]
S1 btq4e2d;btq4e2d; C:\WINNT\S [2009-03-14 146]
S1 khf1ef1;khf1ef1; C:\WINNT\S [2009-03-14 146]
S1 mjh72ef;mjh72ef; C:\WINNT\S [2009-03-14 146]
S1 oljf514;oljf514; C:\WINNT\S [2009-03-14 146]
S1 qol051c;qol051c; C:\WINNT\S [2009-03-14 146]
S1 rom4d24;rom4d24; C:\WINNT\S [2009-03-14 146]
S1 romaa7b;romaa7b; C:\WINNT\S [2009-03-14 146]
S1 spn31b9;spn31b9; C:\WINNT\S [2009-03-14 146]
S1 sqn2e9a;sqn2e9a; C:\WINNT\S [2009-03-14 146]
S1 sqn5992;sqn5992; C:\WINNT\S [2009-03-14 146]
S2 SecDrv;SecDrv; \??\C:\WINNT\system32\drivers\SECDRV.SYS []
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINNT\s [2009-03-14 146]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINNT\s [2009-03-14 146]
S3 bcm4sbe5;Broadcom 440x 10/100 Integrated Controller Driver; C:\WINNT\s [2009-03-14 146]
S3 CCDECODE;Closed Caption Decoder; C:\WINNT\s [2009-03-14 146]
S3 dvd_2K;dvd_2K; C:\WINNT\s [2009-03-14 146]
S3 ENIMSR;ENIMSR; \??\C:\PROGRA~1\MTS\ENTERN~1\app\ENIMSR.SYS []
S3 FETNDISB;D-Link DFE-530TX PCI Fast Ethernet Adapter Driver Service; C:\WINNT\s [2009-03-14 146]
S3 MPE;BDA MPE Filter; C:\WINNT\s [2009-03-14 146]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINNT\s [2009-03-14 146]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINNT\s [2009-03-14 146]
S3 NTSTAP1;NTSTAP1; \??\C:\PROGRA~1\MTS\ENTERN~1\app\NTSTAP1.SYS []
S3 NTSTAP2;NTSTAP2; \??\C:\PROGRA~1\MTS\ENTERN~1\app\NTSTAP2.SYS []
S3 RAWESR;RAWESR; \??\C:\PROGRA~1\MTS\ENTERN~1\app\RAWESR.SYS []
S3 restore;restore; \??\C:\WINNT\system32\drivers\restore.sys []
S3 SDdriver;SDdriver; \??\C:\WINNT\system32\Drivers\sddriver.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINNT\s [2009-03-14 146]
S3 streamip;BDA IPSink; C:\WINNT\s [2009-03-14 146]
S3 TAPBIND;TAPBIND; \??\C:\PROGRA~1\MTS\ENTERN~1\app\TAPBIND1.SYS []
S3 UIUSys;Conexant Setup API; C:\WINNT\s [2009-03-14 146]
S3 Winacpci;Winacpci; C:\WINNT\S [2009-03-14 146]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINNT\s [2009-03-14 146]
S4 IntelIde;IntelIde; C:\WINNT\s [2009-03-14 146]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 NProtectService;Norton Unerase Protection; C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [2002-08-14 155648]
R2 NwSapAgent;SAP Agent; C:\WINNT\S [2009-03-14 146]
R2 PPPoEService;PPPoE Service; C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe [2000-07-11 69632]
R2 SimpTcp;Simple TCP/IP Services; C:\WINNT\S [2009-03-14 146]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 StiSvc;Still Image Service; C:\WINNT\s [2009-03-14 146]
R2 wfxsvc;WinFax PRO; C:\WINNT\s [2009-03-14 146]
S2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-05-15 100032]
S2 Irmon;Irmon; C:\WINNT\S [2009-03-14 146]
S2 LexBceS;LexBce Server; C:\WINNT\s [2009-03-14 146]
S2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S2 NWCWorkstation;Client Service for NetWare; C:\WINNT\S [2009-03-14 146]
S2 PGPsdkServ;PGPsdkService; C:\WINNT\s [2009-03-14 146]
S2 Speed Disk service;Speed Disk service; C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe [2002-08-14 192545]
S3 aspnet_state;ASP.NET State Service; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-07-27 501048]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-05-15 2086592]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\s [2009-03-14 146]
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\S [2009-03-14 146]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
-----------------EOF-----------------
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
info.txt was not minimized or opened.
I have a few other drives (partitions) should I scan those too?
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-02 22:06:33
Windows 5.0.2195 Service Pack 4
---- Kernel code sections - GMER 1.0.15 ----
.text ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
---- User code sections - GMER 1.0.15 ----
.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\winlogon.exe[224] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FF84493
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FF84522
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FF84518
.text C:\WINNT\system32\services.exe[256] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FF84570
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\lsass.exe[268] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Java\jre6\bin\jqs.exe[524] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE[652] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\System32\svchost.exe[704] C:\WINNT\System32\svchost.exe section is writeable [0x01001000, 0x14A8, 0xE0000060]
.rsrc C:\WINNT\System32\svchost.exe[704] C:\WINNT\System32\svchost.exe section is executable [0x01004000, 0x6400, 0xE0000040]
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\System32\svchost.exe[704] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe[724] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\regsvc.exe[768] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\System32\tcpsvcs.exe[788] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[804] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\stisvc.exe[816] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\WFXSVC.EXE[852] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Symantec\WinFax\WFXMOD32.EXE[908] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\Explorer.EXE[960] Explorer.EXE 00408199 5 Bytes [FF, 15, 70, 11, 40]
.text C:\WINNT\Explorer.EXE[960] C:\WINNT\Explorer.EXE section is writeable [0x00401000, 0x19546, 0xE0000060]
.reloc C:\WINNT\Explorer.EXE[960] C:\WINNT\Explorer.EXE section is executable [0x0043C000, 0x8000, 0xE2000040]
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\Explorer.EXE[960] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\Explorer.EXE[960] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\Explorer.EXE[960] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\Explorer.EXE[960] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\WINNT\system32\svchost.exe[1032] C:\WINNT\system32\svchost.exe section is writeable [0x01001000, 0x14A8, 0xE0000060]
.rsrc C:\WINNT\system32\svchost.exe[1032] C:\WINNT\system32\svchost.exe section is executable [0x01004000, 0x6400, 0xE0000040]
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\svchost.exe[1032] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\wfxsnt40.exe[1128] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\QuickTime\qttask.exe[1136] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text H:\Program Files\QUICKENW\QAGENT.EXE[1148] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe[1180] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\hkcmd.exe[1188] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\hkcmd.exe[1188] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\system32\hkcmd.exe[1188] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\system32\hkcmd.exe[1188] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Documents and Settings\Administrator\Desktop\gmer.exe[1196] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Java\jre6\bin\jusched.exe[1212] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\VT100.EXE[1224] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\VT100.EXE[1224] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\system32\VT100.EXE[1224] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\system32\VT100.EXE[1224] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[1228] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1248] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe[1276] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Symantec\WinFax\WFXCTL32.EXE[1304] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!LdrLoadDll 77F85B2C 5 Bytes JMP 7FFA5090
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe[1352] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe[1364] WS2_32.DLL!send 75031BCC 5 Bytes JMP 7FFA57EC
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtCreateFile 77F88278 5 Bytes CALL 7FFA4493
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtCreateProcess 77F88308 5 Bytes CALL 7FFA4522
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtEnumerateValueKey 77F88448 5 Bytes JMP 7FFA511C
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtOpenFile 77F886AC 5 Bytes CALL 7FFA4518
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQueryDirectoryFile 77F8883C 5 Bytes JMP 7FFA5324
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQueryInformationProcess 77F888CC 5 Bytes CALL 7FFA4570
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtQuerySystemInformation 77F889DC 5 Bytes JMP 7FFA5420
.text C:\WINNT\system32\mrtMngr.EXE[1420] ntdll.dll!NtVdmControl 77F88EE8 5 Bytes JMP 7FFA53A4
.text C:\WINNT\system32\mrtMngr.EXE[1420] USER32.dll!GetWindowTextA 77E176C6 5 Bytes JMP 7FFA58A4
.text C:\WINNT\system32\mrtMngr.EXE[1420] USER32.dll!GetWindowTextW 77E2F254 5 Bytes JMP 7FFA59D8
.text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!WSARecv 7503138E 5 Bytes CALL 7FFA574C
.text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!WSASend 75031525 5 Bytes CALL 7FFA5650
.text C:\WINNT\system32\mrtMngr.EXE[1420] WS2_32.dll!send 75031BCC 5 Bytes JMP 7FFA57EC
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[960] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 PGPsdk.sys (PGP Software Development Kit NT Driver/PGP Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
---- Threads - GMER 1.0.15 ----
Thread System [8:160] 8156A470
---- Processes - GMER 1.0.15 ----
Process C:\WINNT\system32\VT100.EXE (*** hidden *** ) 1224
Library C:\WINNT\system32\VT100.EXE (*** hidden *** ) @ C:\WINNT\system32\VT100.EXE [1224] 0x00400000
---- Files - GMER 1.0.15 ----
File C:\WINNT\system32\VT100.EXE
File C:\WINNT\system32\mmsg32.DLL
File C:\WINNT\system32\ms2chk.DLL
File C:\WINNT\system32\mspnd.DLL
File C:\WINNT\system32\msdone.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\mmsg32.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\ms2chk.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\mspnd.DLL
File C:\Documents and Settings\Administrator\Local Settings\Temp\msdone.DLL
---- EOF - GMER 1.0.15 ----
oh another thing this (http://i630.photobucket.com/albums/uu25/bithpq/screenshot2.jpg) window poped up for two things while i ran gmer
Svchost.exe & TASKMGR.EXE
http://www.virustotal.com/analisis/d84b2253b184c7f7a679e8cb071a1978
Antivirus Version Last Update Result
AntiVir 7.9.0.160 2009.05.02 W32/Virut.Gen
Authentium 5.1.2.4 2009.05.02 W32/Virut.AI!Generic
Avast 4.8.1335.0 2009.05.02 Win32:Vitro
AVG 8.5.0.327 2009.05.02 Win32/Virut
BitDefender 7.2 2009.05.02 Win32.Virtob.Gen.12
CAT-QuickHeal 10.00 2009.05.02 W32.Virut.G
DrWeb 4.44.0.09170 2009.05.02 Win32.Virut.56
eTrust-Vet 31.6.6487 2009.05.02 Win32/Virut.17408
F-Prot 4.4.4.56 2009.05.02 W32/Virut.AI!Generic
F-Secure 8.0.14470.0 2009.05.02 Virus.Win32.Virut.ce
Fortinet 3.117.0.0 2009.05.02 W32/Virut.CE
GData 19 2009.05.02 Win32.Virtob.Gen.12
Kaspersky 7.0.0.125 2009.05.02 Virus.Win32.Virut.ce
McAfee 5603 2009.05.02 W32/Virut.n.gen
McAfee+Artemis 5603 2009.05.02 W32/Virut.n.gen
McAfee-GW-Edition 6.7.6 2009.05.02 Win32.Virut.Gen
Microsoft 1.4602 2009.05.02 Virus:Win32/Virut.BM
NOD32 4049 2009.05.01 Win32/Virut.NBP
Rising 21.27.41.00 2009.05.01 Win32.Virut.bm
Sophos 4.41.0 2009.05.02 W32/Scribble-B
Sunbelt 3.2.1858.2 2009.05.02 Virus.Win32.Virut.ce (v)
Symantec 1.4.4.12 2009.05.02 W32.Virut.CF
TheHacker 6.3.4.1.317 2009.05.02 W32/Virut.gen2
TrendMicro 8.950.0.1092 2009.05.01 PE_VIRUX.F-1
ViRobot 2009.5.1.1717 2009.05.01 Win32.Virut.AL
VirusBuster 4.6.5.0 2009.05.02 Win32.Virut.Y.Gen
This machine needs to be formatted.
This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.
Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.
Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.
Recent variants also modify htm, html, asp and php files.
Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.
See miekiemoes' blog for similar comments here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
Ok ill be formating the computer at around the end of the week. I am looking forward to formatting the computer. Get rid of some old programs. Afterall it is a used computer. I might install XP.
Do you know how virut can spread? How do I tell if a .exe, .scr and htm, html, php and what ever other files have been patched or infected or corrupted?
A file can only be patched/corrupted by running it right or do i have to just access it?
Is it possible to grab .exe files over network? Or will that infect them too (because they are accessed).
Scince I will be formating what are some fire walls that you recomend? Or any other programs that will help keep my computer clean and running at its best?
1) I might install XP.
2) Do you know how virut can spread?
3) How do I tell if a .exe, .scr and htm, html, php and what ever other files have been patched or infected or corrupted?
4) A file can only be patched/corrupted by running it right or do i have to just access it?
5) Is it possible to grab .exe files over network? Or will that infect them too (because they are accessed).
1) Good idea, W2k is not getting any younger ;)
2) Very easily via :- usb drives, cracks, keygens, P2P, shared folders, networks, you name it Virut can use
3) You can scan single files at Virustotal (http://www.virustotal.com/en/indexf.html), or an entire machine at Kaspersky ( http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
)
4) Just accessing a file can infect it.
5) There is a high risk that any machine accessed via a network will also be infected.
I try not to recommend Firewalls, they are quite a "personal" thing ie. level of security over amount of warnings.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
Happy surfing K'
1)I try not to recommend Firewalls, they are quite a "personal" thing ie. level of security over amount of warnings.
I never liked them but I just wondered if there was one that was less anoying. If you know what I mean.
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
These will take a long time on dial-up right? Do they have to upload and scan for each file?
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
HA of course!:bigthumb:
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Doesent SD Shreder do the same thing?
Another thing. If I plug a flash drive into a Virut infected computer and the flash drive has no files that can be infected by virut. Then plug it into a clean computer will the clean computer get infected?
1) I never liked them but I just wondered if there was one that was less anoying. If you know what I mean.
2) These will take a long time on dial-up right? Do they have to upload and scan for each file?
3) Doesent SD Shreder do the same thing?
4) Another thing. If I plug a flash drive into a Virut infected computer and the flash drive has no files that can be infected by virut. Then plug it into a clean computer will the clean computer get infected?
1) They are all annoying in their own way, and I know exactly what you mean.
The problem is, that the more annoying it is then the better job it is doing ;)
2) Yes, it will take a while on dial-up.
3) You need to update Spybot :police:
Spybot-S&D 1.5 does not support the Secure Shredder anymore.
There is a simple reason, the Secure Shredder is outdated
and so it is not really "secure" without any enhancements.
4) Some versions of Virut are designed to detect the presence of a USB drive and infect it specifically for this purpose.
They are all annoying in their own way, and I know exactly what you mean.
The problem is, that the more annoying it is then the better job it is doing ;)
:funny:
Yes, it will take a while on dial-up.
So it does upload?
You need to update Spybot :police:
Always I get e-mail notifacations
Some versions of Virut are designed to detect the presence of a USB drive and infect it specifically for this purpose.
So even though there is no .exe .scr .htm .html .asp .php files?
1) So it does upload?
2) So even though there is no .exe .scr .htm .html .asp .php files?
1) yes, you upload files to VirusTotal
2) Correct. USB drives have an Autorun.inf file which is detected by the infection.
Correct. USB drives have an Autorun.inf file which is detected by the infection.
So the Autorun.inf is what infects the other computer? or does the virus configure the Autorun? If autorun is disabled on a computer is it safe or Im I at risk? Also is there a way to get rid of the Autorun without wrecking the Flash-Drive?
If the Flash-Drive's Autorun is "infected" do I have to format my flash drive?
I will be formating the Computer soon and I just realized that I dont know how to format a computer. Also is there some thing that will happen to the computer's hardware if I format it?
Autorun.inf is used by the virus to run an infected file that is dropped on the USB
If autorun is disabled on a computer, then it won't run the infected file.
You can clean USB drives with the following tool
Panda USB and AutoRun Vaccine
Please visit Panda USB and AutoRun Vaccine (http://research.pandasecurity.com/archive/Panda-USB-and-AutoRun-Vaccine.aspx)
Download and use the tool to vacinate your computer and also any USB drives you have.
This will help prevent infection in the future.
----------------------------------------------------------- -----------------------------------------------------------
Here is a check list of items that you will need for a reformat.
1 - Backup Your Data
Copy all your data to a separate drive, CD, DVD, etc.
It may be a good idea to check the files that you backup with an online scanner, you don't want to be reinfected.
http://www.kaspersky.com/virusscanner
2 - Back Up Your Drivers
Particularly important if your computer was not delivered with driver CDs
Driver Genius Pro finds updates and backs up your drivers into an exe installer - very simple to re-install
Or there's the free DriverMax from http://www.innovative-sol.com
3 - Download Programs, Installers, and Updates
Make sure you have all the programs you will need to re-install such as an Antivirus, a Firewall, and, if not included on the installation disk, Microsoft's Service Pack 2 for Windows XP.
Take note of all the product keys and serial numbers. These may be on boxes, CDs, or in emails.
4 - Make Sure You Can Get Back Online
Check that you have modem drivers, set up instructions, and log-in details.
5 - Boot From The Windows CD and Install
Physically disconnect your internet cable between the computer and the modem/router
If your computer isn't set to boot from CD, look for the option to enter the BIOS setup during startup - usually Del, F1 or F2
In the BIOS, look for the option to change the order of boot devices
Select the CD drive as the first option
Save and exit
6 - Reload Drivers
Once the Windows installation is complete, re-load the drivers you save in 2 above
7 - Install Security Programs
Install your Antivirus, Firewall, and other security programs
8 - Install Any Microsoft Updates
Reconnect your computer to the internet and go to the Microsoft Updates site: http://update.microsoft.com/microsoftupdate
Download and install any required updates
9 - Install Any Programs
Finally, install any programs you need to run
If you have any questions, don't hesitate to ask.
I have postponed format till later. I am wondering, I have a few programs that arent infected and i cant replace them so If I back them up and scan them with virus total after would that be ok?
1) I have a few programs that arent infected
2) I have postponed format till later.
3) so If I back them up and scan them with virus total after would that be ok?
1) How do you know ?
2) Chances are that by the time you get around to it any files that weren't infected will be.
3) Not really.
It's nearly two weeks since I told you that a reformat was needed.
By now I suspect that almost all your system files are infected.
Every file that you move will be prone to infection.
Virut is vicious, it really isn't worth taking the risk of transferring any files that may be infected.
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.