Help remove WayPointCash



thameen
2006-11-23, 15:23
Dear Forum members

I have a problem with the pop ups:

1. WayPointCash
2. em.gad and fp.gad

I used to have lots of spyware. I installed some antispyware software and removed everything but these two. I tried the advice at many forums but nothing worked with these.

Can you please help me remove these two!

Here is a list of the software that I have:

HijackThis
ccleaner
GetRunKey
ShowNew
Spybot
AdAware PE
Windows Defender
KillBox
Avgas

I will appreciate your help and input.

Here is the HJT report in case it is needed. I'm ready to provide any other logs as needed:

Logfile of HijackThis v1.99.1
Scan saved at 06:21:49 ?, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mwsrvacc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [regsvc] C:\Program Files\registry\regsvc32.exe
O4 - HKLM\..\Run: [HTTPServer] C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe
O4 - HKLM\..\Run: [JGQQ] C:\WINDOWS\system32\Sys\JGQQ.exe
O4 - HKLM\..\Run: [PRQV] C:\WINDOWS\system32\Sys\PRQV.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\mwsrvacc.exe /run
O4 - HKCU\..\Run: [Tok-Cirrhatus-2355] "C:\Documents and Settings\NASRI\Local Settings\Application Data\br5733on.exe"
O4 - HKCU\..\Run: [regsvc] C:\Program Files\registry\regsvc32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F4D3335-3194-4167-85AE-E7325F2695EF} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1068_em_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2F3600C-5740-451B-8597-54D4FC2AAB2B}: NameServer = 212.14.224.1 212.14.234.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

----------------------------

Shaba
2006-11-23, 16:44
Hi thameen

Open HijackThis, click "Do a system scan only" and checkmark these:

O4 - HKLM\..\Run: [regsvc] C:\Program Files\registry\regsvc32.exe
O4 - HKLM\..\Run: [JGQQ] C:\WINDOWS\system32\Sys\JGQQ.exe
O4 - HKLM\..\Run: [PRQV] C:\WINDOWS\system32\Sys\PRQV.exe
O4 - HKCU\..\Run: [Tok-Cirrhatus-2355] "C:\Documents and Settings\NASRI\Local Settings\Application Data\br5733on.exe"
O4 - HKCU\..\Run: [regsvc] C:\Program Files\registry\regsvc32.exe
O16 - DPF: {5F4D3335-3194-4167-85AE-E7325F2695EF} - http://scripts.dlv4.com/binaries/ega...1068_em_XP.cab

Close all windows, including the browser, and press Fix checked.

Delete if present:

C:\Program Files\registry\regsvc32.exe
C:\WINDOWS\system32\Sys
C:\Documents and Settings\NASRI\Local Settings\Application Data\br5733on.exe
C:\WINDOWS\system32\mwsrvacc.exe

Empty Recycle Bin

Download and unzip BFU.zip from here (http://www.merijn.org/files/bfu.zip).
Run the program and click the Web button as shown by the blue arrow below:
http://www.malwareremoval.com/images/bfuonlinescript5lf.jpg

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/EGDACCESS.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

Then reboot and post a new HijackThis log.

thameen
2006-11-23, 20:53
Hi Shaba

Thank you for replying to my post and for your time analyzing my case.

I did remove the lines in HJT that you recommended.

I too found C:\WINDOWS\system32\mwsrvacc.exe and deleted it.

I also used the small software BFU.

I then rebooted the PC and connected to the net. The pop-up <fp.gad-network.com> appeared instantly. It appeared a few times in less than a minute.

I then took this HJT log:

Thank you for your time.

Thameen
---------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:52:02 ?, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HTTPServer] C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2F3600C-5740-451B-8597-54D4FC2AAB2B}: NameServer = 212.14.224.1 212.14.234.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

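A small helper for the back-and-forth above: it parses HijackThis 1.99 entries, diffs the first log against the second to confirm which of the checked items are gone, and raises a few review hints on what remains. This is an added example, not code from HijackThis or from either poster; the sample lines are excerpts constructed from the two logs in this thread, and the review rules (profile-directory and system32-subfolder paths, ActiveX downloads from outside an assumed trusted list, missing files, the same command under both HKLM and HKCU Run) are heuristics chosen here, not verdicts.

```python
"""Parse HijackThis 1.99 logs, diff a before/after pair, and flag entries for review.

Added example for this thread, not code from HijackThis or from either poster.
The sample lines are excerpts constructed from the two logs posted above; the
review rules are heuristics chosen here and give hints for an analyst, not verdicts.
"""
import re

# A log line: "<kind> - <body>", where kind is R0-R3, F0-F3 or O1-O24.
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
# O4 Run-key body: "HKLM\..\Run: [<value name>] <command>" (Global Startup lines do not match).
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 body: "DPF: {CLSID} (optional class name) - <cab URL>"
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
# Assumption for this example: only Windows Update is treated as a trusted ActiveX source.
TRUSTED_DPF_PREFIXES = ("http://update.microsoft.com/",)


def parse_hjt(text):
    """Return the (kind, body) pairs found in a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def diff_hjt(before, after):
    """Entries present only in the first log (removed) and only in the second (added)."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


def executable_of(cmd):
    """Best-effort program path from an O4 command: quoted path, else text up to the first .exe."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def review_flags(entries):
    """Heuristic review hints as (kind, label, reason) tuples."""
    flags = []
    by_hive = {"HKLM": {}, "HKCU": {}}  # command -> value name, to spot dual persistence
    for kind, body in entries:
        if kind == "O4" and (m := O4_RE.match(body)):
            exe = executable_of(m["cmd"]).lower()
            by_hive[m["hive"]][m["cmd"]] = m["name"]
            if "\\documents and settings\\" in exe:
                flags.append((kind, m["name"], "runs from a user profile directory"))
            if re.search(r"\\windows\\system32\\[^\\]+\\", exe):
                flags.append((kind, m["name"], "runs from a subfolder of system32"))
        elif kind == "O16" and (m := O16_RE.match(body)):
            if not m["url"].lower().startswith(TRUSTED_DPF_PREFIXES):
                flags.append((kind, m["url"], "ActiveX download from a host outside the trusted list"))
        if "(file missing)" in body or "(no file)" in body:
            flags.append((kind, body.split(" - ")[0], "references a file that no longer exists"))
    for cmd in by_hive["HKLM"].keys() & by_hive["HKCU"].keys():
        flags.append(("O4", by_hive["HKLM"][cmd], "same command registered under both HKLM and HKCU Run"))
    return flags


# Constructed excerpts of the two logs posted in this thread (first and second HJT run).
BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [regsvc] C:\Program Files\registry\regsvc32.exe
O4 - HKLM\..\Run: [JGQQ] C:\WINDOWS\system32\Sys\JGQQ.exe
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKCU\..\Run: [Tok-Cirrhatus-2355] "C:\Documents and Settings\NASRI\Local Settings\Application Data\br5733on.exe"
O4 - HKCU\..\Run: [regsvc] C:\Program Files\registry\regsvc32.exe
O16 - DPF: {5F4D3335-3194-4167-85AE-E7325F2695EF} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1068_em_XP.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""
AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

if __name__ == "__main__":
    removed, added = diff_hjt(BEFORE, AFTER)
    print("Removed since the first log:")
    for kind, body in removed:
        print(f"  {kind} - {body}")
    print("New in the second log:")
    for kind, body in added:
        print(f"  {kind} - {body}")
    print("Still worth a look in the second log:")
    for kind, label, reason in review_flags(parse_hjt(AFTER)):
        print(f"  {kind} {label}: {reason}")
```

Run it against the full logs pasted into BEFORE and AFTER to see the same diff the helper was asked to confirm; entries that survive the diff with a review flag are the ones to discuss next.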
------------------------------------------------

Shaba
2006-11-24, 09:02
Hi

Then we need more research:

Download WinPFind2.exe (http://download.bleepingcomputer.com/oldtimer/winpfind2.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.

Open the WinPFind2 folder and double-click on winpfind2.exe to start the program.
Keep the standard settings.
In the AddOn-Options group click the checkboxes for

HKCU_IEDesktop.def
Jobs.def
Policies.def
SID_Run_Policies.def

to select them.
Now click the Run All Scans button on the toolbar.
When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button to post the information back here and I will review it when it comes in.

thameen
2006-11-24, 13:11
Dear Shaba. Here is the WinPFind scan as per your instructions. The log is too long for this forum, so I will post it in two parts:

Logfile created on: 24/11/2006 04:05:44 Õ
WinPFind2 by OldTimer - Version 1.0.15 Folder = C:\Documents and Settings\NASRI\Desktop\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)


< Processes (Non-Microsoft Only) >
c:\program files\symantec\liveupdate\aluschedulersvc.exe - (Symantec Corporation )
c:\program files\widcomm\bluetooth software\bin\btwdins.exe - (WIDCOMM, Inc. )
c:\program files\common files\symantec shared\ccapp.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccevtmgr.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccsetmgr.exe - (Symantec Corporation )
c:\program files\grisoft\avg anti-spyware 7.5\guard.exe - (Anti-Malware Development a.s. )
c:\windows\system32\hkcmd.exe - (Intel Corporation )
c:\windows\system32\igfxpers.exe - (Intel Corporation )
c:\windows\system32\igfxtray.exe - (Intel Corporation )
c:\program files\norton antivirus\navapsvc.exe - (Symantec Corporation )
c:\program files\common files\real\update_ob\realsched.exe - (RealNetworks, Inc. )
c:\lifeview flyvideo\recsche.exe - ( )
c:\windows\soundman.exe - (Realtek Semiconductor Corp. )
c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe - (Symantec Corporation )
c:\windows\vm_sti.exe - (VM. )
c:\documents and settings\nasri\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )
c:\program files\yahoo!\messenger\ymsgr_tray.exe - (Yahoo! Inc. )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.yahoo.com/
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.yahoo.com/
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - http://google.com/
HKCU->Main\\Search Bar - http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
HKCU->Main\\Search Page - http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )
HKCU->URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = Reg Data - Key not found (File not found)
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{53707962-6F74-2D53-2644-206D7942484F} - = C:\PROGRA~1\SPYBOT~1\SDHelper.dll (Safer Networking Limited )
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - Yahoo! IE Services Button = C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc. )
{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar1.dll (Google Inc. )
{BDF3E430-B101-42AD-A544-FADC6B084872} - CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation )

[HKLM-> Internet Explorer ToolBars]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc. )
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc. )
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Norton AntiVirus = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar = Reg Data - Key not found (File not found)

[HKCU-> Internet Explorer CmdMapping]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8192 - Reg Data - Value does not exist
{CCA281CA-C863-46ef-9331-5C8D4460577F} - 8195 - @btrez.dll,-4017
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - 8193 - Yahoo! Messenger
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Windows Messenger
NextId - 8196

[HKLM-> Internet Explorer Extensions]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - ButtonText: Yahoo! Services = Reg Data - Value does not exist (File not found)
{CCA281CA-C863-46ef-9331-5C8D4460577F} - ButtonText: @btrez.dll,-4015 = C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ( )
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - ButtonText: Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc. )
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )

[HKCU-> Internet Explorer Menu Extensions]
&Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm (File not found)
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 (Microsoft Corporation )
Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ( )
Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm (File not found)
Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm (File not found)
Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm (File not found)

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
- = Reg Data - Key not found (File not found)
{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} - Autoplay for SlideShow = Reg Data - Key not found (File not found)
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data - Key not found (File not found)
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found)
{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc. )
{6af09ec9-b429-11d4-a1fb-0090960218cb} - My Bluetooth Places = C:\WINDOWS\system32\btneighborhood.dll (WIDCOMM, Inc. )
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data - Key not found (File not found)
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data - Key not found (File not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data - Key not found (File not found)
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\system32\hticons.dll (Hilgraeve, Inc. )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s. )
* - Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )
* - Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll (Yahoo! Inc. )
Directory - AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s. )
Directory\Background - igfxcui - {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} = C:\WINDOWS\system32\igfxpph.dll (Intel Corporation )
Folder - Symantec.Norton.Antivirus.IEContextMenu - {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll (Symantec Corporation )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\system32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\!AVG Anti-Spyware - "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized (Anti-Malware Development a.s. )
HKLM->Run\\BigDogPath - C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P (VM. )
HKLM->Run\\ccApp - "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation )
HKLM->Run\\Cmaudio - RunDll32 cmicnfg.cpl,CMICtrlWnd (File not found)
HKLM->Run\\igfxhkcmd - C:\WINDOWS\system32\hkcmd.exe (Intel Corporation )
HKLM->Run\\igfxpers - C:\WINDOWS\system32\igfxpers.exe (Intel Corporation )
HKLM->Run\\igfxtray - C:\WINDOWS\system32\igfxtray.exe (Intel Corporation )
HKLM->Run\\RecSche - C:\LifeView FlyVideo\RecSche.exe /Startup ( )
HKLM->Run\\SoundMan - soundman.exe (Realtek Semiconductor Corp. )
HKLM->Run\\Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer (Symantec Corporation )
HKLM->Run\\TkBellExe - "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1
HKCU->Run\\ctfmon.exe - C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation )
HKCU->Run\\MSMSGS - "C:\Program Files\Messenger\msmsgs.exe" /background (Microsoft Corporation )
HKCU->Run\\MsnMsgr - "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation )
HKCU->Run\\Tok-Cirrhatus - (File not found)
HKCU->Run\\Yahoo! Pager - "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (Yahoo! Inc. )

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found)

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]

[>> User Agent Post Platform <<]
SV1 -

--To be continued ---->

thameen
2006-11-24, 13:13
[>> Winlogon <<]
HMLM->AltDefaultDomainName - JABA-8345EAAE63
HMLM->AltDefaultUserName - NASRI
HMLM->AutoAdminLogon - Reg Data - Value does not exist
HMLM->DefaultDomainName - JABA-8345EAAE63
HMLM->DefaultUserName - NASRI
HKLM->Shell - explorer.exe (Microsoft Corporation )
HKLM->System - (File not found)
HMLM->UserInit - C:\WINDOWS\system32\userinit.exe, (Microsoft Corporation )
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\igfxcui - igfxdev.dll (Intel Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{09997DE0-7DA7-44E5-9B65-39E44CB73C98} - ()
{C1E5CD5B-1C39-4DCE-A4D6-C88CAE447971} - ()

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 (Tcpip) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 (NTDS) - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 (Network Location Awareness (NLA) Namespace) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found)
msdaipp - (File not found)

[>> Protocol Filters (Non-Microsoft only) <<]

< Services (Non-Microsoft Only) >
Automatic LiveUpdate Scheduler (Automatic LiveUpdate Scheduler) - "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
AVG Anti-Spyware Guard (AVG Anti-Spyware Guard) - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
Bluetooth Service (btwdins) - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (WIDCOMM, Inc. ) [Automatic - Running - Win32, running in it's own process]
Symantec Event Manager (ccEvtMgr) - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec Settings Manager (ccSetMgr) - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Norton AntiVirus Auto-Protect Service (navapsvc) - "C:\Program Files\Norton AntiVirus\navapsvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec SPBBCSvc (SPBBCSvc) - "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]

< Files >

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Date = 14/08/2002 09:06:24 م | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/11/2006 05:27:46 م | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google [Ver = 1.4.661.11671.beta | Size = 114616 bytes | Date = 13/11/2006 01:41:24 ص | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation [Ver = 10.0.2609 | Size = 83360 bytes | Date = 13/02/2001 01:01:04 ص | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\NASRI\Start Menu\Programs\Startup
C:\Documents and Settings\NASRI\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 03/11/2006 05:27:46 م | Attr = HS])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - explorer.exe

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/11/2006 09:20:58 ص | Attr = HS])
C:\Documents and Settings\All Users\Application Data\events.log - ( [Ver = | Size = 4647 bytes | Date = 14/11/2006 05:51:54 ص | Attr = ])
C:\Documents and Settings\All Users\Application Data\satmp.tmp - ( [Ver = | Size = 17337 bytes | Date = 14/11/2006 05:50:50 ص | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\NASRI\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 03/11/2006 09:20:58 ص | Attr = HS])
C:\Documents and Settings\NASRI\Application Data\GDIPFONTCACHEV1.DAT - ( [Ver = | Size = 50200 bytes | Date = 12/11/2006 10:51:34 ص | Attr = ])

Program Files Folder

Common Files Folder

DPF files
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright (c) 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 CC 00 00 00 00 00 00 00 34 03 00 00 E2 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 FF FF 00 00 FF FF 00 00 FF FF FF FF FF FF FF FF 04 00 00 00
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 6A 02 00 00 23 00 00 00 A4 00 00 00 9A 00 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - 4C E8 5B C0 AA 09 C7 01
Desktop\General\\WallpaperLocalFileTime - 4C A8 38 B2 67 09 C7 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 0
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 E2 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Jobs.def<<<<

DIR - C:\WINDOWS\tasks\*.* - Parameters = Include SubFolders
C:\WINDOWS\tasks\At1.job - ( [Ver = | Size = 424 bytes | Date = 23/11/2006 05:08:02 م | Attr = ])
C:\WINDOWS\tasks\At2.job - ( [Ver = | Size = 424 bytes | Date = 23/11/2006 11:03:02 ص | Attr = ])
C:\WINDOWS\tasks\desktop.ini - ( [Ver = | Size = 65 bytes | Date = 22/08/2001 07:00:00 م | Attr = RH ])
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - NASRI.job - ( [Ver = | Size = 530 bytes | Date = 13/11/2006 05:27:02 ص | Attr = ])
C:\WINDOWS\tasks\SA.DAT - ( [Ver = | Size = 6 bytes | Date = 24/11/2006 03:53:30 ص | Attr = H ])

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer not found. -

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 145
policies\Explorer\\NoFolderOptions - 0
policies\System -
policies\System\\DisableRegistryTools - 0
policies\System\\DisableCMD - 0

KEY - HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer not found. -

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\system32\CTFMON.EXE

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\CTFMON.EXE - C:\WINDOWS\system32\CTFMON.EXE

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145
Policies\Explorer\\NoFolderOptions - 0
Policies\System -
Policies\System\\DisableRegistryTools - 0
Policies\System\\DisableCMD - 0

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145
Policies\Explorer\\NoFolderOptions - 0
Policies\System -
Policies\System\\DisableRegistryTools - 0
Policies\System\\DisableCMD - 0

< End of report >

Shaba
2006-11-24, 17:45
Hi

Still more research needed

Create a Startup List
Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Check off the 2 boxes next to the Box that says "Generate StartupList log"
Copy and paste the StartupList from the notepad into your next post

* Download GMER from here (http://www.gmer.net/gmer.zip):
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.


Send:

- startuplist
- gmer log

thameen
2006-11-25, 14:53
Thank you again Shaba. It is indeed very nice of you to give me your attention and your time. I do appreciate both.

Here is the startup scan, and in the next one is the GMER log:

1. StartUp Scan

StartupList report, 25/11/2006, 05:41:32 ?
StartupList version: 1.52.2
Started from : C:\Program Files\HJT\analyse.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\analyse.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

igfxtray = C:\WINDOWS\system32\igfxtray.exe
igfxhkcmd = C:\WINDOWS\system32\hkcmd.exe
igfxpers = C:\WINDOWS\system32\igfxpers.exe
SoundMan = soundman.exe
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
RecSche = C:\LifeView FlyVideo\RecSche.exe /Startup
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
BigDogPath = C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Tok-Cirrhatus =

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\gbsaver.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

At1.job
At2.job
Norton AntiVirus - Scan my computer - NASRI.job

--------------------------------------------------

Enumerating Download Program Files:

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,021 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
-----------------------------------------------------------

thameen
2006-11-25, 15:00
Dear Shaba. Although I turned off Word Wrap in the txt file, the format here in the post was cramped. I apologize for the inconvenience.

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-25 05:51:22
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 82224A30 ZwConnectPort
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 82125C70 ZwOpenThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\SOUNDMAN.EXE[112] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\SOUNDMAN.EXE[112] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\SOUNDMAN.EXE[112] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\SOUNDMAN.EXE[112] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\SOUNDMAN.EXE[112] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\SOUNDMAN.EXE[112] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\SOUNDMAN.EXE[112] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\SOUNDMAN.EXE[112] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\alg.exe[416] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\alg.exe[416] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\alg.exe[416] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\alg.exe[416] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\igfxtray.exe[468] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F61EC1
.text C:\WINDOWS\system32\igfxtray.exe[468] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F61C62
.text C:\WINDOWS\system32\igfxtray.exe[468] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F61A0B
.text C:\WINDOWS\system32\igfxtray.exe[468] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F6191B
.text C:\WINDOWS\system32\igfxtray.exe[468] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F62C34
.text C:\WINDOWS\system32\igfxtray.exe[468] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F62BA6
.text C:\WINDOWS\system32\igfxtray.exe[468] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 00F62DA7
.text C:\WINDOWS\system32\igfxtray.exe[468] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 00F62D16
.text C:\WINDOWS\system32\hkcmd.exe[480] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00ED1EC1
.text C:\WINDOWS\system32\hkcmd.exe[480] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00ED1C62
.text C:\WINDOWS\system32\hkcmd.exe[480] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00ED1A0B
.text C:\WINDOWS\system32\hkcmd.exe[480] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00ED191B
.text C:\WINDOWS\system32\hkcmd.exe[480] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00ED2C34
.text C:\WINDOWS\system32\hkcmd.exe[480] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00ED2BA6
.text C:\WINDOWS\system32\hkcmd.exe[480] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 00ED2DA7
.text C:\WINDOWS\system32\hkcmd.exe[480] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 00ED2D16
.text C:\WINDOWS\system32\igfxpers.exe[488] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F41EC1
.text C:\WINDOWS\system32\igfxpers.exe[488] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F41C62
.text C:\WINDOWS\system32\igfxpers.exe[488] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F41A0B
.text C:\WINDOWS\system32\igfxpers.exe[488] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F4191B
.text C:\WINDOWS\system32\igfxpers.exe[488] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F42C34
.text C:\WINDOWS\system32\igfxpers.exe[488] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F42BA6
.text C:\WINDOWS\system32\igfxpers.exe[488] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 00F42DA7
.text C:\WINDOWS\system32\igfxpers.exe[488] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 00F42D16
.text C:\LifeView FlyVideo\RecSche.EXE[528] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\LifeView FlyVideo\RecSche.EXE[528] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\LifeView FlyVideo\RecSche.EXE[528] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\LifeView FlyVideo\RecSche.EXE[528] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\LifeView FlyVideo\RecSche.EXE[528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\LifeView FlyVideo\RecSche.EXE[528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\LifeView FlyVideo\RecSche.EXE[528] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\LifeView FlyVideo\RecSche.EXE[528] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[548] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\VM_STI.EXE[552] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\VM_STI.EXE[552] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\VM_STI.EXE[552] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\VM_STI.EXE[552] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\VM_STI.EXE[552] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\VM_STI.EXE[552] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\VM_STI.EXE[552] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\VM_STI.EXE[552] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\winlogon.exe[584] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\winlogon.exe[584] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\qytcfvnips.exe[604] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 01731EC1
.text C:\WINDOWS\system32\qytcfvnips.exe[604] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01731C62
.text C:\WINDOWS\system32\qytcfvnips.exe[604] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01731A0B
.text C:\WINDOWS\system32\qytcfvnips.exe[604] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0173191B
.text C:\WINDOWS\system32\qytcfvnips.exe[604] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01732C34
.text C:\WINDOWS\system32\qytcfvnips.exe[604] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01732BA6
.text C:\WINDOWS\system32\qytcfvnips.exe[604] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 01732DA7
.text C:\WINDOWS\system32\qytcfvnips.exe[604] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 01732D16
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B

thameen
2006-11-25, 15:01
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[884] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[884] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\ctfmon.exe[1188] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\ctfmon.exe[1188] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\ctfmon.exe[1188] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\ctfmon.exe[1188] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\ctfmon.exe[1188] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\ctfmon.exe[1188] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\ctfmon.exe[1188] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\ctfmon.exe[1188] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1212] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\explorer.exe[1216] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\explorer.exe[1216] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\explorer.exe[1216] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\explorer.exe[1216] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\explorer.exe[1216] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\explorer.exe[1216] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\explorer.exe[1216] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\explorer.exe[1216] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\spoolsv.exe[1440] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\spoolsv.exe[1440] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\spoolsv.exe[1440] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\spoolsv.exe[1440] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\spoolsv.exe[1440] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\spoolsv.exe[1440] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\spoolsv.exe[1440] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\spoolsv.exe[1440] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006C1EC1
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 006C1C62
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 006C1A0B
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 006C191B
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006C2C34
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006C2BA6
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 006C2DA7
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ADVAPI32.dll!CreateProcessAsUserA 77E10958 3 Bytes JMP 006C2D16
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ADVAPI32.dll!CreateProcessAsUserA + 4 77E1095C 1 Byte
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1588] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1668] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Messenger\msmsgs.exe[1696] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Messenger\msmsgs.exe[1696] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Messenger\msmsgs.exe[1696] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Messenger\msmsgs.exe[1696] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Messenger\msmsgs.exe[1696] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Messenger\msmsgs.exe[1696] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Messenger\msmsgs.exe[1696] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Messenger\msmsgs.exe[1696] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\svchost.exe[1804] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[1804] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[1804] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\wdfmgr.exe[1872] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\wdfmgr.exe[1872] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\wdfmgr.exe[1872] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\wdfmgr.exe[1872] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3328] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3784] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\wuauclt.exe[3924] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\wuauclt.exe[3924] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\wuauclt.exe[3924] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\wuauclt.exe[3924] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\wuauclt.exe[3924] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\wuauclt.exe[3924] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\wuauclt.exe[3924] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\wuauclt.exe[3924] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\qytcfvnips.exe (*** hidden *** ) 604
Library C:\windows\system32\qytcfvnips.exe (*** hidden *** ) @ C:\WINDOWS\system32\qytcfvnips.exe [604] 0x00400000

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@qytcfvnips c:\windows\system32\qytcfvnips.exe qytcfvnips
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@qytcfvnips c:\windows\system32\qytcfvnips.exe qytcfvnips

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\Prefetch\QYTCFVNIPS.EXE-1721B52D.pf
File C:\WINDOWS\system32\qytcfvnips.dat
File C:\WINDOWS\system32\qytcfvnips.exe
File C:\WINDOWS\system32\qytcfvnips_nav.dat
File C:\WINDOWS\system32\qytcfvnips_navps.dat

Shaba
2006-11-26, 10:42
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.zip).
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Prefetch\QYTCFVNIPS.EXE-1721B52D.pf
C:\WINDOWS\system32\qytcfvnips.dat
C:\WINDOWS\system32\qytcfvnips.exe
C:\WINDOWS\system32\qytcfvnips_nav.dat
C:\WINDOWS\system32\qytcfvnips_navps.dat

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Re-run gmer

Send gmer log along with a fresh Hijackthis log.
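
The GMER sections above (user-mode hooks, the hidden process, its Run entry and its files) and the file list in the reply can be read mechanically; as an added example that is not part of this thread, here is a small Python triage script that parses those line formats, shows that the hook JMPs in every process land in the same handler code, and derives the same cleanup list a helper would paste into a delete-on-reboot tool. The sample log is constructed from the formats shown in the thread, and the function names are my own.

```python
"""Triage a GMER log: which APIs are hooked system-wide, what is hidden, what to clean.

The sample input is constructed from the line formats in the thread (hook lines,
a hidden process, its Run autorun and its files); it is not a live capture.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^\.text (?P<path>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<api>\S+)"
    r"(?: \+ \d+)? (?P<addr>[0-9A-Fa-f]+) \d+ Bytes?(?: JMP (?P<target>[0-9A-Fa-f]+))?$"
)
HIDDEN_PROC_RE = re.compile(r"^Process (?P<path>.+?) \(\*\*\* hidden \*\*\* \) (?P<pid>\d+)$")
REG_RE = re.compile(r"^Reg (?P<key>\S+?)@(?P<value>\S+) (?P<data>.+)$")
FILE_RE = re.compile(r"^File (?P<path>.+)$")

# Hooks on these ntdll exports let an injected DLL filter what a process sees:
# registry keys/values, directory listings and the process list respectively.
HIDING_APIS = {"NtEnumerateKey", "NtEnumerateValueKey",
               "NtQueryDirectoryFile", "NtQuerySystemInformation"}


def parse_gmer(text):
    """Split a GMER log into user-mode hooks, hidden processes, registry and file hits."""
    report = {"hooks": [], "hidden_processes": [], "registry": [], "files": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            report["hooks"].append(m.groupdict())       # target is None for partial hooks
        elif m := HIDDEN_PROC_RE.match(line):
            report["hidden_processes"].append((m["path"], int(m["pid"])))
        elif m := REG_RE.match(line):
            report["registry"].append((m["key"], m["value"], m["data"]))
        elif m := FILE_RE.match(line):
            report["files"].append(m["path"])
    return report


def hook_summary(hooks):
    """Per hooked export: the processes carrying the hook and whether all JMPs share one handler.

    Image bases are 64 KiB aligned, so when one DLL is injected everywhere the low 16 bits
    of the JMP target are identical in every process even if the DLL was relocated
    (10001EC1 in most processes versus 006C1EC1 inside guard.exe in the thread's log).
    """
    per_api = defaultdict(lambda: {"processes": set(), "targets": set()})
    for h in hooks:
        entry = per_api[f"{h['module']}!{h['api']}"]
        entry["processes"].add(h["path"].lower())
        if h["target"]:
            entry["targets"].add(h["target"].upper())
    for entry in per_api.values():
        low16 = {int(t, 16) & 0xFFFF for t in entry["targets"]}
        entry["same_handler"] = len(low16) == 1
    return dict(per_api)


def cleanup_candidates(report):
    """Every path GMER tied to the hidden item, deduplicated case-insensitively."""
    seen, out = set(), []
    for path in report["files"] + [p for p, _ in report["hidden_processes"]]:
        if path.lower() not in seen:
            seen.add(path.lower())
            out.append(path)
    return out


def triage(report, min_processes=2):
    """Separate hooks that hide things from the rest, and list persistence and paths.

    In this log the non-hiding hooks are the CreateProcess* family, the usual way an
    injected DLL makes sure it is loaded into every child process too.
    """
    summary = hook_summary(report["hooks"])
    widespread = {api: info for api, info in summary.items()
                  if len(info["processes"]) >= min_processes}
    return {
        "hiding_apis": sorted(a for a in widespread if a.split("!")[1] in HIDING_APIS),
        "other_apis": sorted(a for a in widespread if a.split("!")[1] not in HIDING_APIS),
        "hidden_processes": report["hidden_processes"],
        "autoruns": [(value, data) for key, value, data in report["registry"]
                     if key.upper().endswith(("\\RUN", "\\RUNONCE"))],
        "paths": cleanup_candidates(report),
    }


# Constructed sample in the thread's GMER format (a few hook lines, one hidden process).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\winlogon.exe[584] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\explorer.exe[1216] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\explorer.exe[1216] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\explorer.exe[1216] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006C1EC1
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ADVAPI32.dll!CreateProcessAsUserA 77E10958 3 Bytes JMP 006C2D16
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1572] ADVAPI32.dll!CreateProcessAsUserA + 4 77E1095C 1 Byte

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\qytcfvnips.exe (*** hidden *** ) 604

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@qytcfvnips c:\windows\system32\qytcfvnips.exe qytcfvnips

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\Prefetch\QYTCFVNIPS.EXE-1721B52D.pf
File C:\WINDOWS\system32\qytcfvnips.dat
File C:\WINDOWS\system32\qytcfvnips.exe
"""

if __name__ == "__main__":
    for key, value in triage(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Legitimate security software also hooks (the SSDT entries for guard.sys in the thread are AVG's own), so the hook summary is a triage signal to read alongside the hidden-process and Files sections, not a verdict by itself.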

thameen
2006-11-26, 20:16
Dear Shaba.

I did do the KillBox. It did not reboot automatically. I had to reboot it manually.

Here is the fresh HJT report; the GMER report follows in another message. Thanks a lot.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:36 ?, on 26/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
G:\thameen\docs\install\spy\gmer\gmer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2F3600C-5740-451B-8597-54D4FC2AAB2B}: NameServer = 212.14.224.1 212.14.234.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

thameen
2006-11-26, 20:20
Here is the GMER scan, part I.

GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-26 11:18:48
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 82167420 ZwConnectPort
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 822E0138 ZwOpenThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\alg.exe[404] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\alg.exe[404] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\alg.exe[404] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\alg.exe[404] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\igfxtray.exe[436] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F51EC1
.text C:\WINDOWS\system32\igfxtray.exe[436] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F51C62
.text C:\WINDOWS\system32\igfxtray.exe[436] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F51A0B
.text C:\WINDOWS\system32\igfxtray.exe[436] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F5191B
.text C:\WINDOWS\system32\igfxtray.exe[436] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F52C34
.text C:\WINDOWS\system32\igfxtray.exe[436] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F52BA6
.text C:\WINDOWS\system32\igfxtray.exe[436] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 00F52DA7
.text C:\WINDOWS\system32\igfxtray.exe[436] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 00F52D16
.text C:\WINDOWS\system32\hkcmd.exe[460] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D81EC1
.text C:\WINDOWS\system32\hkcmd.exe[460] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D81C62
.text C:\WINDOWS\system32\hkcmd.exe[460] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D81A0B
.text C:\WINDOWS\system32\hkcmd.exe[460] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D8191B
.text C:\WINDOWS\system32\hkcmd.exe[460] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D82C34
.text C:\WINDOWS\system32\hkcmd.exe[460] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D82BA6
.text C:\WINDOWS\system32\hkcmd.exe[460] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 00D82DA7
.text C:\WINDOWS\system32\hkcmd.exe[460] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 00D82D16
.text C:\WINDOWS\system32\igfxpers.exe[476] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DF1EC1
.text C:\WINDOWS\system32\igfxpers.exe[476] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DF1C62
.text C:\WINDOWS\system32\igfxpers.exe[476] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DF1A0B
.text C:\WINDOWS\system32\igfxpers.exe[476] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DF191B
.text C:\WINDOWS\system32\igfxpers.exe[476] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DF2C34
.text C:\WINDOWS\system32\igfxpers.exe[476] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DF2BA6
.text C:\WINDOWS\system32\igfxpers.exe[476] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 00DF2DA7
.text C:\WINDOWS\system32\igfxpers.exe[476] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 00DF2D16
.text C:\WINDOWS\SOUNDMAN.EXE[484] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\SOUNDMAN.EXE[484] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\SOUNDMAN.EXE[484] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\SOUNDMAN.EXE[484] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\SOUNDMAN.EXE[484] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\SOUNDMAN.EXE[484] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\SOUNDMAN.EXE[484] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\SOUNDMAN.EXE[484] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\LifeView FlyVideo\RecSche.EXE[516] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\LifeView FlyVideo\RecSche.EXE[516] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\LifeView FlyVideo\RecSche.EXE[516] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\LifeView FlyVideo\RecSche.EXE[516] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\LifeView FlyVideo\RecSche.EXE[516] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\LifeView FlyVideo\RecSche.EXE[516] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\LifeView FlyVideo\RecSche.EXE[516] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\LifeView FlyVideo\RecSche.EXE[516] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[528] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\VM_STI.EXE[556] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\VM_STI.EXE[556] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\VM_STI.EXE[556] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\VM_STI.EXE[556] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\VM_STI.EXE[556] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\VM_STI.EXE[556] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\VM_STI.EXE[556] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\VM_STI.EXE[556] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\winlogon.exe[584] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\winlogon.exe[584] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\winlogon.exe[584] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\services.exe[628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\services.exe[628] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\svchost.exe[784] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[784] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[784] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\qytcfvnips.exe[828] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 01731EC1
.text C:\WINDOWS\system32\qytcfvnips.exe[828] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01731C62
.text C:\WINDOWS\system32\qytcfvnips.exe[828] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01731A0B
.text C:\WINDOWS\system32\qytcfvnips.exe[828] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0173191B
.text C:\WINDOWS\system32\qytcfvnips.exe[828] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01732C34
.text C:\WINDOWS\system32\qytcfvnips.exe[828] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01732BA6
.text C:\WINDOWS\system32\qytcfvnips.exe[828] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 01732DA7
.text C:\WINDOWS\system32\qytcfvnips.exe[828] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 01732D16
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[844] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6

thameen
2006-11-26, 20:24
GMER scan part II

.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[844] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[884] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[884] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[928] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F41EC1
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F41C62
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F41A0B
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F4191B
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00F42C34
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00F42BA6
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 00F42DA7
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[1196] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 00F42D16
.text C:\WINDOWS\explorer.exe[1264] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 01A01EC1
.text C:\WINDOWS\explorer.exe[1264] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01A01C62
.text C:\WINDOWS\explorer.exe[1264] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01A01A0B
.text C:\WINDOWS\explorer.exe[1264] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01A0191B
.text C:\WINDOWS\explorer.exe[1264] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01A02C34
.text C:\WINDOWS\explorer.exe[1264] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01A02BA6
.text C:\WINDOWS\explorer.exe[1264] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 01A02DA7
.text C:\WINDOWS\explorer.exe[1264] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 01A02D16
.text C:\WINDOWS\system32\spoolsv.exe[1444] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\spoolsv.exe[1444] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\spoolsv.exe[1444] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\spoolsv.exe[1444] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\spoolsv.exe[1444] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\spoolsv.exe[1444] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\spoolsv.exe[1444] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\spoolsv.exe[1444] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\ctfmon.exe[1484] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\ctfmon.exe[1484] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\ctfmon.exe[1484] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\ctfmon.exe[1484] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\ctfmon.exe[1484] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006C1EC1
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 006C1C62
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 006C1A0B
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 006C191B
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006C2C34
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006C2BA6
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 006C2DA7
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ADVAPI32.dll!CreateProcessAsUserA 77E10958 3 Bytes JMP 006C2D16
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ADVAPI32.dll!CreateProcessAsUserA + 4 77E1095C 1 Byte
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1580] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1628] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\MSN Messenger\msnmsgr.exe[1668] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\svchost.exe[1812] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\svchost.exe[1812] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\svchost.exe[1812] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\svchost.exe[1812] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7

thameen
2006-11-26, 20:26
GMER scan part III

.text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\wdfmgr.exe[1860] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\wdfmgr.exe[1860] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\wdfmgr.exe[1860] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\wdfmgr.exe[1860] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Messenger\msmsgs.exe[2092] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Messenger\msmsgs.exe[2092] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Messenger\msmsgs.exe[2092] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Messenger\msmsgs.exe[2092] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Messenger\msmsgs.exe[2092] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Messenger\msmsgs.exe[2092] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Messenger\msmsgs.exe[2092] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Messenger\msmsgs.exe[2092] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Google\Google Updater\GoogleUpdater.exe[2228] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe[2576] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\wuauclt.exe[3104] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\wuauclt.exe[3104] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\wuauclt.exe[3104] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\wuauclt.exe[3104] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\wuauclt.exe[3104] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\wuauclt.exe[3104] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\wuauclt.exe[3104] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text G:\thameen\docs\install\spy\gmer\gmer.exe[3200] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16

---- Processes - GMER 1.0.12 ----

Process C:\WINDOWS\system32\qytcfvnips.exe (*** hidden *** ) 828
Library C:\windows\system32\qytcfvnips.exe (*** hidden *** ) @ C:\WINDOWS\system32\qytcfvnips.exe [828] 0x00400000

---- Registry - GMER 1.0.12 ----

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@qytcfvnips c:\windows\system32\qytcfvnips.exe qytcfvnips
Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@qytcfvnips c:\windows\system32\qytcfvnips.exe qytcfvnips

---- Files - GMER 1.0.12 ----

File C:\WINDOWS\Prefetch\QYTCFVNIPS.EXE-1721B52D.pf
File C:\WINDOWS\system32\qytcfvnips.dat
File C:\WINDOWS\system32\qytcfvnips.exe
File C:\WINDOWS\system32\qytcfvnips_nav.dat
File C:\WINDOWS\system32\qytcfvnips_navps.dat

---- EOF - GMER 1.0.12 ----
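
The hook listing above, read as a triage problem. This is an added example, not part of the original thread and not GMER code: a small Python script that parses lines in the shape GMER 1.0.12 prints for user-mode inline hooks, groups them by process, separates the enumeration hooks (NtEnumerateKey, NtEnumerateValueKey, NtQueryDirectoryFile, NtQuerySystemInformation, which are what keep the qytcfvnips files, Run value and process out of the view of HijackThis and the other tools) from the CreateProcess* hooks (which are how the hooking module gets into every newly started process), and infers the base of the hooking module in each process from the JMP targets. It also shows how GMER's "JMP xxxxxxxx" column follows from the five patched bytes. The sample lines are constructed in the format of the log above; the 64K rounding used to infer the base, and the E9 / push-ret decoding, are this example's assumptions, not something GMER documents.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape GMER 1.0.12 prints user-mode inline hooks
# (XP SP2 export addresses and JMP targets as they appear in the log above).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 10001EC1
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001C62
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001A0B
.text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10002C34
.text C:\WINDOWS\system32\lsass.exe[640] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10002BA6
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateProcessAsUserW 77DF7775 5 Bytes JMP 10002DA7
.text C:\WINDOWS\system32\lsass.exe[640] ADVAPI32.dll!CreateProcessAsUserA 77E10958 5 Bytes JMP 10002D16
.text C:\WINDOWS\system32\qytcfvnips.exe[828] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 01731EC1
.text C:\WINDOWS\system32\qytcfvnips.exe[828] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01732C34
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 006C1EC1
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ADVAPI32.dll!CreateProcessAsUserA 77E10958 3 Bytes JMP 006C2D16
.text C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe[1564] ADVAPI32.dll!CreateProcessAsUserA + 4 77E1095C 1 Byte
"""

@dataclass
class Hook:
    process: str
    pid: int
    module: str
    function: str
    address: int           # address of the patched export
    patched: int           # bytes GMER saw overwritten
    target: Optional[int]  # JMP destination; None when GMER printed no target

LINE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>\S+?)!(?P<func>\w+)"
    r"(?: \+ \d+)? (?P<addr>[0-9A-Fa-f]+) (?P<n>\d+) Bytes?"
    r"(?: JMP (?P<target>[0-9A-Fa-f]+))?\s*$")

# What a hook on each enumeration API can filter out of the caller's view.
HIDES = {"NtEnumerateKey": "registry keys", "NtEnumerateValueKey": "registry values",
         "NtQueryDirectoryFile": "files", "NtQuerySystemInformation": "processes"}
# Hooks on these let the module follow the caller into every child process.
PROPAGATES = {"CreateProcessA", "CreateProcessW", "CreateProcessAsUserA", "CreateProcessAsUserW"}

def parse_hooks(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            hooks.append(Hook(m["proc"], int(m["pid"]), m["mod"], m["func"],
                              int(m["addr"], 16), int(m["n"]),
                              int(m["target"], 16) if m["target"] else None))
    return hooks

def summarize(hooks: List[Hook]) -> Dict[int, dict]:
    """Per PID: what the hooks hide, how they propagate, where the handlers live.
    Assumption of this example: image bases are 64K-aligned and the handlers sit in
    the module's first 64K, so base = lowest JMP target rounded down to 64K."""
    by_pid: Dict[int, List[Hook]] = defaultdict(list)
    for h in hooks:
        by_pid[h.pid].append(h)
    summary = {}
    for pid, hs in by_pid.items():
        targets = [h.target for h in hs if h.target is not None]
        base = (min(targets) & ~0xFFFF) if targets else None
        summary[pid] = {
            "process": hs[0].process,
            "hides": sorted({HIDES[h.function] for h in hs if h.function in HIDES}),
            "propagates": sorted({h.function for h in hs if h.function in PROPAGATES}),
            "handler_base": base,
            # offset of each handler inside the hooking module
            "handler_rvas": {h.function: h.target - base for h in hs if h.target is not None},
        }
    return summary

def same_handler_module(summary: Dict[int, dict]) -> bool:
    """True when each API's handler sits at the same offset in every process:
    one module loaded at different bases, not different code per process."""
    seen: Dict[str, int] = {}
    for s in summary.values():
        for func, rva in s["handler_rvas"].items():
            if seen.setdefault(func, rva) != rva:
                return False
    return True

def jmp_target(address: int, prologue: bytes) -> Optional[int]:
    """Where a patched prologue transfers control (how the 'JMP xxxxxxxx' column arises).
    E9 rel32: next instruction address + rel32, wrapped to 32 bits.
    68 imm32 C3 (push/ret): imm32.  Anything else: None (clean, or not decoded here)."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = int.from_bytes(prologue[1:5], "little", signed=True)
        return (address + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:
        return int.from_bytes(prologue[1:5], "little")
    return None

if __name__ == "__main__":
    s = summarize(parse_hooks(SAMPLE_LOG))
    for pid, info in sorted(s.items()):
        print(f"[{pid}] {info['process']}: hides {info['hides'] or '-'}; "
              f"propagates via {info['propagates'] or '-'}; "
              f"hooking module at {info['handler_base']:#010x}")
    print("same module in every process:", same_handler_module(s))
```

Run over the full log, the script reports the same picture the thread's helpers drew by eye: every process that has the enumeration hooks has a handler at offset 0x1EC1, 0x1C62, 0x1A0B and 0x191B from a 64K-aligned base (0x10000000 in most processes, 0x01730000 in qytcfvnips.exe itself, 0x01A00000 in explorer.exe, 0x00F40000 and 0x006C0000 in the two AVG processes), which is what one relocated module looks like. The entry on guard.exe where only 3 bytes were overwritten and the fourth shows as a separate 1-byte patch is kept as a hook with no target, so it is counted but does not disturb the offset check.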

Shaba
2006-11-27, 08:41
Hi

We need another tool that will rename those files because deletion doesn't seem to be successful.

Download F-Secure Blacklight and save it to your desktop -> https://europe.f-secure.com/blacklight/try.shtml

Double-click blbeta.exe, accept the agreement, click Scan, then click Next

You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).

DON'T choose Rename yet if something was found!

Post the contents of fsbl.xxxx.log here (xxxx = random numbers; the BlackLight log from your desktop)

thameen
2006-11-27, 21:46
Hi Shaba. I'm now taking it personally with this smart malware. I really will enjoy it when I crush it. I hope I will. But I do not want to give you extended trouble. If you see that we need to stop, then it's OK. I can still re-download my Windows.

Here is the BlackLight scan:

11/27/06 12:39:42 [Info]: BlackLight Engine 1.0.47 initialized
11/27/06 12:39:42 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/27/06 12:39:42 [Note]: 7019 4
11/27/06 12:39:42 [Note]: 7005 0
11/27/06 12:39:50 [Note]: 7006 0
11/27/06 12:39:50 [Note]: 7011 1184
11/27/06 12:39:50 [Note]: 7026 0
11/27/06 12:39:51 [Note]: 7026 0
11/27/06 12:39:51 [Note]: 7024 3
11/27/06 12:39:51 [Info]: Hidden process: C:\windows\system32\qytcfvnips.exe
11/27/06 12:39:51 [Note]: FSRAW library version 1.7.1020
11/27/06 12:40:41 [Info]: Hidden file: c:\WINDOWS\Prefetch\QYTCFVNIPS.EXE-1721B52D.pf
11/27/06 12:40:41 [Note]: 10002 1
11/27/06 12:40:54 [Info]: Hidden file: c:\WINDOWS\system32\qytcfvnips.dat
11/27/06 12:40:54 [Note]: 10002 1
11/27/06 12:40:54 [Info]: Hidden file: C:\windows\system32\qytcfvnips.exe
11/27/06 12:40:54 [Note]: 10002 1
11/27/06 12:40:54 [Info]: Hidden file: c:\WINDOWS\system32\qytcfvnips_nav.dat
11/27/06 12:40:54 [Note]: 10002 1
11/27/06 12:40:54 [Info]: Hidden file: c:\WINDOWS\system32\qytcfvnips_navps.dat
11/27/06 12:40:54 [Note]: 10002 1
11/27/06 12:42:20 [Note]: 7007 0
---------------------------------------------End of scan

Shaba
2006-11-28, 08:53
Hi

Yes, that's a really clever piece of malware.

Please follow these instructions carefully

First, scan with BlackLight.

You'll see a list of what has been found

Select those one at a time and click Rename (Rename should be enabled when one of those findings is selected). You must repeat that step 5 times in total because there are 5 files. No need to save the BlackLight log.

Reboot

Scan with BlackLight and save a log

Send:

- a fresh HijackThis log
- BlackLight log

thameen
2006-11-28, 10:03
Dear Shaba. I did the BL scan again, and I found the same five files. I renamed the first file and rebooted, but in the second scan I found no more files. Could all the files have been renamed in the first step? I repeated the scan a few times but no files were found.

Here is a new HJT log and BL log. Thanks loads.

11/28/06 00:53:13 [Info]: BlackLight Engine 1.0.47 initialized
11/28/06 00:53:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/28/06 00:53:13 [Note]: 7019 4
11/28/06 00:53:13 [Note]: 7005 0
11/28/06 00:53:14 [Note]: 7006 0
11/28/06 00:53:14 [Note]: 7011 3332
11/28/06 00:53:14 [Note]: 7026 0
11/28/06 00:53:14 [Note]: 7026 0
11/28/06 00:53:16 [Note]: FSRAW library version 1.7.1020
11/28/06 00:54:31 [Note]: 2000 1012
11/28/06 00:54:31 [Note]: 2000 1012
11/28/06 00:54:31 [Note]: 2000 1012
11/28/06 00:54:46 [Note]: 7007 0
----------------------------------------------------------

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:03 ?, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
O4 - HKLM\..\Run: [qytcfvnips] c:\windows\system32\qytcfvnips.exe qytcfvnips
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

------------------End of HJT log

Shaba
2006-11-28, 16:41
Hi

Looking good; the bad entry has become visible :)

Open HijackThis, click "Do a system scan only" and checkmark this:

O4 - HKLM\..\Run: [qytcfvnips] c:\windows\system32\qytcfvnips.exe qytcfvnips

Close all windows, including the browser, and press Fix checked.

Reboot

Delete if found:

C:\WINDOWS\Prefetch\QYTCFVNIPS.EXE-1721B52D.pf
C:\WINDOWS\system32\qytcfvnips.dat
C:\WINDOWS\system32\qytcfvnips.exe
C:\WINDOWS\system32\qytcfvnips_nav.dat
C:\WINDOWS\system32\qytcfvnips_navps.dat

or if all renamed:

C:\WINDOWS\Prefetch\QYTCFVNIPS.EXE-1721B52D.pf.ren
C:\WINDOWS\system32\qytcfvnips.dat.ren
C:\WINDOWS\system32\qytcfvnips.exe.ren
C:\WINDOWS\system32\qytcfvnips_nav.dat.ren
C:\WINDOWS\system32\qytcfvnips_navps.dat.ren

Empty Recycle Bin

Send a fresh HijackThis log.

thameen
2006-11-28, 18:28
Dear Shaba.

Thank you very much. I think we got rid of it. After I did the last BL scan and did the rename, I used the net for a good while without seeing the malware pop-ups.

I did remove the files you recommended.

Thank you a lot, Shaba. I really do appreciate the time and effort you gave me. It's really very nice of you. This is a very rewarding forum.

------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 09:21:25 ?, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2F3600C-5740-451B-8597-54D4FC2AAB2B}: NameServer = 212.14.224.1 212.14.234.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--------------------End of HJT log

Shaba
2006-11-28, 18:41
Hi

Let's, however, run one online scan:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK.
Now, under "Select a target to scan", select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- Kaspersky report

thameen
2006-11-29, 20:10
Hi Shaba. Here are the results of the online scan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 29, 2006 10:55:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/11/2006
Kaspersky Anti-Virus database records: 246766
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 54960
Number of viruses found: 11
Number of infected objects: 40 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:29:53

Infected Object Name / Virus Name / Last Action
C:\!KillBox\( 3) Infected: Trojan-Dropper.Win32.Agent.azp skipped
C:\!KillBox\( 8) Infected: Trojan-Dropper.Win32.Agent.azp skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-11-29_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NASRI\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\History\History.IE5\MSHist012006112920061130\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NASRI\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Instant Access\Multi\20061126151103\instant access.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.af skipped
C:\Program Files\Instant Access\Multi\20061126151106\instant access.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.af skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\WGV\WGV.006 Infected: not-a-virus:Monitor.Win32.Ardamax.24 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mwsrvacc.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.af skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP1\change.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP1\change.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP1\change.log Object is locked skipped
G:\thameen\docs\install\BSINSTALL.exe/WISE0023.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
G:\thameen\docs\install\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
G:\thameen\docs\install\BSINSTALL.exe WiseSFX: infected - 2 skipped
G:\thameen\docs\install\BSINSTALL.exe WiseSFX Dropper: infected - 2 skipped
G:\thameen\docs\log\007ssinstall.exe/data0001 Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
G:\thameen\docs\log\007ssinstall.exe Inno: infected - 1 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream/data0001 Infected: not-a-virus:Monitor.Win32.ActualSpy.2301 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream/data0004 Infected: not-a-virus:Monitor.Win32.ActualSpy.27 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream/data0005 Infected: not-a-virus:Monitor.Win32.ActualSpy.252 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream Infected: not-a-virus:Monitor.Win32.ActualSpy.252 skipped
G:\thameen\docs\log\actualkeylogger.exe Inno: infected - 4 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe NSIS: infected - 4 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip ZIP: infected - 5 skipped
G:\thameen\docs\log\keylogger-king-home23.exe/ci-temp0.cab/winlogonsys.dll Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped
G:\thameen\docs\log\keylogger-king-home23.exe/ci-temp0.cab Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped
G:\thameen\docs\log\keylogger-king-home23.exe CreateInstall: infected - 2 skipped
G:\thameen\docs\log\pcspy.exe/Stream/data0012 Infected: not-a-virus:Monitor.Win32.PCSpy.c skipped
G:\thameen\docs\log\pcspy.exe/Stream Infected: not-a-virus:Monitor.Win32.PCSpy.c skipped
G:\thameen\docs\log\pcspy.exe Inno: infected - 2 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip ZIP: infected - 5 skipped

Scan process completed.

thameen
2006-11-29, 20:18
Logfile of HijackThis v1.99.1
Scan saved at 11:16:33 ?, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2F3600C-5740-451B-8597-54D4FC2AAB2B}: NameServer = 212.14.224.1 212.14.234.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Shaba
2006-11-30, 08:02
Hi

Uninstall via add/remove programs if present:

Instant Access

Empty this folder:

C:\!KillBox\

Delete this folder:

C:\Program Files\Instant Access\

Delete these:

C:\WINDOWS\system32\mwsrvacc.exe
G:\thameen\docs\install\BSINSTALL.exe
G:\thameen\docs\log\007ssinstall.exe
G:\thameen\docs\log\actualkeylogger.exe
G:\thameen\docs\log\FamilyKeyLogger-setup.exe
G:\thameen\docs\log\FamilyKeyLogger-setup.zip
G:\thameen\docs\log\keylogger-king-home23.exe
G:\thameen\docs\log\pcspy.exe
G:\thameen\docs\pentacomia\familykeylogger.zip

(If you have downloaded the keyloggers on purpose, you don't need to delete them.)

Empty Recycle Bin

Re-scan with Kaspersky.

Send:

- a fresh HijackThis log
- Kaspersky report

thameen
2006-11-30, 21:17
Hi Shaba.

I found the "Instant Access" folder and removed it. But I did not find it in "Add/Remove Programs", where I looked for it first.

The keyloggers I keep because I use them now and then. Do you think they can be a source of danger?

Here is the result of the scan.

Online Scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 30, 2006 12:13:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/11/2006
Kaspersky Anti-Virus database records: 247023
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 55808
Number of viruses found: 10
Number of infected objects: 55 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:31:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-11-30_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NASRI\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\History\History.IE5\MSHist012006113020061201\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\Temp\fla29.tmp Object is locked skipped
C:\Documents and Settings\NASRI\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NASRI\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NASRI\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\WGV\WGV.006 Infected: not-a-virus:Monitor.Win32.Ardamax.24 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000170.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.af skipped
C:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000173.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.af skipped
C:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000177.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.af skipped
C:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\change.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\change.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000178.exe/WISE0023.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000178.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000178.exe WiseSFX: infected - 2 skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000178.exe WiseSFX Dropper: infected - 2 skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000179.exe/data0001 Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000179.exe Inno: infected - 1 skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\change.log Object is locked skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream/data0001 Infected: not-a-virus:Monitor.Win32.ActualSpy.2301 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream/data0004 Infected: not-a-virus:Monitor.Win32.ActualSpy.27 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream/data0005 Infected: not-a-virus:Monitor.Win32.ActualSpy.252 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream Infected: not-a-virus:Monitor.Win32.ActualSpy.252 skipped
G:\thameen\docs\log\actualkeylogger.exe Inno: infected - 4 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.exe NSIS: infected - 4 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip/FamilyKeyLogger-setup.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip ZIP: infected - 5 skipped
G:\thameen\docs\log\keylogger-king-home23.exe/ci-temp0.cab/winlogonsys.dll Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped
G:\thameen\docs\log\keylogger-king-home23.exe/ci-temp0.cab Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped
G:\thameen\docs\log\keylogger-king-home23.exe CreateInstall: infected - 2 skipped
G:\thameen\docs\log\netvizor.zip/pcspy.exe/Stream/data0012 Infected: not-a-virus:Monitor.Win32.PCSpy.c skipped
G:\thameen\docs\log\netvizor.zip/pcspy.exe/Stream Infected: not-a-virus:Monitor.Win32.PCSpy.c skipped
G:\thameen\docs\log\netvizor.zip/pcspy.exe Infected: not-a-virus:Monitor.Win32.PCSpy.c skipped
G:\thameen\docs\log\netvizor.zip/actualkeylogger.exe/Stream/data0001 Infected: not-a-virus:Monitor.Win32.ActualSpy.2301 skipped
G:\thameen\docs\log\netvizor.zip/actualkeylogger.exe/Stream/data0004 Infected: not-a-virus:Monitor.Win32.ActualSpy.27 skipped
G:\thameen\docs\log\netvizor.zip/actualkeylogger.exe/Stream/data0005 Infected: not-a-virus:Monitor.Win32.ActualSpy.252 skipped
G:\thameen\docs\log\netvizor.zip/actualkeylogger.exe/Stream Infected: not-a-virus:Monitor.Win32.ActualSpy.252 skipped
G:\thameen\docs\log\netvizor.zip/actualkeylogger.exe Infected: not-a-virus:Monitor.Win32.ActualSpy.252 skipped
G:\thameen\docs\log\netvizor.zip/FamilyKeyLogger-setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\netvizor.zip/FamilyKeyLogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\netvizor.zip/FamilyKeyLogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\netvizor.zip/FamilyKeyLogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\netvizor.zip/FamilyKeyLogger-setup.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\log\netvizor.zip/keylogger-king-home23.exe/ci-temp0.cab/winlogonsys.dll Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped
G:\thameen\docs\log\netvizor.zip/keylogger-king-home23.exe/ci-temp0.cab Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped
G:\thameen\docs\log\netvizor.zip/keylogger-king-home23.exe Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped
G:\thameen\docs\log\netvizor.zip ZIP: infected - 16 skipped
G:\thameen\docs\log\pcspy.exe/Stream/data0012 Infected: not-a-virus:Monitor.Win32.PCSpy.c skipped
G:\thameen\docs\log\pcspy.exe/Stream Infected: not-a-virus:Monitor.Win32.PCSpy.c skipped
G:\thameen\docs\log\pcspy.exe Inno: infected - 2 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream/data0009 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe/stream Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip/FamilyKeyLogger-setup.exe Infected: not-a-virus:Monitor.Win32.FamilyKeyLogger.280 skipped
G:\thameen\docs\pentacomia\familykeylogger.zip ZIP: infected - 5 skipped

Scan process completed.

thameen
2006-11-30, 21:18
Logfile of HijackThis v1.99.1
Scan saved at 12:14:03 ?, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\soundman.exe
C:\LifeView FlyVideo\RecSche.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Samsung PC Studio 3\Launcher.exe
C:\Program Files\Samsung\Samsung PC Studio 3\ConMgr.exe
C:\Program Files\Samsung\Samsung PC Studio 3\SoundEditor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RecSche] C:\LifeView FlyVideo\RecSche.exe /Startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Vimicro USB PC Camera LTI301P
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1164213056468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2F3600C-5740-451B-8597-54D4FC2AAB2B}: NameServer = 212.14.224.1 212.14.234.36
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

thameen
2006-11-30, 21:20
Dear Shaba. I want to add that I have not seen the pop-ups since yesterday.

Thameen

Shaba
2006-12-01, 08:03
Hi

No, they're not dangerous if you have downloaded and used them on purpose.

How are things running now?
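
As an added example that is not part of this thread (and not Kaspersky's code), here is a small Python triage of a report in the format posted above. It is fed a handful of lines copied verbatim from that report. The bucket names, and the rule that a "not-a-virus:" hit outside a restore point is the owner's call rather than the scanner's, are my assumptions following Shaba's answer; the "disable and re-enable System Restore" step that Shaba recommends at the end of the thread is what clears the "restore" bucket.

```python
"""Triage of a Kaspersky Online Scanner (2006-era, v5) report.

Added example; not code from the thread. It sorts the report's
"Infected Object Name / Virus Name / Last Action" lines into the
buckets a forum helper would act on differently:

  locked     "Object is locked  skipped": in-use hives, logs, index.dat.
             Scanner noise, not findings.
  restore    objects under System Volume Information\_restore{...}:
             old copies kept by System Restore, gone once System
             Restore is disabled and re-enabled.
  riskware   "not-a-virus:" detections (Monitor, AdWare, Porn-Dialer)
             outside restore points: possibly installed on purpose,
             so the owner has to decide.
  container  archive/installer summary lines ("ZIP: infected - 5");
             their members were already listed one by one.
  active     anything else: a real infection on the live system.
"""
import re

# Object lines come in three shapes; the path may contain spaces and,
# for archive members, "/" separators after the archive name.
_LOCKED = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")
_INFECTED = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
_CONTAINER = re.compile(
    r"^(?P<path>.+?)\s+(?P<packer>[\w ]+?):\s+infected\s+-\s+\d+\s+(?P<action>\S+)$")
_RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)

BUCKETS = ("locked", "restore", "riskware", "container", "active")

# Lines excerpted verbatim from the report posted in this thread. Raw
# string: "\N" and "\t" inside Windows paths must not become escapes.
REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\WGV\WGV.006 Infected: not-a-virus:Monitor.Win32.Ardamax.24 skipped
C:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000170.exe Infected: not-a-virus:Porn-Dialer.Win32.InstantAccess.af skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000178.exe/WISE0023.BIN/clientax.dll Infected: not-a-virus:AdWare.Win32.180Solutions.ao skipped
G:\System Volume Information\_restore{7E391CB9-4F8B-4230-91AA-F888F6AB7D4A}\RP2\A0000178.exe WiseSFX Dropper: infected - 2 skipped
G:\thameen\docs\log\actualkeylogger.exe/Stream/data0001 Infected: not-a-virus:Monitor.Win32.ActualSpy.2301 skipped
G:\thameen\docs\log\FamilyKeyLogger-setup.zip ZIP: infected - 5 skipped
G:\thameen\docs\log\keylogger-king-home23.exe/ci-temp0.cab/winlogonsys.dll Infected: not-a-virus:Monitor.Win32.KGBSpy.34 skipped

Scan process completed."""


def parse_findings(report_text):
    """Return one dict per object line in the findings table."""
    findings, in_table = [], False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if line.startswith("Scan process completed"):
            break
        if not in_table or not line:
            continue
        if m := _LOCKED.match(line):
            findings.append({"path": m["path"], "kind": "locked", "name": None})
        elif m := _INFECTED.match(line):
            findings.append({"path": m["path"], "kind": "infected", "name": m["name"]})
        elif m := _CONTAINER.match(line):
            findings.append({"path": m["path"], "kind": "container", "name": m["packer"]})
        else:
            raise ValueError("unrecognised report line: " + line)
    return findings


def classify(finding):
    """Map one parsed finding to a triage bucket (see module docstring)."""
    if finding["kind"] == "locked":
        return "locked"
    if _RESTORE_POINT.search(finding["path"]):
        return "restore"          # applies to members and containers alike
    if finding["kind"] == "container":
        return "container"
    if finding["name"].startswith("not-a-virus:"):
        return "riskware"
    return "active"


def triage(report_text):
    """Group findings by bucket; every bucket key is present even if empty."""
    groups = {b: [] for b in BUCKETS}
    for f in parse_findings(report_text):
        groups[classify(f)].append(f)
    return groups


def summarize(report_text):
    """Counts per bucket, in BUCKETS order."""
    return {b: len(v) for b, v in triage(report_text).items()}


if __name__ == "__main__":
    groups = triage(REPORT)
    for bucket in BUCKETS:
        print(f"{bucket:9s} {len(groups[bucket])}")
        if bucket != "locked":
            for f in groups[bucket]:
                print("   ", f["path"], "->", f["name"])
```

In the excerpt the three "riskware" hits differ only by path: one object under C:\Program Files (a monitoring tool present on the live system) and two inside installers the user keeps under G:\thameen\docs\log. The scanner labels them identically, so only the owner can say which were deliberate. Everything under System Volume Information disappears once System Restore is flushed, which is why that step is on the cleanup list.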

thameen
2006-12-01, 20:30
Dear Shaba.

For two days I have had no pop-ups. That's of course due to your help and the valuable time and attention you gave me.

Thameen

Shaba
2006-12-02, 10:35
Great! :)

You're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialize and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then OK to exit the Internet Properties page.

Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.staff.uiuc.edu/~ehowes/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!
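
A HOSTS file of the kind recommended above works by mapping unwanted names to 127.0.0.1, and the same mechanism is what malware uses in reverse, pointing antivirus update sites at an address of its choosing (the entries HijackThis reports under O1). As an added example that is not from this thread or from the MVPS project, the Python below audits a blocklist-style HOSTS file with that expectation: every entry should be a black-hole mapping, and anything else is reported as suspicious unless the owner has allow-listed it. The sample file is constructed; the decision to treat 0.0.0.0 and ::1 the same as 127.0.0.1 is my assumption.

```python
"""Audit a Windows HOSTS file of the blocklist kind (MVPS style).

Added example; not code from the thread or from MVPS. A HOSTS file that
exists to block ad/malware sites should map names only to a black-hole
address. Any other mapping is either a local override the owner knows
about or the redirection malware uses to cut a PC off from antivirus
update sites. Unknown non-black-hole entries are therefore flagged.
"""
import ipaddress

# 127.0.0.1 is what the post describes; 0.0.0.0 and ::1 are treated the
# same way here (assumption: any of these counts as "blocked").
BLACKHOLE = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}

# Constructed sample, not a real HOSTS file. The last two lines stand in
# for a deliberate intranet override and for a hijacked update site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adserver.test       # [MVPS-style block]
0.0.0.0    tracker.example-adserver.test
192.168.1.20   intranet.corp.example
10.0.0.5   liveupdate.av-vendor.example    # update site redirected
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for every entry; skip comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not an address: not an entry
        for name in fields[1:]:                 # one IP may list several names
            yield ip, name.lower()


def audit_hosts(text, allowed_overrides=()):
    """Sort entries into blocked / overrides / suspicious, in file order.

    Returns {"blocked": [name, ...],
             "overrides": [(name, ip), ...],
             "suspicious": [(name, ip), ...]}.
    """
    allowed = {n.lower() for n in allowed_overrides}
    report = {"blocked": [], "overrides": [], "suspicious": []}
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue                            # the stock entry
        if ip in BLACKHOLE:
            report["blocked"].append(name)
        elif name in allowed:
            report["overrides"].append((name, str(ip)))
        else:
            report["suspicious"].append((name, str(ip)))
    return report


if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE_HOSTS, ["intranet.corp.example"]).items():
        print(f"{bucket:10s} {entries}")
```

Run against a real machine, point it at %SystemRoot%\system32\drivers\etc\hosts; with an empty allow-list any intranet override shows up as suspicious, which is the right default for a machine you are cleaning, since the owner can then confirm each one.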

thameen
2006-12-02, 18:53
Thanks Shaba for this information.

Thameen

Shaba
2006-12-09, 13:43
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.