Similar Problem again !!!

Honda

New member
I have somehow picked up what I suspect to be malware, and I am not sure where I got it from; however, I suspect it was from a spam mail. Anyway, here is my HJT.LOG.

And my Windows Security Centre is messed up.

Please help.

Logfile of HijackThis v1.99.1
Scan saved at 19:44:26, on 2006-12-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Washer\Formdata.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Washer\Formdata.exe
C:\Program\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O2 - BHO: (no name) - {EBB43D15-C602-4AFB-9BF8-B29727479A84} - C:\WINDOWS\system32\mlljk.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program\Delade filer\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.spray.se/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.zonline.se/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: efcdbby - C:\WINDOWS\SYSTEM32\efcdbby.dll
O20 - Winlogon Notify: mlljk - C:\WINDOWS\system32\mlljk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Hi, welcome to Spybot Forum!

*Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


*Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
In your next reply, please include a fresh HijackThis log, the SDFix log and the VundoFix log.
 
SDFix: Version 1.51
****************

2006-12-22 - 14:03:45,52

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking Services...

Service Name:

MsaSvc

File Path:

C:\WINDOWS\system32\msasvc.exe

MsaSvc Deleted...

Starting Registry Repairs...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\system32\msasvc.exe
C:\WINDOWS\Temp\win1.tmp
C:\WINDOWS\Temp\win10.tmp
C:\WINDOWS\Temp\win11.tmp
C:\WINDOWS\Temp\win12.tmp
C:\WINDOWS\Temp\win13.tmp
C:\WINDOWS\Temp\win14.tmp
C:\WINDOWS\Temp\win15.tmp
C:\WINDOWS\Temp\win16.tmp
C:\WINDOWS\Temp\win17.tmp
C:\WINDOWS\Temp\win18.tmp
C:\WINDOWS\Temp\win19.tmp
C:\WINDOWS\Temp\win1A.tmp
C:\WINDOWS\Temp\win1B.tmp
C:\WINDOWS\Temp\win1C.tmp
C:\WINDOWS\Temp\win1D.tmp
C:\WINDOWS\Temp\win1E.tmp
C:\WINDOWS\Temp\win1F.tmp
C:\WINDOWS\Temp\win2.tmp
C:\WINDOWS\Temp\win20.tmp
C:\WINDOWS\Temp\win21.tmp
C:\WINDOWS\Temp\win22.tmp
C:\WINDOWS\Temp\win23.tmp
C:\WINDOWS\Temp\win24.tmp
C:\WINDOWS\Temp\win25.tmp
C:\WINDOWS\Temp\win26.tmp
C:\WINDOWS\Temp\win27.tmp
C:\WINDOWS\Temp\win28.tmp
C:\WINDOWS\Temp\win29.tmp
C:\WINDOWS\Temp\win2A.tmp
C:\WINDOWS\Temp\win2B.tmp
C:\WINDOWS\Temp\win2C.tmp
C:\WINDOWS\Temp\win2D.tmp
C:\WINDOWS\Temp\win2E.tmp
C:\WINDOWS\Temp\win2F.tmp
C:\WINDOWS\Temp\win3.tmp
C:\WINDOWS\Temp\win30.tmp
C:\WINDOWS\Temp\win31.tmp
C:\WINDOWS\Temp\win32.tmp
C:\WINDOWS\Temp\win33.tmp
C:\WINDOWS\Temp\win34.tmp
C:\WINDOWS\Temp\win35.tmp
C:\WINDOWS\Temp\win36.tmp
C:\WINDOWS\Temp\win37.tmp
C:\WINDOWS\Temp\win38.tmp
C:\WINDOWS\Temp\win39.tmp
C:\WINDOWS\Temp\win3A.tmp
C:\WINDOWS\Temp\win3B.tmp
C:\WINDOWS\Temp\win3C.tmp
C:\WINDOWS\Temp\win3D.tmp
C:\WINDOWS\Temp\win3F.tmp
C:\WINDOWS\Temp\win4.tmp
C:\WINDOWS\Temp\win40.tmp
C:\WINDOWS\Temp\win41.tmp
C:\WINDOWS\Temp\win42.tmp
C:\WINDOWS\Temp\win43.tmp
C:\WINDOWS\Temp\win5.tmp
C:\WINDOWS\Temp\win6.tmp
C:\WINDOWS\Temp\win7.tmp
C:\WINDOWS\Temp\win8.tmp
C:\WINDOWS\Temp\win9.tmp
C:\WINDOWS\Temp\winA.tmp
C:\WINDOWS\Temp\winB.tmp
C:\WINDOWS\Temp\winC.tmp
C:\WINDOWS\Temp\winD.tmp
C:\WINDOWS\Temp\winE.tmp
C:\WINDOWS\Temp\winF.tmp
C:\WINDOWS\Temp\winFC.tmp
C:\WINDOWS\Temp\winFD.tmp
C:\WINDOWS\Temp\winFE.tmp
C:\WINDOWS\Temp\winFF.tmp

Backing Up and Removing any Files Found...

Alternate Stream Check:

C:\WINDOWS\system32
No streams found.
Final Check:

Services:
---------

Rootkit PE386 Found!. Rootkit scan Needed...

Authorized Applications Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\SYSTEM32\awvst.dll
C:\WINDOWS\SYSTEM32\efcdbby.dll
C:\WINDOWS\SYSTEM32\nnlml.dll
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
C:\WINDOWS\SYSTEM32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Program Files\InterActual\InterActual Player\iti2A.tmp
C:\WINDOWS\Temp\$_2341235.TMP

FINISHED!
 
VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 13:43:38 2006-12-01

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\mljgf.dll
C:\WINDOWS\SYSTEM32\fgjlm.ini
C:\WINDOWS\SYSTEM32\fgjlm.bak1
C:\WINDOWS\SYSTEM32\fgjlm.bak2
C:\WINDOWS\SYSTEM32\fgjlm.ini2
C:\WINDOWS\SYSTEM32\fgjlm.tmp
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\SYSTEM32\fgjlm.ini
C:\WINDOWS\SYSTEM32\fgjlm.bak1
C:\WINDOWS\SYSTEM32\fgjlm.bak2
C:\WINDOWS\SYSTEM32\fgjlm.ini2
C:\WINDOWS\SYSTEM32\fgjlm.tmp
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\mljgf.dll
C:\WINDOWS\SYSTEM32\mljgf.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.ini
C:\WINDOWS\SYSTEM32\fgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.bak1
C:\WINDOWS\SYSTEM32\fgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.bak2
C:\WINDOWS\SYSTEM32\fgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.ini2
C:\WINDOWS\SYSTEM32\fgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.tmp
C:\WINDOWS\SYSTEM32\fgjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljgf.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 14:03:14 2006-12-01

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 01:22:02 2006-12-19

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\windmh32.dll

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 15:20:20 2006-12-19

Listing files found while scanning....

C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkji.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 12:55:15 2006-12-22

Listing files found while scanning....

C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mlljk.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mlljk.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
Logfile of HijackThis v1.99.1
Scan saved at 14:31:32, on 2006-12-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B034173-5390-4C1A-811E-531CC979B131} - C:\WINDOWS\system32\awvst.dll
O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.spray.se/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.zonline.se/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Configure your machine to view hidden files:

Windows XP
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.
I want you to please submit some files HERE for experts to take a look at.

Fill in the information needed in the appropriate boxes.

Under "Topic Where File Was Requested:" copy and paste this: http://forums.spybot.info/showthread.php?p=59414#post59414

Under the "files to submit," on the first box, click browse then navigate to this file: C:\WINDOWS\system32\awvst.dll
Hit open.

Finally, click the "Send file" button on the bottom part of the page.

___________________________


*Download
http://www.uploads.ejvindh.net/rustbfix.exe
...and save it to your desktop.

Double-click on rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically. After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.


*Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, right-click inside the listbox (white box) and click Add more files.
  • Copy and paste the 2 entries below into the top 2 boxes.
    • C:\WINDOWS\system32\awvst.dll
    • C:\WINDOWS\SYSTEM32\tsvwa.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

*Run AVG Anti-Spyware
  • From the main AVG Anti-Spyware screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Exit AVG Anti-Spyware. DO NOT scan yet.

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {5B034173-5390-4C1A-811E-531CC979B131} - C:\WINDOWS\system32\awvst.dll
O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)


Close your browsers and all open windows except for HijackThis, then click "Fix checked".


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type delservices.bat in the File name and save it to your desktop.

Code:
@echo off
sc stop "COM+ Messages"
sc delete "COM+ Messages"

Do not use it yet!!


*You may want to print these instructions or save them in Notepad, since you'll be working offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

*Locate delservices.bat on your Desktop and double-click on it.

*Using Windows Explorer, find and delete these files:

C:\WINDOWS\system32\ibgiyhbp.dll
C:\WINDOWS\Downloaded Program Files\fcplugin.dll
C:\WINDOWS\system32\win_i.dll
C:\WINDOWS\system32\windmh32.dll
C:\WINDOWS\SYSTEM32\efcdbby.dll
C:\WINDOWS\SYSTEM32\nnlml.dll
C:\WINDOWS\system32\svchosts.exe <<Important!: There is a legit file called svchost.exe present in the same folder as the infected file. The infected file that we want to delete is svchosts.exe , please be careful in deleting the file.

Empty your recycle bin.

*Please run AVG Anti-Spyware and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
  • Launch AVG AntiSpyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
  • Close AVG AntiSpyware.
  • Reboot to normal mode.

*On your next reply, please post the contents of C:\avenger.txt & C:\rustbfix\pelog.txt , C:\vundofix.txt , AVG Antispyware log, and a fresh HijackThis log.
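A triage script for the kinds of HijackThis entries acted on above, written as an added example for this thread (not code from HijackThis, VundoFix or the forum). It assumes the HJT v1.99.1 line layout shown in the logs, a known-good Winlogon Notify list containing only WgaLogon, and the reversed-stem companion naming the VundoFix output shows (awvst.dll alongside tsvwa.*); the sample lines are taken from the log posted above.

```python
"""Triage a HijackThis log for the entry types acted on in this thread.

Constructed example: heuristics only, not HijackThis or VundoFix code.
Flags O2 BHOs with "(no name)" loading from system32, O20 AppInit_DLLs
and unrecognised Winlogon Notify handlers, orphaned "(file missing)"
entries, and O23 services of unknown owner in suspicious locations. For a
suspect system32 DLL it also lists the reversed-stem companions the
VundoFix output shows (mljgf.dll next to fgjlm.ini, awvst.dll -> tsvwa.*).
"""
import re
from dataclasses import dataclass

# Winlogon Notify handlers treated as known-good (assumption for this example).
KNOWN_GOOD_NOTIFY = {"wgalogon"}
SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
MISSING = " (file missing)"


@dataclass
class Finding:
    severity: str           # "high" = remove/submit, "review" = stale entry or check
    reason: str
    line: str
    companions: tuple = ()  # reversed-stem files to look for alongside the DLL


def companion_stem(dll_name):
    """Vundo variants on this page pair x.dll with files named after x reversed."""
    return dll_name.rsplit(".", 1)[0][::-1]


def companion_patterns(path):
    """Companion file names (.ini, .bak1, ...) expected next to a suspect DLL."""
    folder, name = path.rsplit("\\", 1)
    rev = companion_stem(name)
    return tuple(f"{folder}\\{rev}.{ext}" for ext in ("ini", "ini2", "bak1", "bak2", "tmp"))


def triage_line(line):
    """Return a Finding for one HJT line, or None if nothing looks wrong."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    missing = MISSING in line
    if section == "O2" and "} - " in line:
        path = line.split("} - ", 1)[1].replace(MISSING, "")
        if missing:
            return Finding("review", "orphaned BHO registration (file missing)", line)
        if "(no name)" in line and SYSTEM32.search(path):
            return Finding("high", "unnamed BHO loaded from system32", line,
                           companion_patterns(path))
    elif section == "O20":
        if "AppInit_DLLs:" in line:
            return Finding("high", "AppInit_DLLs entry is injected into every process", line)
        m = re.search(r"Winlogon Notify: (\S+) - ", line)
        if m and m.group(1).lower() not in KNOWN_GOOD_NOTIFY:
            return Finding("review" if missing else "high",
                           "unrecognised Winlogon Notify handler", line)
    elif section == "O23" and "Unknown owner - " in line:
        path = line.split("Unknown owner - ", 1)[1]
        path = path.split('"', 1)[0].replace(MISSING, "").strip()
        name = path.rsplit("\\", 1)[-1].lower()
        if SYSTEM32.search(path) and name.startswith("svchost") and name != "svchost.exe":
            return Finding("high", "service binary masquerading as svchost.exe", line)
        if TEMP_DIR.search(path):
            return Finding("review", "service registered from a Temp folder", line)
    return None


def triage(log_text):
    """Return every Finding for the given HijackThis log text, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample: lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B034173-5390-4C1A-811E-531CC979B131} - C:\WINDOWS\system32\awvst.dll
O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
        for c in f.companions:
            print(f"    also check: {c}")
```

Spybot's own SDHelper.dll is "(no name)" too but lives outside system32, so it is not flagged; the Symantec leftover is "(file missing)" but in a vendor folder, so it is left for the helper to judge.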
 
Angelfire 777, I only had one log produced from the rustbfix... avenger.txt...

Should I continue on with the remaining actions?

I have submitted the file to uploadmalware.

Here is a copy of the avenger.txt and HJT log at present.

(I have not proceeded beyond the rustbfix directions you issued, as only one log was generated.)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\irmhbyit

*******************

Script file located at: \??\C:\Documents and Settings\mvcljtim.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.

Logfile of HijackThis v1.99.1
Scan saved at 16:32:13, on 2006-12-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EE6436B-00BB-4229-8D92-C12654C5B342} - C:\WINDOWS\system32\awvst.dll
O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A8CDAA73-A22A-4292-B874-752326C25DBF} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.spray.se/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.zonline.se/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
Being a typical guy I was impatient, so I proceeded with the other actions. I PROMISE I WON'T DO IT AGAIN.

OK, logs from everything...

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:12:11 2006-12-22

+ Scan result:



C:\System Volume Information\_restore{96B7963F-6FFF-4BD4-9444-33F92F55D17C}\RP519\A0357102.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{96B7963F-6FFF-4BD4-9444-33F92F55D17C}\RP519\A0357103.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{96B7963F-6FFF-4BD4-9444-33F92F55D17C}\RP519\A0357001.exe -> Downloader.Small.crd : Cleaned.
C:\System Volume Information\_restore{96B7963F-6FFF-4BD4-9444-33F92F55D17C}\RP519\A0357045.exe -> Downloader.Small.crd : Cleaned.
C:\Documents and Settings\Ägaren\Cookies\ägaren@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Ägaren\Cookies\ägaren@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Ägaren\Cookies\ägaren@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Ägaren\Cookies\ägaren@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Ägaren\Cookies\ägaren@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\WINDOWS\SYSTEM32:lzx32.sys -> Trojan.Rustock.nay : Cleaned.
C:\xfwmjm.exe -> Trojan.Rustock.nay : Cleaned.
C:\System Volume Information\_restore{96B7963F-6FFF-4BD4-9444-33F92F55D17C}\RP522\A0357326.dll -> Trojan.Sinowal.br : Cleaned.


::Report end
 
Logfile of HijackThis v1.99.1
Scan saved at 17:04:22, on 2006-12-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Washer\Formdata.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EE6436B-00BB-4229-8D92-C12654C5B342} - C:\WINDOWS\system32\awvst.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.spray.se/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.zonline.se/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
************************* Rustock.b-fix -- By ejvindh *************************
2006-12-22 16:10:45,21

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
 
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\irmhbyit

*******************

Script file located at: \??\C:\Documents and Settings\mvcljtim.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
 
VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 13:43:38 2006-12-01

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\mljgf.dll
C:\WINDOWS\SYSTEM32\fgjlm.ini
C:\WINDOWS\SYSTEM32\fgjlm.bak1
C:\WINDOWS\SYSTEM32\fgjlm.bak2
C:\WINDOWS\SYSTEM32\fgjlm.ini2
C:\WINDOWS\SYSTEM32\fgjlm.tmp
C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\SYSTEM32\fgjlm.ini
C:\WINDOWS\SYSTEM32\fgjlm.bak1
C:\WINDOWS\SYSTEM32\fgjlm.bak2
C:\WINDOWS\SYSTEM32\fgjlm.ini2
C:\WINDOWS\SYSTEM32\fgjlm.tmp
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.bak2
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\fgjlm.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\mljgf.dll
C:\WINDOWS\SYSTEM32\mljgf.dll Could not be deleted.

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.ini
C:\WINDOWS\SYSTEM32\fgjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.bak1
C:\WINDOWS\SYSTEM32\fgjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.bak2
C:\WINDOWS\SYSTEM32\fgjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.ini2
C:\WINDOWS\SYSTEM32\fgjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fgjlm.tmp
C:\WINDOWS\SYSTEM32\fgjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljgf.dll
C:\WINDOWS\system32\mljgf.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 14:03:14 2006-12-01

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 01:22:02 2006-12-19

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\windmh32.dll

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 15:20:20 2006-12-19

Listing files found while scanning....

C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkji.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.bak1
C:\WINDOWS\system32\ijkkj.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jkkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 12:55:15 2006-12-22

Listing files found while scanning....

C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mlljk.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\kjllm.ini
C:\WINDOWS\system32\kjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.bak1
C:\WINDOWS\system32\kjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\kjllm.bak2
C:\WINDOWS\system32\kjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\mlljk.dll
C:\WINDOWS\system32\mlljk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 20:13:55 2006-12-22

Listing files found while scanning....

C:\WINDOWS\system32\awvst.dll
C:\WINDOWS\system32\tsvwa.ini
C:\WINDOWS\system32\tsvwa.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvst.dll
C:\WINDOWS\system32\awvst.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tsvwa.ini
C:\WINDOWS\system32\tsvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tsvwa.bak2
C:\WINDOWS\system32\tsvwa.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.13

Checking Java version...

Sun Java not detected
Scan started at 17:05:52 2006-12-23

Listing files found while scanning....
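As an added example (not code from this thread, nor from HijackThis, VundoFix or AVG): a small triage script that applies the rules a helper uses by eye on logs like the ones above. It flags "(no name)" BHOs loading from system32 (the same kind of random DLL names VundoFix removed above, such as awvst.dll and mlljk.dll, including dead "(file missing)" registrations), any AppInit_DLLs value, Winlogon Notify packages outside the stock XP set, and O23 services whose binary imitates a system binary name (svchosts.exe) or has no owner and no file. It also sorts the AVG report paths: C:\WINDOWS\SYSTEM32:lzx32.sys is an NTFS alternate data stream attached to the system32 directory, which is where Rustock.b kept its driver, while hits under System Volume Information\_restore are restore-point copies rather than running code. The sample lines are copied from the logs above; the known-package list, the core-binary list and the one-letter look-alike threshold are my own assumptions.

```python
import re

# Sample input: lines copied from the HijackThis and AVG Anti-Spyware logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3FD6B99C-A275-46ea-8FD1-3D63986E51E4} - C:\WINDOWS\system32\ibgiyhbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EE6436B-00BB-4229-8D92-C12654C5B342} - C:\WINDOWS\system32\awvst.dll
O2 - BHO: (no name) - {7FA8828D-AE3F-485F-BDC0-2333C6163E0A} - C:\WINDOWS\system32\mlljk.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_i.dll
O20 - Winlogon Notify: awvst - C:\WINDOWS\system32\awvst.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: windmh32 - windmh32.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""
SAMPLE_AVG = r"""
C:\System Volume Information\_restore{96B7963F-6FFF-4BD4-9444-33F92F55D17C}\RP519\A0357102.exe -> Adware.Softomate : Cleaned.
C:\WINDOWS\SYSTEM32:lzx32.sys -> Trojan.Rustock.nay : Cleaned.
C:\xfwmjm.exe -> Trojan.Rustock.nay : Cleaned.
"""

# Assumption: the stock Windows XP SP2 Winlogon notification packages, plus WgaLogon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
# Assumption: core system binaries whose names malware likes to imitate.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter look-alikes such as svchosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_system32(path):
    """True when the file sits directly in \\system32 (not in a vendor subdirectory)."""
    return re.search(r"\\system32\\[^\\]+$", path, re.IGNORECASE) is not None


def triage_hjt(text):
    """Return (line, reason) pairs for entries a HijackThis helper would tick for fixing."""
    hits = []
    for line in text.strip().splitlines():
        missing = "(file missing)" in line
        body = line.replace("(file missing)", "").strip()
        path = body.rsplit(" - ", 1)[-1].strip()
        if line.startswith("O2 - BHO: (no name)") and (in_system32(path) or missing):
            hits.append((line, "unnamed BHO loaded from system32, or a dead registration"))
        elif line.startswith("O20 - AppInit_DLLs:") and body.split(":", 1)[1].strip():
            hits.append((line, "AppInit_DLLs is injected into every process that loads user32"))
        elif line.startswith("O20 - Winlogon Notify:"):
            package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if package not in KNOWN_NOTIFY:
                hits.append((line, "non-standard Winlogon notification package"))
        elif line.startswith("O23 - Service:"):
            exe = re.search(r'([^\\"]+\.exe)', path, re.IGNORECASE)
            base = exe.group(1).lower() if exe else ""
            lookalike = any(0 < edit_distance(base, c) <= 1 for c in CORE_BINARIES)
            if lookalike or ("Unknown owner" in line and missing):
                hits.append((line, "service masquerades as a system binary or is orphaned"))
    return hits


def is_ads_path(path):
    """True for NTFS alternate-data-stream paths such as C:\\WINDOWS\\SYSTEM32:lzx32.sys."""
    return ":" in path[2:]


def classify_avg(text):
    """Map each detected path in an AVG Anti-Spyware report to where it actually lives."""
    result = {}
    for line in text.strip().splitlines():
        path = line.split(" -> ", 1)[0].strip()
        if is_ads_path(path):
            result[path] = "alternate data stream (live, invisible in Explorer)"
        elif "\\System Volume Information\\_restore" in path:
            result[path] = "System Restore copy (inactive unless restored)"
        else:
            result[path] = "ordinary file"
    return result


if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print(f"FIX  {reason}\n     {line}")
    for path, where in classify_avg(SAMPLE_AVG).items():
        print(f"{where:<50} {path}")
```

The two known-good "(no name)" entries in the sample, SDHelper.dll (Spybot) and the Adobe helper, are left alone because the rule keys on where the DLL lives, not on the missing name alone; the ZoneAlarm service is left alone because its owner is named and its binary exists.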
 
By the way, while searching I found your previous thread with Shaba

http://forums.spybot.info/showthread.php?t=9353

Any reason why you left him?


*Did you have any Norton Antivirus products on your machine before? If so, please run this tool HERE to remove all leftovers of the Norton products.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {6EE6436B-00BB-4229-8D92-C12654C5B342} - C:\WINDOWS\system32\awvst.dll (file missing)
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://www.zonline.se/ClientDownloads/fcplugin.cab


Close your browsers and all open windows except for HijackThis, then click "Fix checked".


*Download Gmer from here:
http://gmer.thespykiller.co.uk/gmer.zip
  • Disconnect from internet and close running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
  • If no warning....
  • Click "Rootkit" tab and click "Scan"
  • Once done, click "Copy"
  • Open Notepad and hit "ctrl+v" to paste the log.
  • Reconnect to the internet and post the log back to this thread please.

On your next reply, please include a fresh HijackThis log, gmer log and a description on how your machine is running.
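The SSDT section of the GMER log asked for above lists, for each hooked native service, the driver the hooked entry now points to. What matters in that list is who the hooker is: a firewall or antivirus driver hooking ZwCreateProcess or ZwOpenProcess is expected, a driver nobody can account for is what a rootkit scan is looking for. As an added example (not part of the thread and not GMER's own code), this script parses the "System" and "Kernel code sections" parts of a GMER log, groups SSDT hooks by driver, reports hooks by any driver not on an expected list, and collects kernel .text patches with their offset and size. vsdatant.sys in the expected list is the TrueVector driver of ZoneAlarm, which the HijackThis logs show is installed; the example.sys line in the sample is constructed, and the expected list is an assumption that has to be adjusted per machine.

```python
import re
from collections import defaultdict

# Assumption: drivers expected to hook the SSDT on this machine. vsdatant.sys is the
# TrueVector driver belonging to ZoneAlarm, which the HijackThis logs show is installed.
EXPECTED_HOOKERS = {"vsdatant.sys"}

# Sample input: the vsdatant.sys and ntoskrnl.exe lines are copied from the GMER log posted
# later in this thread; the example.sys line is constructed to show an unlisted hooker.
SAMPLE_GMER = r"""
---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwEnumerateKey

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 3C, EA, F8, E0, 9E, EA, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 3C, EA, F8, E0, 9E, EA, ... ]

---- User code sections - GMER 1.0.12 ----

.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!RtlInitString 7C90125C 134 Bytes [ 90, 90, 90, 90, 4E, 65, 74, ... ]
"""

# "SSDT <driver path> <Zw service>"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")
# Kernel-mode inline patch: ".text module!symbol [+ hexoffset] hexaddress N Bytes ..."
# User-mode lines carry "<exe>[pid] " before the module and therefore do not match.
KPATCH_RE = re.compile(
    r"^\.text\s+(\S+?)!(\S+?)(?:\s*\+\s*([0-9A-Fa-f]+))?\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes")


def parse_gmer(text):
    """Split a GMER log into SSDT hooks per driver and kernel .text patches (deduplicated)."""
    hooks = defaultdict(list)
    patches = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            driver = m.group(1).rsplit("\\", 1)[-1].lower()
            hooks[driver].append(m.group(2))
            continue
        m = KPATCH_RE.match(line)
        if m:
            entry = (m.group(1), m.group(2), int(m.group(3) or "0", 16),
                     int(m.group(4), 16), int(m.group(5)))
            if entry not in patches:  # GMER prints some kernel patches twice
                patches.append(entry)
    return dict(hooks), patches


def unexpected_hooks(hooks, expected=EXPECTED_HOOKERS):
    """SSDT hooks installed by any driver that is not on the expected list."""
    return {driver: fns for driver, fns in hooks.items() if driver not in expected}


if __name__ == "__main__":
    hooks, patches = parse_gmer(SAMPLE_GMER)
    for driver, fns in hooks.items():
        tag = "expected" if driver in EXPECTED_HOOKERS else "UNEXPECTED"
        print(f"{tag:<10} {driver}: {', '.join(fns)}")
    for module, symbol, off, addr, size in patches:
        print(f"kernel patch {module}!{symbol}+0x{off:X} at 0x{addr:08X}, {size} bytes")
```

A hook is only as trustworthy as the driver that owns it, so the expected list should be built from what is known to be installed (here: ZoneAlarm), not from whatever the log happens to show. Kernel .text patches are listed but not judged, since deciding whether one is benign needs the bytes and the module, which this script only records.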
 
Yes, I had Norton's before, but I got rid of it. It was actually during that phase that I seemed to get all these viruses... my fault.

Yes, Shaba was my previous handler and I have nothing against him/her. It ended, I lost the thread so to speak, as I was away for a while with work....

So I thought I would start over... anyway....

Logfile of HijackThis v1.99.1
Scan saved at 04:19:30, on 2006-12-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\Delade filer\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program\Grisoft\AVG Free\avgcc.exe
C:\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program\Delade filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program\Delade filer\Logitech\LComMgr\LVComSX.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: X-Micro WLAN 11g USB Utility.lnk = C:\Program\X-Micro Technology Corporation\X-Micro WLAN 11g USB adapter\XMicroWlan.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.spray.se/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\GAREN~1\LOKALA~1\Temp\hpdj.exe (file missing)
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program\Delade filer\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
 
I can't seem to be able to post the GMER log... it seems that when I try, IE slows right down and then it fails to find the website.... Did that make any sense?
 
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-24 03:45:26
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
 
---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 3C, EA, F8, E0, 9E, EA, ... ]
.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 60, 3C, EA, F8, E0, 9E, EA, ... ]

---- User code sections - GMER 1.0.12 ----

.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!NlsMbOemCodePageTag + FFF84FE8 7C901000 140 Bytes [ AF, 69, FF, FF, 83, C4, 0C, ... ]
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!RtlEnterCriticalSection + 88 7C90108D 74 Bytes [ 83, C4, 0C, 85, F6, 75, 2C, ... ]
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!RtlEnterCriticalSection + D3 7C9010D8 77 Bytes CALL 7C8F7AB3 C:\WINDOWS\system32\kernel32.dll
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!RtlLeaveCriticalSection + 3B 7C901128 85 Bytes [ 4E, 65, 74, 70, 56, 61, 6C, ... ]
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!LdrInitializeThunk 7C90117E 62 Bytes [ 90, 90, 4E, 65, 74, 70, 43, ... ]
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!RtlActivateActivationContextUnsafeFast + 8 7C9011BD 74 Bytes [ 20, 30, 78, 25, 6C, 78, 0A, ... ]
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + E 7C901208 7 Bytes [ 42, 00, 55, 00, 49, 00, 4C ]
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + 16 7C901210 64 Bytes [ 54, 00, 49, 00, 4E, 00, 00, ... ]
.text C:\Program\WinRAR\WinRAR.exe[2432] ntdll.dll!NtCurrentTeb + 1 7C901251 8 Bytes [ 20, 30, 78, 25, 6C, 78, 0A, ... ]