
Suspected Malware

Post by mgunby » October 18th, 2007, 10:03 am

I hope y'all can help me out. Since Saturday (when I stupidly attempted to install a third-party toolbar in IE), I've been experiencing pop-ups designed to mimic Windows Security Center and extreme slowing of my system, to the point of getting the "Virtual Memory Running Low" message when the only application I have running is a browser.

I have followed all the steps in this thread, and I'm still experiencing popups from fp.pc-on-internet.

Here's my HijackThis log from this morning:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:14 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickBooksDB17] C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe -n QB_MELISSA_17 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10172) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe C:\DOCUME~1\Melissa\LOCALS~1\APPLIC~1\Intuit\QUICKB~2\Log\DBSTAR~1.LOG -y
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.realpage.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (RealPage Web Objects) - http://onesite.realpage.com/coreglobal/ ... alpage.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0171101125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 14936 bytes

I'm in over my head and would appreciate any help you can give me.
mgunby
Active Member
 
Posts: 5
Joined: October 18th, 2007, 9:53 am
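The HijackThis log above is organised into section codes (R0/R1 for IE registry values, O2 BHOs, O4 autostarts, O8 context-menu items, O10 LSPs, O15 Trusted Zone, O23 services, and so on). As an added example for this thread (not HijackThis' own code and not anything the helpers here posted), the Python below parses that line format and flags the entry types a helper usually reviews first: CLSIDs that point at "(no file)", autostarts with no full path, context-menu targets that are neither a file nor a URL, LSPs HijackThis does not recognise, Trusted Zone additions and services recorded with "Unknown owner". The input is a constructed sample drawn from the log above, and a flag means "verify", not "malicious".

```python
"""Triage a HijackThis v2 log: parse the section-coded lines and flag the
entries a helper looks at first.  Constructed for this thread; not HijackThis code."""
import re

# Constructed sample in the HijackThis v2.0.2 line format seen in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.realpage.com
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
--
End of file - 14936 bytes
"""

# HijackThis section codes (R = IE registry values, O = everything else).
SECTION_NAMES = {
    "R0": "changed IE registry value", "R1": "created IE registry value",
    "O2": "Browser Helper Object", "O3": "IE toolbar", "O4": "autostart entry",
    "O8": "IE context-menu item", "O9": "IE extra button / Tools item",
    "O10": "Winsock LSP", "O15": "IE Trusted Zone", "O16": "ActiveX download (DPF)",
    "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A context-menu target should be a local file or a URL.
FILE_OR_URL_RE = re.compile(r"^(?:[A-Za-z]:\\|res://|https?://|file://)", re.IGNORECASE)
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")


def parse_hjt(text):
    """Return (code, body) pairs for every section-coded line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Return (code, reason, body) for entries worth a closer look.
    A flag means 'verify this', not 'this is malicious'."""
    findings = []
    for code, body in entries:
        reason = None
        if code in ("O2", "O3", "O9") and body.endswith("(no file)"):
            reason = "CLSID points at a missing file (orphaned entry, cleanup candidate)"
        elif code == "O4" and not DRIVE_PATH_RE.search(body):
            reason = "autostart without a full path; resolved through the search path at logon"
        elif code == "O8" and not FILE_OR_URL_RE.match(body.rsplit(" - ", 1)[-1]):
            reason = "context-menu target is neither a local file nor a URL"
        elif code == "O10":
            reason = "LSP not recognised by HijackThis; confirm the DLL's publisher before removal"
        elif code == "O15":
            reason = "site added to the IE Trusted Zone (runs with relaxed security settings)"
        elif code == "O23" and " - Unknown owner - " in body:
            reason = "service with no publisher recorded; confirm the binary's signer"
        if reason:
            findings.append((code, reason, body))
    return findings


def report(text):
    """Print a human-readable triage report for one HijackThis log and return the findings."""
    entries = parse_hjt(text)
    findings = triage(entries)
    print(f"{len(entries)} entries parsed, {len(findings)} flagged for review")
    for code, reason, body in findings:
        print(f"[{code} {SECTION_NAMES.get(code, 'other')}] {reason}\n    {body}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_LOG)
```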

Post by DFW » October 21st, 2007, 2:22 pm

Hello and welcome. My name is DFW and I will be assisting you with your malware issues.

Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs. As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

  • Whatever repairs we make are for fixing your computer's problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you get stuck, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page in case you need it for reference.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Post by DFW » October 22nd, 2007, 5:42 pm

Please download GMER to your desktop.

Please create a folder in the Program Files folder called GMER.

Download GMER and extract it to the C:\program files\GMER folder you have just made.

Run the GMER program by double-clicking the executable file gmer.exe.
You may be prompted to scan immediately if GMER detects rootkit activity.

If you are prompted to scan your system, click "Yes" to begin the scan.
If you are not prompted, click the "Rootkit" tab, then click "Scan".

DO NOT touch the PC at ALL for whatever reason until it has 100% completed its scan, or its attempted scan in case of some error!

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results into a Notepad file and also paste them back in your next reply.

Please post with the results from the GMER scan and a fresh HijackThis log.
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

GMER and new HijackThis logs

Post by mgunby » October 23rd, 2007, 6:01 am

GMER log:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-10-23 02:47:41
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT 8602DF30 ZwAlertResumeThread
SSDT 86030310 ZwAlertThread
SSDT 85F960A8 ZwAllocateVirtualMemory
SSDT 8613D078 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 862408E8 ZwCreateMutant
SSDT 85FF0930 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT 8623E748 ZwFreeVirtualMemory
SSDT 862431B8 ZwImpersonateAnonymousToken
SSDT 8602D6E0 ZwImpersonateThread
SSDT 86168928 ZwMapViewOfSection
SSDT 86241C98 ZwOpenEvent
SSDT 86059A78 ZwOpenProcessToken
SSDT 8603E4C8 ZwOpenThreadToken
SSDT 8558C298 ZwQueryValueKey
SSDT 860D1080 ZwResumeThread
SSDT 8603DF30 ZwSetContextThread
SSDT 8609EAD8 ZwSetInformationProcess
SSDT 8603B930 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 86237970 ZwSuspendProcess
SSDT 86031110 ZwSuspendThread
SSDT 860581C8 ZwTerminateProcess
SSDT 86039588 ZwTerminateThread
SSDT 860E4AD0 ZwUnmapViewOfSection
SSDT 860AC0A8 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.13 ----

.text C:\WINDOWS\Explorer.EXE[356] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\Explorer.EXE[356] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\Explorer.EXE[356] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\Explorer.EXE[356] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[532] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 009D200E
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[532] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 009D1DAF
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[532] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 009D1CF2
.text C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe[532] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 009D191B
.text C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe[620] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0105200E
.text C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe[620] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01051DAF
.text C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe[620] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01051CF2
.text C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe[620] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0105191B
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[668] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00C3200E
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[668] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00C31DAF
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[668] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00C31CF2
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe[668] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00C3191B
.text C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[724] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[724] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[724] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\HP\hpcoretech\hpcmpmgr.exe[724] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe[732] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D8200E
.text C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe[732] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D81DAF
.text C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe[732] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D81CF2
.text C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe[732] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D8191B
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[740] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[740] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[740] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe[740] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Winamp\winampa.exe[812] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Winamp\winampa.exe[812] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Winamp\winampa.exe[812] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Winamp\winampa.exe[812] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\igfxpers.exe[828] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00DF200E
.text C:\WINDOWS\system32\igfxpers.exe[828] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00DF1DAF
.text C:\WINDOWS\system32\igfxpers.exe[828] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00DF1CF2
.text C:\WINDOWS\system32\igfxpers.exe[828] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00DF191B
.text C:\WINDOWS\ATK0100\HControl.exe[844] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0199200E
.text C:\WINDOWS\ATK0100\HControl.exe[844] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01991DAF
.text C:\WINDOWS\ATK0100\HControl.exe[844] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01991CF2
.text C:\WINDOWS\ATK0100\HControl.exe[844] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0199191B
.text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\csrss.exe[864] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe[868] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 011D200E
.text C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe[868] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 011D1DAF
.text C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe[868] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 011D1CF2
.text C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe[868] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 011D191B
.text C:\WINDOWS\system32\services.exe[932] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\services.exe[932] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\services.exe[932] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\services.exe[932] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Generic\Power4 Gear\BatteryLife.exe[1136] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0095200E
.text C:\Program Files\Generic\Power4 Gear\BatteryLife.exe[1136] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00951DAF
.text C:\Program Files\Generic\Power4 Gear\BatteryLife.exe[1136] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00951CF2
.text C:\Program Files\Generic\Power4 Gear\BatteryLife.exe[1136] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0095191B
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 01A4200E
.text C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01A41DAF
.text C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01A41CF2
.text C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01A4191B
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1464] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0147200E
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1464] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01471DAF
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1464] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01471CF2
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1464] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0147191B
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1468] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 01A3200E
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1468] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01A31DAF
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1468] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01A31CF2
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[1468] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 01A3191B
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1528] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 015A200E
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1528] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 015A1DAF
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1528] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 015A1CF2
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[1528] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 015A191B
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00EC200E
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00EC1DAF
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00EC1CF2
.text C:\WINDOWS\system32\spoolsv.exe[1636] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00EC191B
.text C:\WINDOWS\system32\igfxtray.exe[1660] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00E6200E
.text C:\WINDOWS\system32\igfxtray.exe[1660] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00E61DAF
.text C:\WINDOWS\system32\igfxtray.exe[1660] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00E61CF2
.text C:\WINDOWS\system32\igfxtray.exe[1660] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00E6191B
.text C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe[1796] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0090200E
.text C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe[1796] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00901DAF
.text C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe[1796] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00901CF2
.text C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe[1796] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0090191B
.text C:\WINDOWS\system32\hkcmd.exe[1928] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00D8200E
.text C:\WINDOWS\system32\hkcmd.exe[1928] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00D81DAF
.text C:\WINDOWS\system32\hkcmd.exe[1928] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00D81CF2
.text C:\WINDOWS\system32\hkcmd.exe[1928] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00D8191B
.text C:\WINDOWS\ATK0100\ATKOSD.exe[2176] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\ATK0100\ATKOSD.exe[2176] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\ATK0100\ATKOSD.exe[2176] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\ATK0100\ATKOSD.exe[2176] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\iTunes\iTunesHelper.exe[2236] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 09C6200E
.text C:\Program Files\iTunes\iTunesHelper.exe[2236] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 09C61DAF
.text C:\Program Files\iTunes\iTunesHelper.exe[2236] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 09C61CF2
.text C:\Program Files\iTunes\iTunesHelper.exe[2236] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 09C6191B
.text C:\WINDOWS\system32\ctfmon.exe[2276] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\system32\ctfmon.exe[2276] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\WINDOWS\system32\ctfmon.exe[2276] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\WINDOWS\system32\ctfmon.exe[2276] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\BitTorrent\bittorrent.exe[2284] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 015B200E
.text C:\Program Files\BitTorrent\bittorrent.exe[2284] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 015B1DAF
.text C:\Program Files\BitTorrent\bittorrent.exe[2284] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 015B1CF2
.text C:\Program Files\BitTorrent\bittorrent.exe[2284] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 015B191B
.text C:\Program Files\AIM6\aim6.exe[2304] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\AIM6\aim6.exe[2304] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\AIM6\aim6.exe[2304] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\AIM6\aim6.exe[2304] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2328] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2328] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2328] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2328] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[2328] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2372] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2372] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2372] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2372] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe[2712] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 00F3200E
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe[2712] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 00F31DAF
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe[2712] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 00F31CF2
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe[2712] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 00F3191B
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe[2796] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe[2796] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe[2796] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe[2796] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes JMP 0091200E
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtEnumerateKey + 4 7C90D950 1 Byte [ 84 ]
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtEnumerateValueKey 7C90D976 3 Bytes JMP 00911DAF
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtEnumerateValueKey + 4 7C90D97A 1 Byte [ 84 ]
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 3 Bytes JMP 00911CF2
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtQueryDirectoryFile + 4 7C90DF62 1 Byte [ 84 ]
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtQuerySystemInformation 7C90E1AA 3 Bytes JMP 0091191B
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtQuerySystemInformation + 4 7C90E1AE 1 Byte [ 84 ]
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[2856] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!send 71AB428A 5 Bytes JMP 100030E6
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!WSARecv 71AB4318 5 Bytes JMP 100032CC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 100035BC
.text C:\Program Files\iPod\bin\iPodService.exe[3300] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\iPod\bin\iPodService.exe[3300] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\iPod\bin\iPodService.exe[3300] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\iPod\bin\iPodService.exe[3300] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe[3580] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 0114200E
.text C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe[3580] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 01141DAF
.text C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe[3580] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 01141CF2
.text C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe[3580] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 0114191B
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe[3656] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 034E200E
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe[3656] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 034E1DAF
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe[3656] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 034E1CF2
.text C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe[3656] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 034E191B
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3956] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3956] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3956] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[3956] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\GMER\gmer.exe[4768] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\GMER\gmer.exe[4768] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\Program Files\GMER\gmer.exe[4768] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\Program Files\GMER\gmer.exe[4768] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!OpenServiceW] [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!ControlService] [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!OpenServiceW] [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!OpenServiceW] [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!ControlService] [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\netapi32.dll [ADVAPI32.dll!OpenServiceA] [6F8A063A] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\netapi32.dll [ADVAPI32.dll!ControlService] [6F8A0680] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\netapi32.dll [ADVAPI32.dll!OpenServiceW] [6F8A065D] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\netapi32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\WS2HELP.dll [ADVAPI32.dll!OpenServiceA] [6F8A063A] C:\WINDOWS\AppPatch\AcGenral.DLL
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9A27] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F73691DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F73691DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7369454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F73691DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F735CF4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [AADF78F0] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [AADF7950] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [AADF7860] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_F
mgunby
Active Member
 
Posts: 5
Joined: October 18th, 2007, 9:53 am
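The GMER output in the post above is raw tool output: each `.text` line names a process, the export whose first bytes were overwritten, the original address, how many bytes were patched and where the new JMP lands; each `IAT` line is an import slot that now points into a module other than the one that exports the function. What follows is an added example, not part of the original post and not GMER's own code, that parses lines of that format and applies the checks a helper does by eye: which functions are hooked in almost every process (the four ntdll exports above are the ones used to filter registry, directory and process listings), whether the JMP targets share the same low 16 bits under different bases (one relocated DLL rather than many unrelated hooks), whether a hooked process runs from a per-user data directory, whether the scanner itself is hooked, and which IAT redirections are not explained by the Windows application-compatibility shims. The sample lines are copied from the log above; the shim allowlist, the directory list and the 0.8 threshold are assumptions.

```python
"""Triage GMER 'User code sections' and 'User IAT/EAT' lines (added example)."""
import re
from collections import defaultdict, namedtuple

HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>\S+)!(?P<func>\w+)"
    r"(?: \+ \d+)? (?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes? (?P<patch>.*)$")
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ .+? \[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]"
    r" \[(?P<addr>[0-9A-Fa-f]{8})\] (?P<owner>.*)$")
# Assumption: Windows application-compatibility shims legitimately route
# GetProcAddress/OpenService*/ControlService through these modules.
BENIGN_IAT_OWNERS = ("\\windows\\system32\\shimeng.dll", "\\windows\\apppatch\\")
# Per-user data directories a hooked process should not normally be running from.
USER_DATA_DIRS = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")

# kind: "inline" (.text patch) or "iat"; target: "module!function" that was altered;
# dest: address control is diverted to (0 when the patch is not a JMP);
# owner: module GMER attributed dest to, when it could.
Hook = namedtuple("Hook", "kind proc pid target dest owner")

def parse_gmer(text):
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            patch = m["patch"].split()
            dest = int(patch[1], 16) if len(patch) > 1 and patch[0] == "JMP" else 0
            hooks.append(Hook("inline", m["proc"], int(m["pid"]), f'{m["module"]}!{m["func"]}',
                              dest, " ".join(patch[2:]) if dest else ""))
            continue
        m = IAT_RE.match(line)
        if m:
            hooks.append(Hook("iat", m["proc"], int(m["pid"]), f'{m["module"]}!{m["func"]}',
                              int(m["addr"], 16), m["owner"]))
    return hooks

def systemwide_hooks(hooks, min_ratio=0.8):
    """Functions inline-hooked in at least min_ratio of the hooked processes: a DLL
    injected into every process shows up here, one application's own hook does not."""
    pids = {h.pid for h in hooks if h.kind == "inline"}
    per_func = defaultdict(set)
    for h in hooks:
        if h.kind == "inline":
            per_func[h.target].add(h.pid)
    return sorted(f for f, p in per_func.items() if len(p) >= min_ratio * len(pids))

def shared_stub_offsets(hooks):
    """Low 16 bits of each JMP destination, per hooked function. One value across many
    processes means one DLL relocated to a different base in each (0x10000000 is the
    linker default for DLLs); the 64 KiB mask is a heuristic, not a PE parse."""
    offs = defaultdict(set)
    for h in hooks:
        if h.kind == "inline" and h.dest:
            offs[h.target].add(h.dest & 0xFFFF)
    return {f: sorted(o) for f, o in offs.items()}

def processes_in_user_data(hooks):
    return sorted({h.proc for h in hooks if any(d in h.proc.lower() for d in USER_DATA_DIRS)})

def scanner_is_hooked(hooks, scanner="gmer.exe"):
    """If the scanner itself carries the hooks, its user-mode view of files, registry
    and processes may be filtered by the very code it is looking for."""
    return any(h.kind == "inline" and h.proc.lower().endswith(scanner) for h in hooks)

def unexplained_iat_owners(hooks):
    return sorted({h.owner for h in hooks if h.kind == "iat"
                   and not any(b in h.owner.lower() for b in BENIGN_IAT_OWNERS)})

# Lines copied from the GMER log posted above (a subset, to keep this short).
SAMPLE_LOG = r"""
.text C:\WINDOWS\ATK0100\ATKOSD.exe[2176] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\WINDOWS\ATK0100\ATKOSD.exe[2176] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 10001DAF
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 10001CF2
.text C:\documents and settings\melissa\local settings\application data\ahuqdqpo.exe[2396] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtEnumerateKey 7C90D94C 3 Bytes JMP 0091200E
.text C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe[2808] ntdll.dll!NtEnumerateKey + 4 7C90D950 1 Byte [ 84 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
.text C:\Program Files\Mozilla Firefox\firefox.exe[3280] WS2_32.dll!send 71AB428A 5 Bytes JMP 100030E6
.text C:\Program Files\GMER\gmer.exe[4768] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 1000200E
.text C:\Program Files\GMER\gmer.exe[4768] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 1000191B
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1292] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWS\system32\ShimEng.dll
IAT C:\Program Files\AIM6\aim6.exe[2304] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9979] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll
"""

if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    print("hooked in most processes:", systemwide_hooks(hooks))
    print("JMP stub offsets:", shared_stub_offsets(hooks))
    print("hooked processes under user data dirs:", processes_in_user_data(hooks))
    print("scanner itself hooked:", scanner_is_hooked(hooks))
    print("IAT owners not explained by AppCompat shims:", unexplained_iat_owners(hooks))
```

Run against the full log rather than the subset, all four ntdll exports come back from `systemwide_hooks` with one offset each, which is the point: a list of several hundred hook lines collapses to "one DLL, injected everywhere, including into the scanner". The IAT redirections through ShimEng.dll and AcGenral.DLL are the AppCompat layer and are expected; anything else in that list is what to look at next.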

Hijack This log

Unread postby mgunby » October 23rd, 2007, 6:04 am

Looks like it got cut off...

hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:12 AM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Program Files\Generic\Power4 Gear\BatteryLife.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\Generic\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] C:\Program Files\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickBooksDB17] C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe -n QB_MELISSA_17 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10172) -ti 0 -ec simple -ct- -qi -qw -tl 120 -oe C:\DOCUME~1\Melissa\LOCALS~1\APPLIC~1\Intuit\QUICKB~2\Log\DBSTAR~1.LOG -y
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Database Server Manager.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBServerUtilityMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.realpage.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (RealPage Web Objects) - http://onesite.realpage.com/coreglobal/ ... alpage.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 0171101125
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 15228 bytes
mgunby
Active Member
 
Posts: 5
Joined: October 18th, 2007, 9:53 am
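The O23 lines at the end of the log above are the installed services, one per line, each with a display name, the vendor string HijackThis could read from the binary, and the path. As an added example for this thread (not code from HijackThis or from either poster), the script below parses that format and flags the entries a helper would look at first. The two review rules, an owner reported as "Unknown owner" and a service binary living under a user profile or temp directory, are my own assumptions for illustration. An "Unknown owner" hit only means no vendor string was recognised: the Symantec symlcsvc.exe line in the posted log is exactly such a case and is legitimate, so the rule points at what to check, not at what to delete.

```python
"""Parse HijackThis O23 (service) lines and flag the ones worth a manual look.

Added example for this thread, not part of HijackThis or of the posts.  The
review rules are illustrative assumptions, not HijackThis behaviour.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sample input copied from the HijackThis log posted above.
SAMPLE_O23 = r"""
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Display name, optional short service name in parentheses, owner string, path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)

# Directories under which a service binary is unusual (constructed list,
# matched case-insensitively against the lowered path).
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\temp\\",
)


@dataclass
class Service:
    display: str
    short: Optional[str]   # None when HijackThis printed no short name
    owner: str
    path: str


def parse_o23(text: str) -> list:
    """Return one Service per well-formed O23 line; other lines are ignored."""
    services = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(Service(**m.groupdict()))
    return services


def review_reasons(svc: Service) -> list:
    """Reasons this entry deserves a manual look (empty list = nothing noted)."""
    reasons = []
    if svc.owner.lower() == "unknown owner":
        reasons.append("owner not identified")
    lowered = svc.path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary under a user profile or temp directory")
    return reasons


def review(text: str) -> dict:
    """Map each flagged service path to its list of reasons."""
    flagged = {}
    for svc in parse_o23(text):
        reasons = review_reasons(svc)
        if reasons:
            flagged[svc.path] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in review(SAMPLE_O23).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run against the four sample lines it flags only symlcsvc.exe, for "owner not identified"; the next step for a helper is to look the file up by hash or vendor signature, not to act on the flag alone.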

Unread postby DFW » October 23rd, 2007, 4:13 pm

Hi mgunby

Yes it looks like the bottom part of the GMER log is missing, however now download, install and run the tool below


Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

  • Extract its contents to the desktop.
  • Double click on navilog1.exe to install it on your computer.
  • When the installation is complete, the tool will start automatically.
  • If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
  • Press E for English from the language Menu.
  • Type 1 in the next Menu to select Search and press Enter.
  • Wait for the Scan to finish (It may take a reasonable amount of time)
  • Press any key as requested.
  • A new document will be produced: fixnavi.txt.
  • Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby mgunby » October 24th, 2007, 12:42 am

Search Navipromo version 3.3.2 began on Tue 10/23/2007 at 21:27:20.46

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Updated on 22.10.2007 at 19h00 by IL-MAFIOSO

Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 7.0.5730.11

Done in normal mode

*** Searching for installed Software ***




*** Search folders in C:\WINDOWS ***



*** Search folders in C:\Program Files ***



*** Search folders in C:\Documents and Settings\All Users\Application Data ***




*** Search folders in C:\Documents and Settings\Melissa\Application Data ***


*** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found in :

- C:\WINDOWS\system32
- C:\DOCUME~1\MELISSA\LOCALS~1\APPLIC~1



*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in C:\WINDOWS\system32 *

* Scan in C:\DOCUME~1\MELISSA\LOCALS~1\APPLIC~1 *

Files found :

ahuqdqpo.exe found !



*** Search files ***


C:\WINDOWS\system32\nvs2.inf found !


*** Search specific Registry keys ***

HKEY_CURRENT_USER\Software\Lanconfig found !

*** Complementary Search ***
(Search specific files)

1)Search known files:

2)Heuristic Search :


C:\DOCUME~1\MELISSA\LOCALS~1\APPLIC~1\ahuqdqpo.dat found !

3)Certificates Search :

Egroup certificate found !


*** Search completed on Tue 10/23/2007 at 21:33:20.26 ***
mgunby
Active Member
 
Posts: 5
Joined: October 18th, 2007, 9:53 am

Unread postby DFW » October 24th, 2007, 9:46 am


  • Double click on Navilog1 shortcut icon on your desktop to run it.
  • Press E for English from the language Menu.
  • Type 2 in the next Menu and press Enter.
  • The tool will then advise you that it will restart your computer.
  • Close all open windows and save personal documents, if open, too.
  • If your computer doesn't restart automatically, restart it manually.
  • Choose your usual session.
  • Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
  • A new document will be produced.
  • Please copy/paste the contents of this report in your next reply.
  • Your desktop will now appear.

Note : In the event you lose your desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt. (usually C:\cleannavi.txt)



Post back with cleannavi.txt log and a new HJT log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby mgunby » October 26th, 2007, 2:01 am

Navipromo Removal version 3.3.2 started on Thu 10/25/2007 at 22:39:28.70

Fix running from C:\Program Files\navilog1
Updated on 22.10.2007 at 19h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Internet Explorer : 7.0.5730.11

Automatic removal



*** fsbl1.txt not found ***
(Check that Catchme found nothing in Search Mode)


*** Deleting with Backups GenericNaviSearch results ***

* Deletion in C:\WINDOWS\System32 *

C:\WINDOWS\prefetch\ahuqdqpo*.pf found !
Copy C:\WINDOWS\prefetch\ahuqdqpo*.pf done !
C:\WINDOWS\prefetch\ahuqdqpo*.pf deleted !


* Deletion in C:\DOCUME~1\MELISSA\LOCALS~1\APPLIC~1 *

ahuqdqpo.exe found !
Copy ahuqdqpo.exe done !
ahuqdqpo.exe deleted !

ahuqdqpo.dat found !
Copy ahuqdqpo.dat done !
ahuqdqpo.dat deleted !

ahuqdqpo_nav.dat found !
Copy ahuqdqpo_nav.dat done !
ahuqdqpo_nav.dat deleted !

ahuqdqpo_navps.dat found !
Copy ahuqdqpo_navps.dat done !
ahuqdqpo_navps.dat deleted !



*** Deleting folders in C:\WINDOWS ***


*** Deleting folders in C:\Program Files ***


*** Deleting folders in C:\Documents and Settings\All Users\Application Data ***


*** Deleting folders in C:\Documents and Settings\Melissa\Application Data ***


*** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***



*** Deleting files ***

C:\WINDOWS\system32\nvs2.inf deleted !

*** Deleting temporary files ***

Cleaning of C:\WINDOWS\Temp done !
Cleaning of C:\Documents and Settings\Melissa\Local Settings\Temp done !

*** Complementary Search ***
(Search specific files)

1)Search known files:


2)Heuristic search and deletion with backups :


*** Copy Registry to Backupnavi folder ***

Backing up Registry done !

*** Cleaning Registry ***

Registry cleaned


*** Certificates ***

Egroup Certificate deleted !

*** Cleaning stage complete on Thu 10/25/2007 at 22:54:55.81 ***
mgunby
Active Member
 
Posts: 5
Joined: October 18th, 2007, 9:53 am
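The search report earlier in the thread and the removal report just above share one line format: an item followed by "found !", "deleted !" or, for the backup copy Navilog1 makes first, "Copy ... done !". As an added example (my own code, not part of Navilog1), the script below reconciles the two reports: it confirms that every item the search flagged was later deleted, notes which deletions had no recorded backup copy, and lists what the cleaner removed beyond the search hits (in the posted run, the prefetch entry and the two extra .dat files). The registry key is the one gap the format leaves: the clean report only says "Registry cleaned" without naming keys, so the script reports the key as not itemised rather than as deleted.

```python
"""Reconcile a Navilog1 search report (mode 1) with the removal report (mode 2).

Added example for this thread; not part of Navilog1.  Sample reports are
excerpts copied from the two posts above.
"""
import re

SEARCH_REPORT = r"""
ahuqdqpo.exe found !
C:\WINDOWS\system32\nvs2.inf found !
HKEY_CURRENT_USER\Software\Lanconfig found !
C:\DOCUME~1\MELISSA\LOCALS~1\APPLIC~1\ahuqdqpo.dat found !
Egroup certificate found !
"""

CLEAN_REPORT = r"""
C:\WINDOWS\prefetch\ahuqdqpo*.pf found !
Copy C:\WINDOWS\prefetch\ahuqdqpo*.pf done !
C:\WINDOWS\prefetch\ahuqdqpo*.pf deleted !
ahuqdqpo.exe found !
Copy ahuqdqpo.exe done !
ahuqdqpo.exe deleted !
ahuqdqpo.dat found !
Copy ahuqdqpo.dat done !
ahuqdqpo.dat deleted !
ahuqdqpo_nav.dat found !
Copy ahuqdqpo_nav.dat done !
ahuqdqpo_nav.dat deleted !
ahuqdqpo_navps.dat found !
Copy ahuqdqpo_navps.dat done !
ahuqdqpo_navps.dat deleted !
C:\WINDOWS\system32\nvs2.inf deleted !
Registry cleaned
Egroup Certificate deleted !
"""

FOUND_RE = re.compile(r"^(?P<item>.+?) found !$", re.MULTILINE)
DELETED_RE = re.compile(r"^(?P<item>.+?) deleted !$", re.MULTILINE)
BACKUP_RE = re.compile(r"^Copy (?P<item>.+?) done !$", re.MULTILINE)
REGISTRY_KEY_RE = re.compile(r"^HKEY_", re.IGNORECASE)


def normalise(item: str) -> str:
    """Compare by final path component, case-insensitively: Navilog1 prints
    some entries as bare file names and others as full paths."""
    return item.strip().split("\\")[-1].lower()


def items(pattern, report: str) -> set:
    """Normalised set of items matched by one of the line patterns."""
    return {normalise(m.group("item")) for m in pattern.finditer(report)}


def reconcile(search_report: str, clean_report: str) -> dict:
    """Compare what the search flagged with what the cleaner reported."""
    found_raw = {m.group("item").strip() for m in FOUND_RE.finditer(search_report)}
    found = {normalise(i) for i in found_raw}
    registry_keys = {normalise(i) for i in found_raw if REGISTRY_KEY_RE.match(i)}
    deleted = items(DELETED_RE, clean_report)
    backed_up = items(BACKUP_RE, clean_report)

    unconfirmed = found - deleted
    # The clean report states "Registry cleaned" but does not name keys, so a
    # flagged key can only be marked as covered by that generic line.
    registry_not_itemised = set()
    if "Registry cleaned" in clean_report:
        registry_not_itemised = unconfirmed & registry_keys
        unconfirmed -= registry_not_itemised

    return {
        "confirmed": sorted(found & deleted),
        "unconfirmed": sorted(unconfirmed),
        "registry_not_itemised": sorted(registry_not_itemised),
        "extra": sorted(deleted - found),
        "no_backup": sorted(deleted - backed_up),
    }


if __name__ == "__main__":
    for key, value in reconcile(SEARCH_REPORT, CLEAN_REPORT).items():
        print(f"{key}: {value}")
```

On the posted run everything the search flagged is accounted for; the two deletions without a "Copy ... done !" line are nvs2.inf and the certificate, which is worth knowing if anything has to be restored from the Backupnavi folder later.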

Unread postby DFW » October 26th, 2007, 3:07 pm

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful.
    (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.



Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources.
It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.




We Now Need To Boot Into Safe Mode

Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc (BOOT SCREEN).
At this point you should gently tap the F8 key repeatedly until you are presented with an Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.



Now Run AVG in Safe Mode

  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button. This must be done before saving the report.
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.



Please post back with the AVG Log and a new HJT Log
DFW
MRU Honors Grad Emeritus
 
Posts: 3229
Joined: September 28th, 2006, 12:23 pm
Location: UK

Unread postby askey127 » November 10th, 2007, 2:19 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 13897
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA