
Possible Infection of VBS/Dropper and BackDoor.Hupigon.BFA


Post by dantijkc » July 10th, 2007, 11:44 am

My wife was trying to type in her banking address that she has bookmarked on her computer, but accidentally went to http://www.royaldirect.com. A pop-up from AVG Free (version 7.5) said something about an automatic download containing a virus. Before I could read it, she clicked x to close the box. I immediately ran an AVG scan and found VBS/Dropper and a change to my kernel32.dll file. AVG fixed the dropper problem (supposedly) but then, the next day, two things happened. First, an AVG scan then found BackDoor.Hupigon.BFA (which it supposedly fixed, and the kernel32.dll file still said 'changed') and my router began powering on and off at such a rapid pace that I cannot access either the web or even the router settings. Thus, I am posting away from home and hoping for a response before returning home.

Is it possible that some malware has damaged either my router or my computer's ability to access the router (which, due to its strange behaviour, cannot be accessed by any other computer on the network either)? I would like to buy a new router if this one has simply died, but thought I should take care of any infection first.

The system runs fine, AVG finds no threats (other than a change to the kernel32.dll file), TrojanHunter finds no threats, Ad-Aware finds no threats, and Spybot S&D finds no threats. My HijackThis log follows. Please advise on any problems from there as well as about the router situation.

Thanks in advance!


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:46:49 AM, on 7/10/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\ProShow Gold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\ZoneAlarm\zlclient.exe
D:\PROGRA~1\Grisoft\AVG\avgcc.exe
D:\Program Files\Quicktime\qttask.exe
C:\WINNT\system32\internat.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\rundll32.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\DeskSlide\DeskSlide.exe
D:\Program Files\MemTurbo\MemTurbo.exe
D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HijackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "D:\Program Files\Norton\System Works\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [DeskSlide] D:\Program Files\DeskSlide\DeskSlide.exe -logon -hide
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: MemTurbo.lnk = D:\Program Files\MemTurbo\MemTurbo.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = D:\Program Files\Adobe\Acrobat\Acrobat\acrobat_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5152811406
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Program Files\ProShow Gold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 10350 bytes
dantijkc
Active Member
Posts: 11
Joined: July 10th, 2007, 11:23 am
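An added triage helper (my example, not a tool from the thread or from MalwareRemoval.com) that parses HijackThis entry lines like the ones in the log above and flags the items helpers check first: BHOs with no file on disk, an O16 DPF entry with no download URL, an O23 service with unknown owner, and an O17 NameServer outside the LAN. The sample input is constructed from a few lines of the log plus one made-up O17 line; the 8.8.8.8 address in it exists only to exercise the DNS check.

```python
"""Triage helper for HijackThis-style logs (added example, not a thread tool)."""
import ipaddress
import re

# One HijackThis entry per line: "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

# Constructed sample: lines excerpted from the log posted above, plus one
# made-up O17 line (the one listing 8.8.8.8) so the nameserver check fires.
SAMPLE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1,8.8.8.8
O23 - Service: ScsiAccess - Unknown owner - D:\Program Files\ProShow Gold\ScsiAccess.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Return (section, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def public_nameservers(value):
    """Return the NameServer addresses that are not private, loopback or link-local.

    A home router such as the 192.168.1.1 in the log is expected; a resolver
    outside the LAN is worth confirming with the user, since DNS settings are
    a common place for changes the user did not make.
    """
    suspicious = []
    for addr in re.split(r"[,\s]+", value.strip()):
        if not addr:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append(addr)  # not an IP literal at all: look at it
            continue
        if not (ip.is_private or ip.is_loopback or ip.is_link_local):
            suspicious.append(addr)
    return suspicious


def triage(entries):
    """Flag the entry types a helper checks first. Every hit needs human review:
    a '(no file)' BHO is usually a leftover from an uninstall, and an 'Unknown
    owner' service may simply lack version information (ScsiAccess above belongs
    to ProShow Gold), but these are the places a stray component would show up."""
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO, no file on disk", body))
        elif section == "O16" and body.endswith("-"):
            findings.append(("DPF entry with no download URL", body))
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            if m and public_nameservers(m.group(1)):
                findings.append(("NameServer outside the LAN", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("service with unknown owner", body))
    return findings


if __name__ == "__main__":
    for kind, body in triage(parse_hjt(SAMPLE)):
        print(f"[{kind}] {body}")
```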

HJT 1.99 Log - appended

Post by dantijkc » July 10th, 2007, 11:54 am

Upon noticing in another post that HijackThis 2.0 Beta is not acceptable yet, I've gotten a 1.99 log, below:

Logfile of HijackThis v1.99.1
Scan saved at 11:49:00 AM, on 7/10/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
D:\Program Files\ProShow Gold\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\ZoneAlarm\zlclient.exe
D:\PROGRA~1\Grisoft\AVG\avgcc.exe
D:\Program Files\Quicktime\qttask.exe
C:\WINNT\system32\internat.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\rundll32.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\DeskSlide\DeskSlide.exe
D:\Program Files\MemTurbo\MemTurbo.exe
D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "D:\Program Files\Norton\System Works\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [DeskSlide] D:\Program Files\DeskSlide\DeskSlide.exe -logon -hide
O4 - Startup: MemTurbo.lnk = D:\Program Files\MemTurbo\MemTurbo.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = D:\Program Files\Adobe\Acrobat\Acrobat\acrobat_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5152811406
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Program Files\ProShow Gold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
dantijkc
Active Member
Posts: 11
Joined: July 10th, 2007, 11:23 am

Is Anyone Even Looking at/Working on This?

Post by dantijkc » July 11th, 2007, 10:30 am

35 views in 24 hours, but not even a comment? Is there anyone who is even attempting to look at my log or offer help? Please help as I am going away very soon and need to take care of some things on the internet first.

Thanks!
dantijkc
Active Member
Posts: 11
Joined: July 10th, 2007, 11:23 am

Post by Elrond » July 11th, 2007, 3:14 pm

Hi dantijkc
Welcome to Malware Removal Forums.

I'm Elrond, I'll be glad to help you with your computer problems.

Sorry for the wait, but all of us are volunteers and do this on the side. We often take a peek at the logs even if we do not pick them up.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please only use this topic for your replies on this problem. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default.) Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Your HijackThis log looks clean. However, I do not like what you are telling me happened, and therefore we will look a bit deeper. We will start with an online scan that will not remove anything but will give me more to work with.


You will need to use Internet Explorer for this scan as it will not run under other browsers.

Go here to run an online scanner from Kaspersky.

  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.


Next Download and Run ComboFix

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Please post the Kaspersky and the ComboFix logs in this thread, together with a description of any unusual behaviour by your computer.
Elrond
Admin/Teacher Emeritus
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Hmmmm....

Post by dantijkc » July 11th, 2007, 7:20 pm

Now, the router seems to be functioning fine, but ZoneAlarm constantly keeps informing me of attempts to alter the registry. I am not doing this myself, but I am denying the changes.

I don't know if those scans are going to help much for the following reasons: 1) Kaspersky found nothing and the log file it created reads simply:

ÿþ-

That's it... it doesn't say anything else.

For the ComboFix, it quarantined a backup of my registry and nothing else and said at the end it would create a log file in C:\ComboFix but didn't tell me what the log file would be called. It then ended and when I went to the folder to find the log there was nothing even resembling a log file to my knowledge... no .txt or .log file. There are mainly just .bat, .sys, and .exe files. Any idea what this log would be called and then maybe I could post it?
dantijkc
Active Member
Posts: 11
Joined: July 10th, 2007, 11:23 am

Post by Elrond » July 12th, 2007, 3:44 am

Hi again dantijkc

Those two scans should have given reports. There seems to be something that stops them from running correctly.

Let's try this.


Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
      Do you want to skip supplementary searches?
      click NO
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
Elrond
Admin/Teacher Emeritus
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Error Message, but log completed it seems!

Post by dantijkc » July 12th, 2007, 12:05 pm

Hi Elrond and thanks for helping!

About 2-3 minutes after starting Silent Runners, I got a Windows error message that read the following:

Windows Script Host [In title Bar]
Script: C:\Documents and Settings... Silent Runners.vbs
Line: 7884
Char: 4
Error: Overflow: 'hVal'
Source: Microsoft VBScript runtime error

The message had no buttons, only the x to close. After doing so, I waited about an hour with no 'done' message and copied the log to a new file (in case it was still writing although it didn't seem promising). Here is the log:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"SpybotSD TeaTimer" = "D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"Norton SystemWorks" = ""D:\Program Files\Norton\System Works\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz" ["Symantec Corporation"]
"AWMON" = ""D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"" ["Lavasoft Sweden"]
"DeskSlide" = "D:\Program Files\DeskSlide\DeskSlide.exe -logon -hide" ["George Obada"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"Lexmark X6100 Series" = ""C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"" ["Lexmark International, Inc."]
"THGuard" = ""D:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"Norton Ghost 9.0" = "D:\Program Files\Norton\Ghost\Agent\GhostTray.exe" ["Symantec Corporation"]
"Acrobat Assistant 7.0" = ""D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"(Default)" = "(empty string)" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"ZoneAlarm Client" = ""D:\Program Files\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "D:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"QuickTime Task" = ""D:\Program Files\Quicktime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "D:\PROGRA~1\MSOFFI~1\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\MSOFFI~1\Office\OLKFSTUB.DLL" [MS]
"{990a81a0-b289-11cf-a800-00a0c903a2a6}" = "Cryptext"
-> {HKLM...CLSID} = "Cryptext"
\InProcServer32\(Default) = "C:\WINNT\system32\ShellExt\Cryptext.dll" [empty string]
"{46E22146-59C0-4136-9233-52E412E2B428}" = "EzCddax extension"
-> {HKLM...CLSID} = "EzCddax Class"
\InProcServer32\(Default) = "D:\Program Files\Easy CDDA Extractor\ezcddax9.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "D:\Program Files\Real\rpshell.dll" ["RealNetworks, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "D:\Program Files\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG\avgse.dll" ["GRISOFT, s.r.o."]
Cryptext\(Default) = "{990a81a0-b289-11cf-a800-00a0c903a2a6}"
-> {HKLM...CLSID} = "Cryptext"
\InProcServer32\(Default) = "C:\WINNT\system32\ShellExt\Cryptext.dll" [empty string]
EzCddax\(Default) = "{46E22146-59C0-4136-9233-52E412E2B428}"
-> {HKLM...CLSID} = "EzCddax Class"
\InProcServer32\(Default) = "D:\Program Files\Easy CDDA Extractor\ezcddax9.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "D:\Program Files\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Cryptext\(Default) = "{990a81a0-b289-11cf-a800-00a0c903a2a6}"
-> {HKLM...CLSID} = "Cryptext"
\InProcServer32\(Default) = "C:\WINNT\system32\ShellExt\Cryptext.dll" [empty string]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG\avgse.dll" ["GRISOFT, s.r.o."]
Cryptext\(Default) = "{990a81a0-b289-11cf-a800-00a0c903a2a6}"
-> {HKLM...CLSID} = "Cryptext"
\InProcServer32\(Default) = "C:\WINNT\system32\ShellExt\Cryptext.dll" [empty string]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "D:\Program Files\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00
{unrecognized setting}

"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\DeskSlide\slide.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Application Data\DeskSlide\slide.bmp"

Active Desktop web content (hidden if disabled):

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = "My Current Home Page"
"Source" = "About:Home"
"SubscribedURL" = "About:Home"

I will try running the Kaspersky scan again.
dantijkc
Active Member
 
Posts: 11
Joined: July 10th, 2007, 11:23 am

No Dice on the Second Try

Unread postby dantijkc » July 12th, 2007, 10:13 pm

The log read the same thing after a second attempt at a Kaspersky scan. :(
dantijkc
Active Member
 
Posts: 11
Joined: July 10th, 2007, 11:23 am

Unread postby Elrond » July 13th, 2007, 3:24 am

Nothing seems to work at the moment. Even Silent Runners seems cut off.

Let us try this and see if we get a real log. It should show rootkits, which I am starting to suspect because everything is too clean and no scans work. That is not normal and points toward something not being OK.

GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.

  • Download GMER and extract it to the C:\program files\GMER folder.
  • Please rename the GMER file.
    Note: You can rename gmer.exe to anything you like as long as you keep the .exe ending.
    Run the renamed Gmer.exe program by double-clicking the executable file (gmer.exe) in Windows Explorer.
    You may be prompted to scan immediately if GMER detects rootkit activity.

    • If you are prompted to scan your system, click "Yes" to begin the scan.
    • If you are not prompted, click the "Rootkit" tab, then click "Scan".

DO NOT touch the PC at ALL, for whatever reason, until it has 100% completed its scan (or attempted scan, in case of some error)!

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results into a Notepad file and also paste them back in your next reply.

Please post (reply) with the results from the GMER scan and a fresh HijackThis log.


Do not give up. We will find out what is going on. :)


I will be offline from about midday today until midday tomorrow EDT. I have not forgotten you.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
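Reading the log that the GMER step produces, as an added example that is not part of this thread or of GMER itself: a Python triage script that parses GMER's SSDT, INT, inline-hook and IAT lines, groups each hook by the module GMER names as its owner, and separates owners the analyst has already tied to installed security software (here assumed to be only vsdatant.sys) from those still unattributed. The sample log is constructed in GMER's format, and example_unknown.sys is an invented entry.

```python
"""Added example: triage a GMER rootkit-scan log. Every hook GMER reports is
grouped by the module that owns it, owners the analyst has already tied to
installed security software are set aside, and inline hooks that recur in many
processes at the same address are counted (one shared injection, not many)."""
import re
from collections import defaultdict

# Constructed sample in the GMER 1.0.13 text format. Line shapes are copied
# from a real scan; 'example_unknown.sys' is an invented entry for the demo.
SAMPLE_LOG = r"""GMER 1.0.13.12551 - http://www.gmer.net
---- System - GMER 1.0.13 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\example_unknown.sys ZwQueryDirectoryFile
INT 0x2E srescan.sys BFE70A9D
---- Kernel code sections - GMER 1.0.13 ----
? srescan.sys The system cannot find the file specified.
.text NTDLL.DLL!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
---- User code sections - GMER 1.0.13 ----
.text C:\WINNT\Explorer.EXE[1900] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[752] kernel32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\WINNT\Explorer.EXE[1900] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BE664E70] \SystemRoot\System32\vsdatant.sys
---- User IAT/EAT - GMER 1.0.13 ----
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?P<func>\w+)$")
INT_RE = re.compile(r"^INT\s+(?P<vector>0x[0-9A-Fa-f]+)\s+(?P<owner>\S+)\s+[0-9A-F]+$")
UNREAD_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+(?P<message>.+)$")
IAT_RE = re.compile(r"^IAT\s+(?P<victim>.+?)\s*\[(?P<mod>[^\]!]+)!(?P<func>\w+)\]"
                    r"\s+\[[0-9A-F]+\]\s+(?P<owner>.+)$")
INLINE_RE = re.compile(r"^\.text\s+(?:(?P<proc>.+?\[\d+\])\s+)?(?P<mod>[^\s!]+)!(?P<func>\w+)"
                       r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+[0-9A-F]+\s+\d+\s+Bytes\s+(?P<detail>.+)$")


def basename(path):
    """Lower-cased final component of a Windows path ('vsdatant.sys')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return (hooks, unreadable). Each hook is a dict with kind, owner, target
    and, for user-mode inline hooks, the process it was seen in."""
    hooks, unreadable = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):      # blank or '---- section ----' header
            continue
        if m := SSDT_RE.match(line):
            hooks.append(dict(kind="SSDT", owner=basename(m["owner"]), target=m["func"]))
        elif m := INT_RE.match(line):
            hooks.append(dict(kind="INT", owner=basename(m["owner"]), target=f"INT {m['vector']}"))
        elif m := UNREAD_RE.match(line):             # GMER could not read the module from disk
            unreadable.append((basename(m["module"]), m["message"]))
        elif m := IAT_RE.match(line):
            hooks.append(dict(kind="IAT", owner=basename(m["owner"]),
                              target=f"{m['mod'].lower()}!{m['func']}",
                              victim=basename(m["victim"].split(" @ ")[0])))
        elif m := INLINE_RE.match(line):
            detail = m["detail"]
            # GMER names no owner for inline patches; a JMP destination at least
            # localises the hook to a 1 MiB region, which is enough to group by.
            if detail.upper().startswith("JMP"):
                owner = f"jmp@{int(detail.split()[1], 16) >> 20:03X}xxxxx"
            else:
                owner = "inline-patch"
            target = f"{m['mod'].lower()}!{m['func']}" + (f"+{m['off']}" if m["off"] else "")
            hooks.append(dict(kind="INLINE", owner=owner, target=target,
                              process=basename(m["proc"]) if m["proc"] else None))
    return hooks, unreadable


def triage(text, attributed):
    """Split hook owners into those in `attributed` (lower-case module names the
    analyst has already tied to installed software) and everything else."""
    hooks, unreadable = parse_gmer(text)
    by_owner = defaultdict(set)
    spread = defaultdict(set)          # (target, owner) -> processes it was seen in
    for h in hooks:
        by_owner[h["owner"]].add((h["kind"], h["target"]))
        if h["kind"] == "INLINE" and h.get("process"):
            spread[(h["target"], h["owner"])].add(h["process"])
    return {
        "attributed": {o: sorted(t) for o, t in by_owner.items() if o in attributed},
        "unattributed": {o: sorted(t) for o, t in by_owner.items() if o not in attributed},
        "unreadable": unreadable,
        "inline_spread": {k: len(v) for k, v in spread.items()},
    }


if __name__ == "__main__":
    # Assumed for the demo: the analyst has already attributed vsdatant.sys to the installed firewall.
    report = triage(SAMPLE_LOG, {"vsdatant.sys"})
    for owner, targets in report["unattributed"].items():
        print(f"needs a look: {owner}: {targets}")
```

Owners that appear under "unattributed" and also in "unreadable" (a hook whose module GMER could not open on disk) are the ones to research first; a hook seen in every process at the same JMP destination is one system-wide injection, not many separate ones.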

Seemed to Run Fine...

Unread postby dantijkc » July 13th, 2007, 11:13 am

That seemed to run fine. Here's the log:

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-13 11:08:30
Windows 5.0.2195 Service Pack 4


---- System - GMER 1.0.13 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver

INT 0x2E srescan.sys BFE70A9D

---- Kernel code sections - GMER 1.0.13 ----

? srescan.sys The system cannot find the file specified.
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mc21.tmp The system cannot find the file specified.
.text NTDLL.DLL!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text NTDLL.DLL!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[664] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[664] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[664] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[664] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[664] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\Common Files\Real\Update_OB\realsched.exe[664] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[752] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[752] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[752] kernel32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[752] kernel32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[752] kernel32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[752] kernel32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\WINNT\system32\RUNDLL32.EXE[976] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\RUNDLL32.EXE[976] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\RUNDLL32.EXE[976] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\WINNT\system32\RUNDLL32.EXE[976] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\WINNT\system32\RUNDLL32.EXE[976] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\WINNT\system32\RUNDLL32.EXE[976] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\WINNT\system32\internat.exe[988] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\internat.exe[988] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\internat.exe[988] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\WINNT\system32\internat.exe[988] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\WINNT\system32\internat.exe[988] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\WINNT\system32\internat.exe[988] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe[992] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe[992] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe[992] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe[992] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe[992] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe[992] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\PROGRA~1\Grisoft\AVG\avgcc.exe[1208] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\PROGRA~1\Grisoft\AVG\avgcc.exe[1208] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\PROGRA~1\Grisoft\AVG\avgcc.exe[1208] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\PROGRA~1\Grisoft\AVG\avgcc.exe[1208] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\PROGRA~1\Grisoft\AVG\avgcc.exe[1208] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\PROGRA~1\Grisoft\AVG\avgcc.exe[1208] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe[1212] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe[1212] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe[1212] kernel32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe[1212] kernel32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe[1212] kernel32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe[1212] kernel32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\WINNT\system32\rundll32.exe[1520] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\rundll32.exe[1520] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\rundll32.exe[1520] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\WINNT\system32\rundll32.exe[1520] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\WINNT\system32\rundll32.exe[1520] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\WINNT\system32\rundll32.exe[1520] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\DeskSlide\DeskSlide.exe[1868] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\DeskSlide\DeskSlide.exe[1868] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\Program Files\DeskSlide\DeskSlide.exe[1868] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\DeskSlide\DeskSlide.exe[1868] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\Program Files\DeskSlide\DeskSlide.exe[1868] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\Program Files\DeskSlide\DeskSlide.exe[1868] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\WINNT\Explorer.EXE[1900] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\Explorer.EXE[1900] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\WINNT\Explorer.EXE[1900] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\WINNT\Explorer.EXE[1900] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\WINNT\Explorer.EXE[1900] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\WINNT\Explorer.EXE[1900] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe[1984] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe[1984] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe[1984] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe[1984] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe[1984] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe[1984] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\WINNT\system32\lexpps.exe[2000] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\WINNT\system32\lexpps.exe[2000] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\WINNT\system32\lexpps.exe[2000] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\WINNT\system32\lexpps.exe[2000] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\WINNT\system32\lexpps.exe[2000] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\WINNT\system32\lexpps.exe[2000] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\Quicktime\qttask.exe[2136] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Quicktime\qttask.exe[2136] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Quicktime\qttask.exe[2136] KERNEL32.DLL!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Quicktime\qttask.exe[2136] KERNEL32.DLL!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\Program Files\Quicktime\qttask.exe[2136] KERNEL32.DLL!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\Program Files\Quicktime\qttask.exe[2136] KERNEL32.DLL!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\MemTurbo\MemTurbo.exe[2164] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\MemTurbo\MemTurbo.exe[2164] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\Program Files\MemTurbo\MemTurbo.exe[2164] KERNEL32.DLL!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\MemTurbo\MemTurbo.exe[2164] KERNEL32.DLL!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\Program Files\MemTurbo\MemTurbo.exe[2164] KERNEL32.DLL!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\Program Files\MemTurbo\MemTurbo.exe[2164] KERNEL32.DLL!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[2212] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[2212] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[2212] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[2212] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[2212] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[2212] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe[2244] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\Program Files\ZoneAlarm\zlclient.exe[2292] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe[2296] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe[2296] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe[2296] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe[2296] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe[2296] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe[2296] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe[2332] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe[2332] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe[2332] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe[2332] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe[2332] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe[2332] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2448] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2448] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2448] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2448] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2448] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[2448] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\Norton\Ghost\Agent\GhostTray.exe[2572] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text D:\Program Files\Norton\Ghost\Agent\GhostTray.exe[2572] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text D:\Program Files\Norton\Ghost\Agent\GhostTray.exe[2572] KERNEL32.DLL!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text D:\Program Files\Norton\Ghost\Agent\GhostTray.exe[2572] KERNEL32.DLL!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text D:\Program Files\Norton\Ghost\Agent\GhostTray.exe[2572] KERNEL32.DLL!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text D:\Program Files\Norton\Ghost\Agent\GhostTray.exe[2572] KERNEL32.DLL!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe[2588] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe[2588] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe[2588] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe[2588] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe[2588] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe[2588] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A
.text D:\Program Files\TrojanHunter 4.2\THGuard.exe[2632] kernel32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\GMER\GiveAnotherGo.exe[3032] ntdll.dll!NtOpenProcess 77F8870C 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\GMER\GiveAnotherGo.exe[3032] ntdll.dll!NtOpenProcess + 4 77F88710 2 Bytes [ 0E, 5F ]
.text C:\Program Files\GMER\GiveAnotherGo.exe[3032] KERNEL32.dll!DebugActiveProcess 7C57FCEF 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\GMER\GiveAnotherGo.exe[3032] KERNEL32.dll!LoadLibraryExW 7C590595 6 Bytes JMP 5F070F5A
.text C:\Program Files\GMER\GiveAnotherGo.exe[3032] KERNEL32.dll!FreeLibrary + 37 7C5908CE 4 Bytes [ 6A, F7, A6, E2 ]
.text C:\Program Files\GMER\GiveAnotherGo.exe[3032] KERNEL32.dll!OpenProcess 7C5969AD 6 Bytes JMP 5F040F5A

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BE664950] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BE664AC0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BE664E70] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BE664FD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BE664950] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BE664E70] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BE664FD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BE664AC0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BE664950] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BE664FD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BE664E70] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisCloseAdapter] [BE664FD0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisOpenAdapter] [BE664E70] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisDeregisterProtocol] [BE664AC0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\nbf.sys[NDIS.SYS!NdisRegisterProtocol] [BE664950] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [BE671FB0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [BE65D570] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [BE65D4C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [BE65D670] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [BE65D1D0] \SystemRoot\System32\vsdatant.sys

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [23021346] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\Secur32.dll [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BBECD330] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BBECD3A0] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BBECD290] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BBECD290] SYMEVENT.SYS

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BE6718A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [BE6718A0] vsdatant.sys

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [BBECD330] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [BBECD3A0] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [BBECD290] SYMEVENT.SYS
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_NAMED_PIPE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLOSE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_EA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_EA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_VOLUME_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_VOLUME_INFORMATION [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DIRECTORY_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FILE_SYSTEM_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_LOCK_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_MAILSLOT [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_SECURITY [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_SECURITY [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CHANGE [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_QUOTA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_QUOTA [BFF4066E] PQV2i.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_NAMED_PIPE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLOSE [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ [EB934404] avg7rsw.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE
dantijkc
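The GMER listing above is long but repetitive: a handful of hooking modules and filter drivers appear once per redirected import or per IRP major function. The Python below is an added example (not from the poster, from GMER or from this forum) that parses lines in that format, groups the IAT redirections by the module they point into and the filter drivers by the device they sit on, and reports any name not on an analyst-supplied allowlist. The allowlist is the analyst's working identification of the names in the log (shim.dll and AcLayers.DLL are Windows Application Compatibility components; PQV2i.sys, avg7rsw.sys, SYMEVENT.SYS and vsdatant.sys correspond to the Norton Ghost, AVG, Symantec and ZoneAlarm software visible in the process list) and should be confirmed against the files on disk before it is trusted. The sample lines are constructed to mirror the format, and `unknownhook.dll` is a hypothetical entry added only to exercise the flagging path; it is not in the log.

```python
"""Triage helper for GMER-style hook listings (added example, not GMER's own code)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample in the GMER format. The last line is deliberately truncated,
# as the posted log is, to show how incomplete lines are handled.
# "unknownhook.dll" is a hypothetical entry to exercise the flagging path.
SAMPLE_LOG = r"""
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [230214FD] C:\WINNT\AppPatch\AcLayers.DLL
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll
IAT C:\WINNT\Explorer.EXE[1900] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [00A31000] C:\WINNT\system32\unknownhook.dll

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BFF4066E] PQV2i.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [EB934404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BBECD330] SYMEVENT.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [BE6718A0] vsdatant.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE
"""

# Analyst-supplied identification of the hooking modules seen in the log.
# These are working assumptions: confirm each against the file on disk.
KNOWN: Dict[str, str] = {
    "shim.dll": "Windows Application Compatibility shim engine",
    "aclayers.dll": "Windows Application Compatibility layer (AppPatch)",
    "pqv2i.sys": "Norton Ghost volume driver (cf. PQV2iSvc.exe in process list)",
    "avg7rsw.sys": "AVG 7 resident shield",
    "symevent.sys": "Symantec event driver",
    "vsdatant.sys": "ZoneAlarm TrueVector firewall driver",
}

IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
    r"\[(?P<symbol>[^\]]+)\] \[(?P<address>[0-9A-Fa-f]+)\] (?P<hooker>.+)$"
)
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device) (?P<driver>\S+) (?P<device>\S+) "
    r"(?P<irp>IRP_MJ_\w+) \[(?P<address>[0-9A-Fa-f]+)\] (?P<owner>\S+)$"
)


class IatHook(NamedTuple):
    process: str
    pid: int
    module: str   # module whose import table entry was redirected
    symbol: str   # DLL!Function that the entry should resolve to
    address: str
    hooker: str   # module the entry actually points into


class DeviceHook(NamedTuple):
    kind: str
    driver: str
    device: str
    irp: str
    address: str
    owner: str    # filter driver handling the IRP


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> Tuple[List[IatHook], List[DeviceHook], List[str]]:
    """Split a GMER export into IAT hooks, device filters and unparsed lines."""
    iat, devices, unparsed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IAT_RE.match(line)
        if m:
            iat.append(IatHook(m["process"], int(m["pid"]), m["module"],
                               m["symbol"], m["address"], m["hooker"]))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append(DeviceHook(**m.groupdict()))
            continue
        unparsed.append(line)  # truncated or unknown format; never silently dropped
    return iat, devices, unparsed


def symbols_by_hooker(iat: List[IatHook]) -> Dict[str, List[str]]:
    """Hooking module -> sorted distinct imports it intercepts."""
    out = defaultdict(set)
    for h in iat:
        out[h.hooker].add(h.symbol)
    return {k: sorted(v) for k, v in out.items()}


def owners_by_stack(devices: List[DeviceHook]) -> Dict[str, List[str]]:
    """Device -> filter drivers attached to it, in listing order, deduplicated."""
    out: Dict[str, List[str]] = defaultdict(list)
    for d in devices:
        if d.owner not in out[d.device]:
            out[d.device].append(d.owner)
    return dict(out)


def unidentified_modules(iat, devices, known: Dict[str, str]) -> List[str]:
    """Basenames of hooking modules/drivers the analyst has not identified."""
    names = {basename(h.hooker) for h in iat} | {basename(d.owner) for d in devices}
    return sorted(n for n in names if n not in known)


def report(text: str, known: Dict[str, str]) -> List[str]:
    iat, devices, unparsed = parse_gmer(text)
    lines = []
    for hooker, syms in sorted(symbols_by_hooker(iat).items()):
        tag = known.get(basename(hooker), "UNIDENTIFIED - verify vendor/signature on disk")
        lines.append(f"{hooker}: {len(syms)} distinct import(s) redirected ({tag})")
    for device, owners in sorted(owners_by_stack(devices).items()):
        lines.append(f"{device}: filtered by {', '.join(owners)}")
    if unparsed:
        lines.append(f"{len(unparsed)} line(s) not parsed (truncated or unknown format)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, KNOWN)))
```

Run as a script it prints the summary for the constructed sample; passing the saved GMER export to `report` gives the same view of the real log. The report groups rather than scores on purpose: a hook's legitimacy depends on what the hooking module is, not on how many imports it touches, so the useful output is the short list of modules to identify, and anything left in the unidentified set is what the analyst checks next.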

Oh... and the new HijackThis log

Post by dantijkc » July 13th, 2007, 11:17 am

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:13:21 AM, on 7/13/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
D:\Program Files\ProShow Gold\ScsiAccess.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
D:\Program Files\ZoneAlarm\zlclient.exe
D:\PROGRA~1\Grisoft\AVG\avgcc.exe
D:\Program Files\Quicktime\qttask.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\lexpps.exe
C:\WINNT\system32\internat.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\rundll32.exe
D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
D:\Program Files\DeskSlide\DeskSlide.exe
D:\Program Files\MemTurbo\MemTurbo.exe
D:\PROGRA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\HijackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Program Files\Norton\Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "D:\Program Files\Norton\System Works\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [AWMON] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [DeskSlide] D:\Program Files\DeskSlide\DeskSlide.exe -logon -hide
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: MemTurbo.lnk = D:\Program Files\MemTurbo\MemTurbo.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = D:\Program Files\Adobe\Acrobat\Acrobat\acrobat_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5152811406
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15D4E2FE-16D1-42D2-8486-61C9986D71E1}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - D:\Program Files\Norton\Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - D:\Program Files\ProShow Gold\ScsiAccess.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\Norton\SYSTEM~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 10154 bytes
dantijkc
Active Member
 
Posts: 11
Joined: July 10th, 2007, 11:23 am

Vacation

Unread postby dantijkc » July 14th, 2007, 11:59 am

I will be away for two weeks now. Please still respond if you have any suggestions and I will do the tasks and post again when I return.

Thank you so much for helping!

Unread postby Elrond » July 14th, 2007, 3:27 pm

Please check in when you return. Have a good vacation or trip or whatever you are up to. :)

When you get back I have some more work for you. It is still more diagnostics work. :(

    • Please create a new folder in a place where you can easily find it. Call it AutoRuns.
    • Download AutoRuns from http://www.microsoft.com/technet/sysint ... oruns.mspx
      Save it in the folder you created.
    • Right click the file that you downloaded, Autoruns.zip, and select Extract Here
    • Left click Autoruns.exe. A window with a lot of information in it will open.
    • Close to the top left corner you will find File. Click it and then click Save. That will open a window giving you the possibility to choose a name and place to save the file. Just click Save.
    • Find the file AutoRuns.txt in the AutoRuns folder. Double click the file. Notepad will open with a lot of text in it. Copy the contents of the file in your next post in this thread.
  1. Try to find the combofix log here: C:\combofix.txt

  2. Run the following batch file:
    • Copy the contents of the Quote Box below to Notepad. Be sure that Word Wrap is unchecked under Format in the Toolbar.
    • Name the file as Find VBS.bat
    • Change the Save as Type to All Files
    • and Save it on the desktop
      dir /a /s "C:\*.vbs" > vbssearch.txt
      notepad.exe vbssearch.txt
    • Click Find VBS.bat. A black window will open and a moment later Notepad will open.
      Copy the text from Notepad to this thread.
  3. Post the text from Notepad together with the material from AutoRuns, the log from Combofix if it is there, and a new HijackThis log.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
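The Find VBS.bat above only lists paths. A helper triaging a suspected VBS dropper usually also wants size, last-write time and a hash of every script found, so the list can be sorted by recency and compared against known-good copies. The PowerShell script below is an added example for that purpose; it is not Elrond's batch file and not part of the original thread. It assumes it is run in an elevated PowerShell window, and the report path is a placeholder you can change.

```powershell
# Added example (not from the thread): enumerate every .vbs file on the
# system drive, including hidden and system files (the equivalent of dir /a /s),
# and record size, last-write time and SHA-256 for each one.
# Assumptions: run elevated; $Root and $Report are placeholders.
param(
    [string]$Root   = 'C:\',
    [string]$Report = "$env:USERPROFILE\Desktop\vbssearch.csv"
)

# -Force includes hidden and system files; -File skips directories;
# unreadable locations are skipped silently instead of aborting the scan.
$files = Get-ChildItem -Path $Root -Filter '*.vbs' -Recurse -Force -File -ErrorAction SilentlyContinue

$rows = foreach ($f in $files) {
    $hash = 'unreadable'
    try {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
    } catch { }

    [pscustomobject]@{
        Path          = $f.FullName
        SizeBytes     = $f.Length
        LastWriteTime = $f.LastWriteTime.ToString('s')
        Hidden        = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        SHA256        = $hash
    }
}

# Newest files first: a script written around the time of the incident stands out.
$rows | Sort-Object LastWriteTime -Descending |
    Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8

Write-Host "Wrote $(@($rows).Count) entries to $Report"
```

The CSV can be pasted into the thread the same way as vbssearch.txt; the Hidden column and the SHA256 column are what distinguish a script deliberately tucked away from the ordinary .vbs files that Windows and installers leave behind.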

Unread postby Elrond » July 15th, 2007, 12:27 am

Still more work. :)

How to get AVG report
  • Right click the AVG tray icon
  • Select Test Center > Test Results
  • Double click the scan where virus was detected.
  • Select Virus Results
  • At the top of the window select Program > Export List To File
  • Save it as "All Files" and name it AVGlog.txt
  • Post me AVGlog.txt

Add that log, if you can find it, to the material asked for in the last post.


Lastly a question: Can you check the spelling of kernel32.dll that AVG is unhappy with. At one point you spell it kernel32.dll and at another kernell32.dll. Is it just a spelling mistake or are there 2 different files?

Unread postby NonSuch » July 24th, 2007, 4:15 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California