
Vista PC problems


This topic is locked
22 replies to this topic

#1 MushyP (Full Member, 12 posts)

Posted 16 June 2008 - 10:42 AM

Hi all,
Just recently I've been having a problem with explorer.exe closing and restarting (the task bar disappears and comes back); also on boot I get the messages that khFGVIII.dll and lgocabaq.dll could not be found.

Does anyone know why this is? Hopefully someone can help!

Thanks

Graham

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:41:15, on 16/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\DeltaIITray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\Windows\system32\vjjnpwkm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B1BE73AB-565C-4A1E-9D94-8F46DE3082F3} - C:\Windows\system32\wvUoLDsR.dll (file missing)
O2 - BHO: {f17625b7-7e65-0048-3774-689343aeea5d} - {d5aeea34-3986-4773-8400-56e77b52671f} - C:\Windows\system32\ijsoyxhs.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\Windows\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\khfGVlll.dll,#1
O4 - HKLM\..\Run: [c08ce81f] rundll32.exe "C:\Windows\system32\lgocabaq.dll",b
O4 - HKLM\..\Run: [BMc3bfdb83] Rundll32.exe "C:\Windows\system32\hvyuahxd.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingC7910] cmd /c del "C:\Windows\System32\mlJAqonn.dll_old"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6693 bytes

Edited by nasdaq, 22 June 2008 - 08:13 AM.
coded box removed


#2 snemelk (engineer, Expert, 3,099 posts)

Posted 18 June 2008 - 08:33 AM

Hi MushyP, and Welcome to SWI.

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#3 MushyP (Full Member, 12 posts)

Posted 18 June 2008 - 04:41 PM

Many thanks for your reply. Don't feel sorry for taking time; you're not obliged to give a response to every post, after all. Here's the log from MBAM:

Malwarebytes' Anti-Malware 1.17
Database version: 867
23:29:30 18/06/2008
mbam-log-6-18-2008 (23-29-30).txt

Scan type: Quick Scan
Objects scanned: 50417
Time elapsed: 16 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{514a5c49-0c7d-42c3-a71b-38864a269b7a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514a5c49-0c7d-42c3-a71b-38864a269b7a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3ca60057-9277-49c0-8d64-280dbad9c3e1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3ca60057-9277-49c0-8d64-280dbad9c3e1} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c08ce81f (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMc3bfdb83 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\vtbyqsid.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\disqybtv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

And here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:40:25, on 18/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DeltaIITray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B1BE73AB-565C-4A1E-9D94-8F46DE3082F3} - C:\Windows\system32\wvUoLDsR.dll (file missing)
O2 - BHO: {f17625b7-7e65-0048-3774-689343aeea5d} - {d5aeea34-3986-4773-8400-56e77b52671f} - C:\Windows\system32\ijsoyxhs.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\Windows\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6255 bytes

The .dll errors did not appear after a reboot which is a good sign... hopefully things are back to normal again now.

Thank you once again for your help!
Graham

#4 snemelk (engineer, Expert, 3,099 posts)

Posted 19 June 2008 - 03:32 AM

Hi again MushyP!!..:).

Still a little cleaning is needed...

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

PS. Do me a favour - post logs not in code boxes... Just paste them - it will be a little easier for me to read the logs!..:).

Edited by snemelk, 19 June 2008 - 03:34 AM.


#5 MushyP (Full Member, 12 posts)

Posted 19 June 2008 - 04:36 PM

Sorry I thought I was doing you a favour putting it in a box...
thank you once again!!!


here is my ComboFix Log

ComboFix 08-06-19.1 - Administrator 2008-06-19 23:21:59.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1024 [GMT 1:00]
Running from: C:\Users\Administrator\Desktop\HijackThis\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\fvcxntnm.ini
C:\Windows\system32\ijsoyxhs.dll
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\njgdasli.ini
C:\Windows\System32\nnoqAJlm.ini
C:\Windows\System32\nnoqAJlm.ini2
C:\Windows\system32\qabacogl.ini
C:\Windows\system32\RsDLoUvw.ini
C:\Windows\System32\RsDLoUvw.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 17:48 --------- d-----w C:\Users\Administrator\AppData\Roaming\Canon
2008-06-18 16:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\Malwarebytes
2008-06-18 16:20 --------- d-----w C:\ProgramData\Malwarebytes
2008-06-18 16:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 16:20 --------- d-----w C:\Program Files\Trend Micro
2008-06-15 09:24 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-15 08:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 17:17 --------- d-----w C:\Users\Administrator\AppData\Roaming\LimeWire
2008-06-11 19:39 --------- d-----w C:\Users\Administrator\AppData\Roaming\BitTorrent
2008-06-11 18:38 67,080 ----a-w C:\Windows\system32\drivers\avgwfpx.sys
2008-06-11 18:26 12,424 ----a-w C:\Windows\system32\drivers\avgrkx86.sys
2008-06-11 18:25 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-06-11 18:25 --------- d-----w C:\ProgramData\avg8
2008-06-11 18:25 --------- d-----w C:\Program Files\AVG
2008-06-11 17:53 --------- d-----w C:\ProgramData\Lavasoft
2008-06-11 17:12 --------- d-----w C:\ProgramData\Apple Computer
2008-06-10 18:02 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-06-10 18:02 15,864 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-06-09 23:21 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-06-09 23:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-09 23:20 --------- d-----w C:\Program Files\Java
2008-06-09 23:19 --------- d-----w C:\Program Files\Easypano
2008-06-07 21:51 --------- d-----w C:\ProgramData\Nero
2008-06-07 21:51 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-07 16:01 --------- d-----w C:\Program Files\Nero
2008-06-06 22:54 --------- d-----w C:\Users\Administrator\AppData\Roaming\Nero
2008-06-05 20:36 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-05 20:34 --------- d-----w C:\Program Files\Soulseek
2008-06-03 16:38 --------- d-----w C:\Program Files\LimeWire
2008-05-29 22:14 --------- d-----w C:\Users\Administrator\AppData\Roaming\App Launcher Gadget
2008-05-29 18:42 --------- d-----w C:\Program Files\Direct MP3 Joiner
2008-05-27 02:50 --------- d-----w C:\Users\Administrator\AppData\Roaming\DNA
2008-05-26 23:00 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-25 11:12 --------- d-----w C:\Program Files\coolpro2
2008-05-22 22:32 --------- d-----w C:\Program Files\AM Pro 2.1
2008-05-22 22:28 --------- d-----w C:\Program Files\AM Pro
2008-05-22 18:15 --------- d-----w C:\Program Files\Free M4a to MP3 Converter
2008-05-22 18:00 --------- d-----w C:\ProgramData\RapidSolution
2008-05-22 17:57 --------- d-----w C:\Users\Administrator\AppData\Roaming\Tunebite
2008-05-22 17:53 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-05-22 17:44 --------- d-----w C:\Program Files\RapidSolution
2008-05-22 17:42 --------- d-----w C:\Users\Administrator\AppData\Roaming\NoteCable
2008-05-22 17:28 --------- d-----w C:\ProgramData\TEMP
2008-05-18 23:30 --------- d-----w C:\Program Files\DNA
2008-05-18 23:30 --------- d-----w C:\Program Files\BitTorrent
2008-05-18 23:26 --------- d-----w C:\Program Files\ABC3_1
2006-11-02 12:49 174 --sha-w C:\Program Files\desktop.ini
2007-12-29 14:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-29 14:08 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-29 14:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-08-05 09:49 5 --sha-w C:\Windows\System32\dfeffda3_g.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE73AB-565C-4A1E-9D94-8F46DE3082F3}]
C:\Windows\system32\wvUoLDsR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d5aeea34-3986-4773-8400-56e77b52671f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-03-09 14:40 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M-Audio Taskbar Icon"="C:\Windows\System32\DeltaIITray.exe" [2007-12-03 12:21 236040]
"DeltaIITaskbarApp"="C:\Windows\system32\DeltaIITray.exe" [2007-12-03 12:21 236040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-11 19:38 1177368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm
"Midi1"= KORGUMDD.DRV

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\Windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\Windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-19 00:30 289088 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 12:09 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 17:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite for Smartphones]
-ra------ 2007-06-13 09:16 528384 C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 23:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundFusion]
--a------ 2007-03-09 16:09 493608 C:\Windows\System32\hercplgs.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tunebite]
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-07-21 11:09 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2056407848-3820016962-1051293969-500]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{D43E47CB-F4B9-4220-980B-556C9773D787}C:\\program files\\abc\\abc.exe"= UDP:C:\program files\abc\abc.exe:abc
"UDP Query User{36892A59-13DC-40B2-A378-D22DFACC7DF7}C:\\program files\\abc\\abc.exe"= TCP:C:\program files\abc\abc.exe:abc
"{BEA2A4B9-5C0B-4E57-A6AD-DFAF2F148077}"= UDP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{09046336-CDF2-417B-8949-007B30F0E3FD}"= TCP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{F4395EA8-8DBD-4062-AD64-5B25AB4CDE81}"= UDP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{80C330FE-CA89-4886-8DB9-9FBA484DD326}"= TCP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{066AA853-EEDC-451C-AB7F-E0E31D9D7AC1}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{AB6DCF98-B47C-4B02-8B7E-ABBB44541041}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{D946878A-CE27-48E3-A4B2-357499B8F6B9}"= UDP:C:\Program Files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{56B653A8-5254-4649-89D0-EFEB6CD3AB86}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{33BF394C-9289-4290-B80D-8BDC7DA6E622}C:\\program files\\soulseek\\slsk.exe"= UDP:C:\program files\soulseek\slsk.exe:SoulSeek
"UDP Query User{8ACC195E-8C20-49DC-AE24-2A6F1B418B76}C:\\program files\\soulseek\\slsk.exe"= TCP:C:\program files\soulseek\slsk.exe:SoulSeek
"{5F979A0A-BDD4-4B0D-B287-3F13A4BC0968}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{35174BB5-683A-4999-BBC3-AC7F32CF4FC4}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"5f9eaa91-19ed-4b20-b440-97a2bc9c819c"= UDP:Profile=Private:Allow Local port
"TCP Query User{A59CB814-8C10-4B22-8F19-7D0F10577B97}C:\\program files\\abc\\abc.exe"= UDP:C:\program files\abc\abc.exe:abc
"UDP Query User{7E3962E4-3396-408E-ADC7-B57F5D37CEE6}C:\\program files\\abc\\abc.exe"= TCP:C:\program files\abc\abc.exe:abc
"TCP Query User{B934ADF7-2CF7-4C45-A800-DB23237B192B}C:\\program files\\soulseek\\slsk.exe"= UDP:C:\program files\soulseek\slsk.exe:SoulSeek
"UDP Query User{6C2AE61F-DD7C-4426-B50D-7D8377859391}C:\\program files\\soulseek\\slsk.exe"= TCP:C:\program files\soulseek\slsk.exe:SoulSeek
"{215052AE-9112-41AD-A469-659BC650B8DE}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{1DB3B78F-4B05-4DB3-B68D-3C10D6CFDE68}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{FFF88F65-5E0E-46BE-98F2-BA5FA51C18B8}C:\\program files\\nero\\nero 7\\nero showtime\\showtime.exe"= UDP:C:\program files\nero\nero 7\nero showtime\showtime.exe:Nero ShowTime
"UDP Query User{3BCDC510-1A46-43A5-BB98-0CDD4B0D2EB2}C:\\program files\\nero\\nero 7\\nero showtime\\showtime.exe"= TCP:C:\program files\nero\nero 7\nero showtime\showtime.exe:Nero ShowTime
"{FA29A697-5187-4CE4-8C86-D6DE8053050E}"= UDP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{CB8448FD-64AD-46AB-A19A-646B598A8F4F}"= TCP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{8A36D091-98AC-486A-B15A-9A65BF795F80}"= UDP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{A8AA1A16-C594-48AC-9CE6-5468797D058C}"= TCP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{9B7042DF-39D7-49C9-8E13-4D3114728030}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{5106DCF0-115B-4792-912F-61845381EBEF}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"TCP Query User{20076053-F8AD-4153-A31F-631D4B390204}C:\\program files\\adobe\\dreamweaver\\adobe dreamweaver cs3\\dreamweaver2.exe"= UDP:C:\program files\adobe\dreamweaver\adobe dreamweaver cs3\dreamweaver2.exe:dreamweaver2.exe
"UDP Query User{0A8E4EA0-E16F-45A8-A2A2-22AF5FD5C989}C:\\program files\\adobe\\dreamweaver\\adobe dreamweaver cs3\\dreamweaver2.exe"= TCP:C:\program files\adobe\dreamweaver\adobe dreamweaver cs3\dreamweaver2.exe:dreamweaver2.exe
"TCP Query User{F361EC90-8971-4814-8466-869913DF8165}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7C6C6ACE-6E43-4A0D-BCEE-CF659EFE39F4}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{F639FDDF-55EA-4E43-8DD8-36BA9808FEE2}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{9300781D-D14A-42CF-894B-88A8C497268D}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= UDP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"UDP Query User{228724A9-2597-4DAA-A7DD-ACA8EB0D533B}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= TCP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"TCP Query User{DF5B8FC9-B7C6-49F8-8903-B498AAF2859B}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= UDP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"UDP Query User{184AA1A1-B83A-48A9-BA1B-C4E582F0B1D3}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= TCP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"{06CE8E9F-45C2-48E3-9690-15EA88518FF1}"= UDP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{EFCFD25E-0132-4B40-B93D-15FC7B973483}"= TCP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"TCP Query User{79B33974-A061-4046-A0D4-4FB0AD5F7B2D}C:\\program files\\sony ericsson\\update service\\update service.exe"= UDP:C:\program files\sony ericsson\update service\update service.exe:Update Service
"UDP Query User{3E879A0E-812F-499E-A6E4-91F8EA368BBC}C:\\program files\\sony ericsson\\update service\\update service.exe"= TCP:C:\program files\sony ericsson\update service\update service.exe:Update Service
"{172393D7-65DC-4801-A9DC-1B86551B34FD}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D836373F-37E8-43FD-97E0-A3939126FC5C}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= UDP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
"UDP Query User{A42BBFC1-3127-4BC3-AA8F-A9A6FF7ED3DB}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= TCP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
"TCP Query User{7759E38F-1576-4C50-B4D8-29A456AEF571}C:\\program files\\abc3_1\\abc.exe"= UDP:C:\program files\abc3_1\abc.exe:abc
"UDP Query User{0C04408F-0E18-480C-B027-A485E83880F5}C:\\program files\\abc3_1\\abc.exe"= TCP:C:\program files\abc3_1\abc.exe:abc
"{DCF5EC80-A38E-4BB5-BA54-EE376C244EFB}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{0001F434-4CB6-4098-82EB-50C36F439EB7}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{3DE962F0-0904-4E40-A80B-2719EB75B220}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{B218502A-C8A8-4BF1-A423-FB9C78736C55}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{29EA7B50-925A-434F-BC35-4584CD0FB048}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{763B5DB8-D242-4FCD-93C7-7C005D3BFD23}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"TCP Query User{F8C75667-DADC-4110-8E1F-F61D226CCD85}C:\\program files\\dna\\btdna.exe"= UDP:C:\program files\dna\btdna.exe:DNA
"UDP Query User{C2B70469-FDF1-4C1E-A7F6-BC6B4A007C2F}C:\\program files\\dna\\btdna.exe"= TCP:C:\program files\dna\btdna.exe:DNA
"{81464873-D20E-4586-90FB-A62B56BB07AB}"= UDP:C:\Program Files\RapidSolution\Tunebite\TunebiteHelper.exe:TunebiteHelper
"{06D4CD44-6F5B-412B-9F72-2D6762548BED}"= TCP:C:\Program Files\RapidSolution\Tunebite\TunebiteHelper.exe:TunebiteHelper
"TCP Query User{B97B8462-55C9-4C09-9661-66795E50EE51}C:\\users\\administrator\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= UDP:C:\users\administrator\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"UDP Query User{6851AAF6-717B-4779-9EEF-11320FF066FF}C:\\users\\administrator\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= TCP:C:\users\administrator\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"TCP Query User{86E9330D-7E1A-4481-A346-F4A75C28D476}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"UDP Query User{C260B742-9794-4477-9824-4E988E6D1E02}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"{C6E1F7FD-D96B-4057-9B73-937AF1CCECA6}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FFBD4F3F-7338-4D30-A25F-34B1023285E8}"= C:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{5758B78E-92F5-4B57-BCF2-012F04286D1C}"= UDP:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe:windows media player streaming service
"{F2D10F34-807F-4B1C-B8BB-4C72A1F114BB}"= TCP:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe:windows media player streaming service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 AvgRkx86;avgrkx86.sys;C:\Windows\system32\Drivers\avgrkx86.sys [2008-06-11 19:26]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-11 19:25]
R2 48751;48751;C:\Windows\System32\48751.sys [2007-07-21 11:36]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 19:37]
R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\system32\DRIVERS\RtNdPt60.sys [2007-02-05 22:44]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\system32\DRIVERS\deltaII.sys [2007-12-03 12:21]
R3 FA31x;Netgear FA311/312 NDIS 5.0 Miniport Driver;C:\Windows\system32\DRIVERS\FA31xND5.SYS [2001-04-17 18:41]
R3 hercspud;Hercules ® WDM Audio Driver;C:\Windows\system32\drivers\hercspud.sys [2007-03-14 09:15]
R3 hercwdm;Hercules ® WDM Interface Driver;C:\Windows\system32\drivers\hercwdm.sys [2007-03-13 17:08]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\Windows\system32\DRIVERS\zebrceb.sys [2008-03-09 12:16]
S3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-11 19:38]
S3 ESI_GigaportAG;usb-audio.de driver for ESI - GIGAPortAG;C:\Windows\system32\Drivers\gigapAG.sys [2007-06-29 19:15]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\Windows\system32\Drivers\KORGUMDS.SYS [2007-03-29 20:22]
S3 MBAMCatchMe;MBAMCatchMe;C:\Windows\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]
S3 pgusbmme;usb-audio.de MME-Adapter;C:\Windows\system32\drivers\pgusbmm3.sys [2007-06-29 19:30]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 09:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 09:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 09:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 09:33]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\Windows\system32\DRIVERS\zebrbus.sys [2008-03-09 12:16]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\Windows\system32\DRIVERS\zebrmdfl.sys [2008-03-09 12:16]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\Windows\system32\DRIVERS\zebrmdm.sys [2008-03-09 12:16]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\Windows\system32\DRIVERS\zebrmdmc.sys [2008-03-09 12:16]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\Windows\system32\DRIVERS\zebrsce.sys [2008-03-09 12:16]
S4 Sinimb2md;Sinimb2md;C:\Windows\system32\attrib.exe [2006-11-02 10:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baa4f21e-3e6e-11dc-ae96-111111111111}]
\shell\AutoRun\command - E:\InstallTomTomHOME.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-19 02:29:59 C:\Windows\Tasks\ErrorSweeper Scheduled Scan.job"
- C:\Program Files\ErrorSweeper\ErrorSweeper.ex
- C:\Program Files\ErrorSweeper
"2007-07-21 10:35:12 C:\Windows\Tasks\User_Feed_Synchronization-{C55CA353-2749-4975-A6CF-07F40FE15D4D}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 23:27:12
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\Users\Administrator\AppData\Local\Temp\CabBDCD.tmp 0 bytes
C:\Users\Administrator\AppData\Local\Temp\TarBDCE.tmp 0 bytes
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@msn[2].txt 433 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-06-19 23:31:17 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-06-19 22:31:10

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

309 --- E O F --- 2007-07-21 10:09:32

and here's my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:32:25, on 19/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\DeltaIITray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B1BE73AB-565C-4A1E-9D94-8F46DE3082F3} - C:\Windows\system32\wvUoLDsR.dll (file missing)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\Windows\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 4715 bytes

#6 snemelk

snemelk

    Engineer

  • Expert
  • 3,099 posts

Posted 20 June 2008 - 09:34 AM

Hi again MushyP!!..:).

There are several things I don't like in your logs... We will have to investigate it further...

Firstly,
Go to Start -> Control Panel -> Programs and Features, highlight a program to see the available option on the toolbar for it. Choose Uninstall for:

ErrorSweeper, if still present...

ErrorSweeper is a misleading application that may give exaggerated reports of threats on the computer.

Secondly,

Open Notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
C:\Windows\Tasks\ErrorSweeper Scheduled Scan.job
Folder::
C:\Program Files\ErrorSweeper
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1BE73AB-565C-4A1E-9D94-8F46DE3082F3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d5aeea34-3986-4773-8400-56e77b52671f}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]


Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thirdly,

Please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

C:\Windows\System32\dfeffda3_g.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Important: Please scan also those two files:

C:\Windows\System32\48751.sys
C:\Windows\system32\attrib.exe

Finally,
Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the Desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread (please post the log in a separate post...).


Logs to post:
- a new ComboFix log
- a fresh HijackThis log
- the results from Jotti's virus scan - three files...
- a GMER scan log, in a separate post...

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
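The items snemelk picked out of the logs above (a firewall exception for an executable sitting under a "Recycle Bin" folder in the Start Menu tree, another for a file in the user's Temp directory, a service whose name is just a number, a service registered with attrib.exe as its image, and a BHO whose DLL is "(file missing)") are all things a triage script can flag mechanically. The following Python is an added example written for this thread; it is not part of the original post and is not ComboFix or HijackThis code. The sample lines are constructed copies, in shape, of lines from the logs posted above, and the path markers and stock-utility list are constructed heuristics, not a published detection rule.

```python
"""Triage helper for ComboFix firewall-rule/service lines and HijackThis O2 lines.

Added example for this thread (not ComboFix or HijackThis code). Flags the same
kinds of entries the helper picked out by hand in the logs above.
"""
import re
from typing import List, Tuple

# Constructed sample lines, copied in shape from the logs posted in this thread.
SAMPLE_LOG = r"""
"{5758B78E-92F5-4B57-BCF2-012F04286D1C}"= UDP:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe:windows media player streaming service
"{C6E1F7FD-D96B-4057-9B73-937AF1CCECA6}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{B97B8462-55C9-4C09-9661-66795E50EE51}C:\\users\\administrator\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= UDP:C:\users\administrator\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
R2 48751;48751;C:\Windows\System32\48751.sys [2007-07-21 11:36]
S4 Sinimb2md;Sinimb2md;C:\Windows\system32\attrib.exe [2006-11-02 10:44]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-11 19:37]
O2 - BHO: (no name) - {B1BE73AB-565C-4A1E-9D94-8F46DE3082F3} - C:\Windows\system32\wvUoLDsR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
"""

# Firewall-rule line: <name>"= [TCP:|UDP:][port|]<image path>:<description>
FIREWALL_RE = re.compile(r'"= (?:(?:TCP|UDP):(?:\d+\|)?)?(.+?):[^:\\]*$')
# ComboFix service line: R2 <name>;<display name>;<image path> [<timestamp>]
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[')

# Constructed heuristics: directories no installed program should run from,
# and stock command-line utilities that are never a legitimate service image.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\recycle bin\\")
STOCK_TOOLS = {"attrib.exe", "cmd.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding kind, identifier) pairs for lines worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Firewall exceptions: where does the allowed executable live?
        m = FIREWALL_RE.search(line)
        if m:
            path = m.group(1)
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                findings.append(("firewall-exception-from-odd-location", path))
            continue

        # 2. Services: numeric names, or a stock utility used as the image.
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(2), m.group(4)
            if name.isdigit():
                findings.append(("service-with-numeric-name", image))
            elif basename(image) in STOCK_TOOLS:
                findings.append(("service-hosted-by-stock-utility", image))
            continue

        # 3. HijackThis O2 lines: a BHO registration whose DLL is gone.
        if line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            clsid = line.split(" - ")[2]
            findings.append(("orphaned-bho-registration", clsid))
    return findings


if __name__ == "__main__":
    for kind, ident in triage(SAMPLE_LOG):
        print(f"{kind}: {ident}")
```

Run against the constructed sample it reports five findings: the two firewall exceptions (kdja.exe and setupxu.exe), the numeric service 48751, the Sinimb2md service hosted by attrib.exe, and the orphaned BHO CLSID. Each of those is an entry the removal script and the Jotti uploads in the post above deal with; the script only surfaces them, the decision about what to remove still belongs to the person reading the log.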

#7 MushyP

MushyP

    Member

  • Full Member
  • 12 posts

Posted 20 June 2008 - 06:28 PM

Hello, thanks for being so helpful with this!!

Error Sweeper was not there to uninstall.

I could not find a copy of dfeffda3_g.dll by browsing, but when I just pasted the link to C:\Windows\System32\dfeffda3_g.dll it scanned and gave this:

File: dfeffda3_g.dll
Status: OK
MD5: 2b95aa3baac722f3d35108c0be68e2b4
Packers detected: -

Scanner results
Scan taken on 21 Jun 2008 00:17:01 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: 48751.sys
Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: ee50afab5e473da1dc5eaa5239b775f3
Packers detected: -

Scanner results
Scan taken on 21 Jun 2008 00:11:59 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: attrib.exe
Status: OK
MD5: 8cd951d018bb9c012bbcf0320895d01e
Packers detected: -

Scanner results
Scan taken on 21 Jun 2008 00:15:14 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


ComboFix 08-06-19.1 - Administrator 2008-06-20 18:22:50.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1033.18.1134 [GMT 1:00]
Running from: C:\Users\Administrator\Desktop\HijackThis\ComboFix.exe
Command switches used :: C:\Users\Administrator\Desktop\HijackThis\CFScript.txt
* Created a new restore point

FILE ::
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
C:\Windows\Tasks\ErrorSweeper Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe
C:\Windows\Tasks\ErrorSweeper Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 16:11 69,128 ----a-w C:\Windows\system32\drivers\avgwfpx.sys
2008-06-20 16:11 12,936 ----a-w C:\Windows\system32\drivers\avgrkx86.sys
2008-06-20 16:10 96,520 ----a-w C:\Windows\system32\drivers\avgldx86.sys
2008-06-20 16:10 10,520 ----a-w C:\Windows\System32\avgrsstx.dll
2008-06-19 17:48 --------- d-----w C:\Users\Administrator\AppData\Roaming\Canon
2008-06-18 16:20 --------- d-----w C:\Users\Administrator\AppData\Roaming\Malwarebytes
2008-06-18 16:20 --------- d-----w C:\ProgramData\Malwarebytes
2008-06-18 16:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 16:20 --------- d-----w C:\Program Files\Trend Micro
2008-06-15 09:24 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-06-15 08:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-13 17:17 --------- d-----w C:\Users\Administrator\AppData\Roaming\LimeWire
2008-06-11 19:39 --------- d-----w C:\Users\Administrator\AppData\Roaming\BitTorrent
2008-06-11 18:25 --------- d-----w C:\ProgramData\avg8
2008-06-11 18:25 --------- d-----w C:\Program Files\AVG
2008-06-11 17:53 --------- d-----w C:\ProgramData\Lavasoft
2008-06-11 17:12 --------- d-----w C:\ProgramData\Apple Computer
2008-06-10 18:02 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-06-10 18:02 15,864 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-06-09 23:21 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-06-09 23:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-09 23:20 --------- d-----w C:\Program Files\Java
2008-06-09 23:19 --------- d-----w C:\Program Files\Easypano
2008-06-07 21:51 --------- d-----w C:\ProgramData\Nero
2008-06-07 21:51 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-07 16:01 --------- d-----w C:\Program Files\Nero
2008-06-06 22:54 --------- d-----w C:\Users\Administrator\AppData\Roaming\Nero
2008-06-05 20:36 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-05 20:34 --------- d-----w C:\Program Files\Soulseek
2008-06-03 16:38 --------- d-----w C:\Program Files\LimeWire
2008-05-29 22:14 --------- d-----w C:\Users\Administrator\AppData\Roaming\App Launcher Gadget
2008-05-29 18:42 --------- d-----w C:\Program Files\Direct MP3 Joiner
2008-05-27 02:50 --------- d-----w C:\Users\Administrator\AppData\Roaming\DNA
2008-05-26 23:00 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-05-25 11:12 --------- d-----w C:\Program Files\coolpro2
2008-05-22 22:32 --------- d-----w C:\Program Files\AM Pro 2.1
2008-05-22 22:28 --------- d-----w C:\Program Files\AM Pro
2008-05-22 18:15 --------- d-----w C:\Program Files\Free M4a to MP3 Converter
2008-05-22 18:00 --------- d-----w C:\ProgramData\RapidSolution
2008-05-22 17:57 --------- d-----w C:\Users\Administrator\AppData\Roaming\Tunebite
2008-05-22 17:53 --------- d-----w C:\Program Files\PixiePack Codec Pack
2008-05-22 17:44 --------- d-----w C:\Program Files\RapidSolution
2008-05-22 17:42 --------- d-----w C:\Users\Administrator\AppData\Roaming\NoteCable
2008-05-22 17:28 --------- d-----w C:\ProgramData\TEMP
2008-05-18 23:30 --------- d-----w C:\Program Files\DNA
2008-05-18 23:30 --------- d-----w C:\Program Files\BitTorrent
2008-05-18 23:26 --------- d-----w C:\Program Files\ABC3_1
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2006-11-02 12:49 174 --sha-w C:\Program Files\desktop.ini
2007-12-29 14:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-12-29 14:08 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-12-29 14:08 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-08-05 09:49 5 --sha-w C:\Windows\System32\dfeffda3_g.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-19_23.30.31.11 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 22:26:34 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-20 16:06:50 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-20 16:06:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-06-20 16:06:52 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-06-19 22:27:00 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-20 16:11:18 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-20 16:11:18 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-19 22:27:00 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-20 16:11:12 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-20 16:11:12 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-19 17:42:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-20 16:12:51 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-19 17:42:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-20 16:12:51 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-19 17:42:38 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-20 16:12:51 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-11 18:37:46 26,184 ----a-w C:\Windows\System32\drivers\avgmfx86.sys
+ 2008-06-20 16:10:56 26,824 ----a-w C:\Windows\System32\drivers\avgmfx86.sys
- 2008-06-19 17:47:00 155,274 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-20 16:13:47 155,274 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-19 17:47:00 790,372 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-20 16:13:47 790,372 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-19 17:44:41 9,868 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2056407848-3820016962-1051293969-500_UserData.bin
+ 2008-06-20 16:12:52 10,138 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2056407848-3820016962-1051293969-500_UserData.bin
- 2008-06-19 17:44:40 58,828 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-20 16:12:51 59,032 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-19 17:44:35 50,872 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-20 16:11:21 51,084 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2008-03-09 14:40 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M-Audio Taskbar Icon"="C:\Windows\System32\DeltaIITray.exe" [2007-12-03 12:21 236040]
"DeltaIITaskbarApp"="C:\Windows\system32\DeltaIITray.exe" [2007-12-03 12:21 236040]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-20 17:11 1231128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm
"Midi1"= KORGUMDD.DRV

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=C:\Windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\Windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Administrator^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\Windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-19 00:30 289088 C:\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-04-13 12:09 49152 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 17:54 127022 C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite for Smartphones]
-ra------ 2007-06-13 09:16 528384 C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2005-12-07 23:57 30208 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundFusion]
--a------ 2007-03-09 16:09 493608 C:\Windows\System32\hercplgs.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tunebite]
C:\Program Files\RapidSolution\Tunebite\Tunebite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-07-21 11:09 1006264 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2056407848-3820016962-1051293969-500]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{D43E47CB-F4B9-4220-980B-556C9773D787}C:\\program files\\abc\\abc.exe"= UDP:C:\program files\abc\abc.exe:abc
"UDP Query User{36892A59-13DC-40B2-A378-D22DFACC7DF7}C:\\program files\\abc\\abc.exe"= TCP:C:\program files\abc\abc.exe:abc
"{BEA2A4B9-5C0B-4E57-A6AD-DFAF2F148077}"= UDP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{09046336-CDF2-417B-8949-007B30F0E3FD}"= TCP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{F4395EA8-8DBD-4062-AD64-5B25AB4CDE81}"= UDP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{80C330FE-CA89-4886-8DB9-9FBA484DD326}"= TCP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{066AA853-EEDC-451C-AB7F-E0E31D9D7AC1}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{AB6DCF98-B47C-4B02-8B7E-ABBB44541041}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{D946878A-CE27-48E3-A4B2-357499B8F6B9}"= UDP:C:\Program Files\Grisoft\AVG7\avgemc.exe:avgemc.exe
"{56B653A8-5254-4649-89D0-EFEB6CD3AB86}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"TCP Query User{33BF394C-9289-4290-B80D-8BDC7DA6E622}C:\\program files\\soulseek\\slsk.exe"= UDP:C:\program files\soulseek\slsk.exe:SoulSeek
"UDP Query User{8ACC195E-8C20-49DC-AE24-2A6F1B418B76}C:\\program files\\soulseek\\slsk.exe"= TCP:C:\program files\soulseek\slsk.exe:SoulSeek
"{5F979A0A-BDD4-4B0D-B287-3F13A4BC0968}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{35174BB5-683A-4999-BBC3-AC7F32CF4FC4}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"5f9eaa91-19ed-4b20-b440-97a2bc9c819c"= UDP:Profile=Private:Allow Local port
"TCP Query User{A59CB814-8C10-4B22-8F19-7D0F10577B97}C:\\program files\\abc\\abc.exe"= UDP:C:\program files\abc\abc.exe:abc
"UDP Query User{7E3962E4-3396-408E-ADC7-B57F5D37CEE6}C:\\program files\\abc\\abc.exe"= TCP:C:\program files\abc\abc.exe:abc
"TCP Query User{B934ADF7-2CF7-4C45-A800-DB23237B192B}C:\\program files\\soulseek\\slsk.exe"= UDP:C:\program files\soulseek\slsk.exe:SoulSeek
"UDP Query User{6C2AE61F-DD7C-4426-B50D-7D8377859391}C:\\program files\\soulseek\\slsk.exe"= TCP:C:\program files\soulseek\slsk.exe:SoulSeek
"{215052AE-9112-41AD-A469-659BC650B8DE}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{1DB3B78F-4B05-4DB3-B68D-3C10D6CFDE68}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{FFF88F65-5E0E-46BE-98F2-BA5FA51C18B8}C:\\program files\\nero\\nero 7\\nero showtime\\showtime.exe"= UDP:C:\program files\nero\nero 7\nero showtime\showtime.exe:Nero ShowTime
"UDP Query User{3BCDC510-1A46-43A5-BB98-0CDD4B0D2EB2}C:\\program files\\nero\\nero 7\\nero showtime\\showtime.exe"= TCP:C:\program files\nero\nero 7\nero showtime\showtime.exe:Nero ShowTime
"{FA29A697-5187-4CE4-8C86-D6DE8053050E}"= UDP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{CB8448FD-64AD-46AB-A19A-646B598A8F4F}"= TCP:C:\Program Files\Grisoft\AVG7\avginet.exe:avginet.exe
"{8A36D091-98AC-486A-B15A-9A65BF795F80}"= UDP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{A8AA1A16-C594-48AC-9CE6-5468797D058C}"= TCP:C:\Program Files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{9B7042DF-39D7-49C9-8E13-4D3114728030}"= UDP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{5106DCF0-115B-4792-912F-61845381EBEF}"= TCP:C:\Program Files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"TCP Query User{20076053-F8AD-4153-A31F-631D4B390204}C:\\program files\\adobe\\dreamweaver\\adobe dreamweaver cs3\\dreamweaver2.exe"= UDP:C:\program files\adobe\dreamweaver\adobe dreamweaver cs3\dreamweaver2.exe:dreamweaver2.exe
"UDP Query User{0A8E4EA0-E16F-45A8-A2A2-22AF5FD5C989}C:\\program files\\adobe\\dreamweaver\\adobe dreamweaver cs3\\dreamweaver2.exe"= TCP:C:\program files\adobe\dreamweaver\adobe dreamweaver cs3\dreamweaver2.exe:dreamweaver2.exe
"TCP Query User{F361EC90-8971-4814-8466-869913DF8165}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{7C6C6ACE-6E43-4A0D-BCEE-CF659EFE39F4}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{F639FDDF-55EA-4E43-8DD8-36BA9808FEE2}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{9300781D-D14A-42CF-894B-88A8C497268D}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= UDP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"UDP Query User{228724A9-2597-4DAA-A7DD-ACA8EB0D533B}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= TCP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"TCP Query User{DF5B8FC9-B7C6-49F8-8903-B498AAF2859B}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= UDP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"UDP Query User{184AA1A1-B83A-48A9-BA1B-C4E582F0B1D3}C:\\program files\\intuwave\\shared\\mrouterruntime\\mrouterruntime.exe"= TCP:C:\program files\intuwave\shared\mrouterruntime\mrouterruntime.exe:mRouterRuntime Module
"{06CE8E9F-45C2-48E3-9690-15EA88518FF1}"= UDP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{EFCFD25E-0132-4B40-B93D-15FC7B973483}"= TCP:C:\Program Files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"TCP Query User{79B33974-A061-4046-A0D4-4FB0AD5F7B2D}C:\\program files\\sony ericsson\\update service\\update service.exe"= UDP:C:\program files\sony ericsson\update service\update service.exe:Update Service
"UDP Query User{3E879A0E-812F-499E-A6E4-91F8EA368BBC}C:\\program files\\sony ericsson\\update service\\update service.exe"= TCP:C:\program files\sony ericsson\update service\update service.exe:Update Service
"{172393D7-65DC-4801-A9DC-1B86551B34FD}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D836373F-37E8-43FD-97E0-A3939126FC5C}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= UDP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
"UDP Query User{A42BBFC1-3127-4BC3-AA8F-A9A6FF7ED3DB}C:\\program files\\common files\\ahead\\nero web\\setupx.exe"= TCP:C:\program files\common files\ahead\nero web\setupx.exe:MSI starter
"TCP Query User{7759E38F-1576-4C50-B4D8-29A456AEF571}C:\\program files\\abc3_1\\abc.exe"= UDP:C:\program files\abc3_1\abc.exe:abc
"UDP Query User{0C04408F-0E18-480C-B027-A485E83880F5}C:\\program files\\abc3_1\\abc.exe"= TCP:C:\program files\abc3_1\abc.exe:abc
"{DCF5EC80-A38E-4BB5-BA54-EE376C244EFB}"= UDP:C:\Program Files\DNA\btdna.exe:DNA
"{0001F434-4CB6-4098-82EB-50C36F439EB7}"= TCP:C:\Program Files\DNA\btdna.exe:DNA
"{3DE962F0-0904-4E40-A80B-2719EB75B220}"= UDP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"{B218502A-C8A8-4BF1-A423-FB9C78736C55}"= TCP:C:\Program Files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{29EA7B50-925A-434F-BC35-4584CD0FB048}C:\\program files\\bittorrent\\bittorrent.exe"= UDP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{763B5DB8-D242-4FCD-93C7-7C005D3BFD23}C:\\program files\\bittorrent\\bittorrent.exe"= TCP:C:\program files\bittorrent\bittorrent.exe:bittorrent
"TCP Query User{F8C75667-DADC-4110-8E1F-F61D226CCD85}C:\\program files\\dna\\btdna.exe"= UDP:C:\program files\dna\btdna.exe:DNA
"UDP Query User{C2B70469-FDF1-4C1E-A7F6-BC6B4A007C2F}C:\\program files\\dna\\btdna.exe"= TCP:C:\program files\dna\btdna.exe:DNA
"{81464873-D20E-4586-90FB-A62B56BB07AB}"= UDP:C:\Program Files\RapidSolution\Tunebite\TunebiteHelper.exe:TunebiteHelper
"{06D4CD44-6F5B-412B-9F72-2D6762548BED}"= TCP:C:\Program Files\RapidSolution\Tunebite\TunebiteHelper.exe:TunebiteHelper
"TCP Query User{B97B8462-55C9-4C09-9661-66795E50EE51}C:\\users\\administrator\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= UDP:C:\users\administrator\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"UDP Query User{6851AAF6-717B-4779-9EEF-11320FF066FF}C:\\users\\administrator\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= TCP:C:\users\administrator\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"TCP Query User{86E9330D-7E1A-4481-A346-F4A75C28D476}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"UDP Query User{C260B742-9794-4477-9824-4E988E6D1E02}C:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:C:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"{C6E1F7FD-D96B-4057-9B73-937AF1CCECA6}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{FFBD4F3F-7338-4D30-A25F-34B1023285E8}"= C:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{5758B78E-92F5-4B57-BCF2-012F04286D1C}"= UDP:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe:windows media player streaming service
"{F2D10F34-807F-4B1C-B8BB-4C72A1F114BB}"= TCP:C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Recycle Bin\kdja.exe:windows media player streaming service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"= C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 AvgRkx86;avgrkx86.sys;C:\Windows\system32\Drivers\avgrkx86.sys [2008-06-20 17:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-06-20 17:10]
R2 48751;48751;C:\Windows\System32\48751.sys [2007-07-21 11:36]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-20 17:11]
R2 RtNdPt60;Realtek NDIS Protocol Driver;C:\Windows\system32\DRIVERS\RtNdPt60.sys [2007-02-05 22:44]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWfpX;AVG8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-06-20 17:11]
R3 DELTAII;Service for M-Audio Delta Driver (WDM);C:\Windows\system32\DRIVERS\deltaII.sys [2007-12-03 12:21]
R3 FA31x;Netgear FA311/312 NDIS 5.0 Miniport Driver;C:\Windows\system32\DRIVERS\FA31xND5.SYS [2001-04-17 18:41]
R3 hercspud;Hercules ® WDM Audio Driver;C:\Windows\system32\drivers\hercspud.sys [2007-03-14 09:15]
R3 hercwdm;Hercules ® WDM Interface Driver;C:\Windows\system32\drivers\hercwdm.sys [2007-03-13 17:08]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);C:\Windows\system32\DRIVERS\zebrceb.sys [2008-03-09 12:16]
S3 ESI_GigaportAG;usb-audio.de driver for ESI - GIGAPortAG;C:\Windows\system32\Drivers\gigapAG.sys [2007-06-29 19:15]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\Windows\system32\Drivers\KORGUMDS.SYS [2007-03-29 20:22]
S3 MBAMCatchMe;MBAMCatchMe;C:\Windows\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]
S3 pgusbmme;usb-audio.de MME-Adapter;C:\Windows\system32\drivers\pgusbmm3.sys [2007-06-29 19:30]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 09:33]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 09:33]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 09:33]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 09:33]
S3 zebrbus;Sony Ericsson Composite Device driver;C:\Windows\system32\DRIVERS\zebrbus.sys [2008-03-09 12:16]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\Windows\system32\DRIVERS\zebrmdfl.sys [2008-03-09 12:16]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\Windows\system32\DRIVERS\zebrmdm.sys [2008-03-09 12:16]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\Windows\system32\DRIVERS\zebrmdmc.sys [2008-03-09 12:16]
S3 zebrsce;Sony Ericsson PC-Connect Port;C:\Windows\system32\DRIVERS\zebrsce.sys [2008-03-09 12:16]
S4 Sinimb2md;Sinimb2md;C:\Windows\system32\attrib.exe [2006-11-02 10:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{baa4f21e-3e6e-11dc-ae96-111111111111}]
\shell\AutoRun\command - E:\InstallTomTomHOME.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-07-21 10:35:12 C:\Windows\Tasks\User_Feed_Synchronization-{C55CA353-2749-4975-A6CF-07F40FE15D4D}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 18:25:43
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-20 18:27:17
ComboFix-quarantined-files.txt 2008-06-20 17:26:56
ComboFix2.txt 2008-06-19 22:31:18

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

334 --- E O F --- 2007-07-21 10:09:32


Here's my fresh HJT log

Logfile of HijackThis v1.99.1
Scan saved at 01:26:00, on 21/06/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DeltaIITray.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\explorer.exe
C:\Users\Administrator\Desktop\HijackThis\gmer\gmer.exe
C:\Users\Administrator\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B1BE73AB-565C-4A1E-9D94-8F46DE3082F3} - (no file)
O2 - BHO: (no name) - {d5aeea34-3986-4773-8400-56e77b52671f} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\Windows\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)


GMER log to follow!

#8 MushyP

MushyP

    Member

  • Full Member
  • 12 posts

Posted 21 June 2008 - 01:34 AM

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-21 08:32:44
Windows 6.0.6000


---- User code sections - GMER 1.0.14 ----

.text C:\Users\Administrator\Desktop\HijackThis\gmer\gmer.exe[700] ntdll.dll!NtCreateFile + 3 771AF417 2 Bytes JMP 0300BAFA
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxIndirectParamW 772F14DA 5 Bytes JMP 7193FEBF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxExA 7730570D 5 Bytes JMP 7193FE06 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxParamA 773065BF 5 Bytes JMP 7193FE84 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxIndirectW 7730F1B3 5 Bytes JMP 717D15DA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxParamW 7731129F 5 Bytes JMP 717AF205 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!DialogBoxIndirectParamA 773329B1 5 Bytes JMP 7193FEFA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxIndirectA 7733FAB7 5 Bytes JMP 7193FE40 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1400] USER32.dll!MessageBoxExW 7733FBB1 5 Bytes JMP 7193FDCC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!OutputDebugStringW 75AC60A7 5 Bytes JMP 28001E60 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!FindResourceExA 75AC92DD 7 Bytes JMP 28001C30 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!FindResourceA 75AC93BB 5 Bytes JMP 28001BA0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!FindResourceW 75AD33FE 5 Bytes JMP 28001A90 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!SizeofResource 75AD341C 7 Bytes JMP 28001D90 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!SetUnhandledExceptionFilter 75ADD187 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!CreateEventA 75AF7B60 5 Bytes JMP 28001850 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!LockResource 75AFD5DF 5 Bytes JMP 28001E00 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!FindResourceExW 75AFD673 7 Bytes JMP 28001B10 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] kernel32.dll!LoadResource 75AFD74B 7 Bytes JMP 28001CD0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] ADVAPI32.dll!CryptDeriveKey 75E2D229 7 Bytes JMP 28001000 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] ADVAPI32.dll!CryptDecrypt 75E2D359 7 Bytes JMP 28001060 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!SetWindowPlacement 772E74D9 5 Bytes JMP 28005860 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!TrackPopupMenuEx 772EC75F 5 Bytes JMP 280049A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!LoadImageW 772ED3C5 5 Bytes JMP 280060C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!SetWindowRgn 772EE006 7 Bytes JMP 280059A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!CreateWindowExW 772F85F0 5 Bytes JMP 28003850 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!LoadIconW 772F86D8 5 Bytes JMP 280062B0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!PeekMessageW 773025BC 1 Byte [ E9 ]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!PeekMessageW + 2 773025BE 3 Bytes [ 1A, D0, B0 ]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!MessageBoxIndirectW 7730F1B3 5 Bytes JMP 28005CB0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] USER32.dll!CreateDialogParamW 7731A500 5 Bytes JMP 28005AC0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WS2_32.dll!closesocket 75F73847 5 Bytes JMP 2800A6E0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WS2_32.dll!send 75F73A8A 5 Bytes JMP 2800A2C0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WS2_32.dll!recv 75F74ABD 5 Bytes JMP 28009F00 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WS2_32.dll!WSASend 75F74EE9 2 Bytes JMP 2800A4A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WS2_32.dll!WSASend + 3 75F74EEC 2 Bytes [ 09, B2 ]
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WS2_32.dll!WSARecv 75F772B5 5 Bytes JMP 2800A0A0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] SHELL32.dll!Shell_NotifyIconW 7608310C 5 Bytes JMP 28003000 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] ole32.dll!CoRegisterClassObject 770239AC 5 Bytes JMP 28002210 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] ole32.dll!CoInitializeEx 7705885D 5 Bytes JMP 28002110 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WININET.dll!InternetCloseHandle 75C5DA79 5 Bytes JMP 28009110 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WININET.dll!HttpOpenRequestA 75C64341 5 Bytes JMP 28008DD0 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WININET.dll!InternetReadFile 75C6ABAC 5 Bytes JMP 28008F60 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1764] WININET.dll!HttpSendRequestA 75C6CD38 5 Bytes JMP 28009040 C:\Program Files\Messenger Plus! Live\MsgPlusLive1.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolIo + FFF48011 75AB1809 17 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTime + B 75AB181B 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTime + 11 75AB1821 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTime + 17 75AB1827 95 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTime + 77 75AB1887 16 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTimeAsFileTime + 8 75AB1898 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTimeAsFileTime + E 75AB189E 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTimeAsFileTime + 14 75AB18A4 17 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetSystemTimeAsFileTime + 26 75AB18B6 32 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!VirtualProtect + 18 75AB18D7 3 Bytes [ 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!VirtualProtect + 1C 75AB18DB 13 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!TerminateProcess + 9 75AB18E9 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!TerminateProcess + 22 75AB1902 6 Bytes [ 00, 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!TerminateProcess + 29 75AB1909 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!TerminateProcess + 31 75AB1911 17 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW + B 75AB1925 10 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW + 16 75AB1930 1 Byte [ 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW + 1A 75AB1934 3 Bytes [ 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW + 20 75AB193A 67 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW + 64 75AB197E 13 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA + B 75AB19C3 99 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA + 6F 75AB1A27 27 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA + 8C 75AB1A44 18 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA + 9F 75AB1A57 3 Bytes [ 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA + A5 75AB1A5D 31 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ReadProcessMemory + 2D 75AB1C0F 12 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ReadProcessMemory + 3A 75AB1C1C 119 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteProcessMemory + 71 75AB1C96 20 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteProcessMemory + 86 75AB1CAB 81 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteProcessMemory + D8 75AB1CFD 4 Bytes [ 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteProcessMemory + DE 75AB1D03 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteProcessMemory + E4 75AB1D09 36 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessW + 7 75AB1D2E 31 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessW + 27 75AB1D4E 4 Bytes [ 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessW + 2C 75AB1D53 3 Bytes [ 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessW + 30 75AB1D57 11 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessA + 7 75AB1D63 31 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessA + 27 75AB1D83 4 Bytes [ 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessA + 2C 75AB1D88 3 Bytes [ 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateProcessA + 30 75AB1D8C 11 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!Sleep + 7 75AB1D98 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!Sleep + F 75AB1DA0 3 Bytes [ 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!Sleep + 13 75AB1DA4 18 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!Sleep + 26 75AB1DB7 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!Sleep + 2E 75AB1DBF 5 Bytes [ 00, 00, 00, 00, 00 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!RegisterWaitForSingleObjectEx + C 75AB1ECF 11 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!RegisterWaitForSingleObjectEx + 18 75AB1EDB 8 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!RegisterWaitForSingleObjectEx + 21 75AB1EE4 8 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!RegisterWaitForSingleObjectEx + 2A 75AB1EED 3 Bytes [ 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!RegisterWaitForSingleObjectEx + 2E 75AB1EF1 5 Bytes [ 00, 00, 00, 00, 00 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!InitAtomTable + 1C 75AB1F96 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!InitAtomTable + 22 75AB1F9C 18 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!InitAtomTable + 35 75AB1FAF 1 Byte [ 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!InitAtomTable + 37 75AB1FB1 12 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!InitAtomTable + 44 75AB1FBE 7 Bytes [ 00, 00, 00, 00, 00, 00, 00 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetMailslotInfo + 37 75AB208E 91 Bytes [ 16, 77, 8E, 7D, 1B, 77, 0F, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetMailslotInfo + 93 75AB20EA 311 Bytes [ 1A, 77, 64, 04, 1B, 77, 59, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetThreadpoolThreadMinimum + AF 75AB2222 460 Bytes [ 1A, 77, 80, 49, 19, 77, 04, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WerRegisterFile + 1B6 75AB23EF 253 Bytes [ 77, 86, 06, 1E, 77, 79, AE, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA + 69 75AB24ED 399 Bytes [ DC, 18, 77, EC, B7, 15, 77, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesW + 3A 75AB267D 425 Bytes [ 05, 1B, 77, 74, 03, 1B, 77, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesW + 1E4 75AB2827 13 Bytes [ FE, 7F, 3B, C2, 75, 5A, 89, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesW + 1F2 75AB2835 54 Bytes [ 45, F8, 50, 89, 4D, F8, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesW + 229 75AB286C 73 Bytes [ 8B, 4D, F0, 66, 89, 48, 0A, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesExW + 4 75AB28B6 21 Bytes [ F3, 90, EB, DB, 90, 90, 90, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesExW + 1B 75AB28CD 4 Bytes [ FF, 75, 08, 6A ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesExW + 20 75AB28D2 25 Bytes CALL 75AD70AB C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesExW + 3A 75AB28EC 5 Bytes [ 75, 0C, FF, 75, 08 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumResourceLanguagesExW + 40 75AB28F2 49 Bytes [ 15, BC, 14, AB, 75, 85, C0, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolTimer + C3 75AB2D79 5 Bytes [ 75, 10, FF, 75, 0C ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolTimer + C9 75AB2D7F 24 Bytes CALL 75AC917E C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolTimer + E3 75AB2D99 10 Bytes CALL 75AF888C C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolTimer + EE 75AB2DA4 18 Bytes [ FF, 75, 0C, FF, 75, 08, 68, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolTimer + 101 75AB2DB7 34 Bytes [ 3B, C3, 0F, 84, 1A, 71, 05, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!DefineDosDeviceA + 16 75AB2E8F 86 Bytes [ AB, 75, 85, C0, 0F, 8D, 34, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!DefineDosDeviceA + 6D 75AB2EE6 28 Bytes [ F6, 0F, 84, 42, 1B, 06, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!DefineDosDeviceA + 8A 75AB2F03 4 Bytes [ 84, 63, 1B, 06 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!DefineDosDeviceA + 8F 75AB2F08 42 Bytes [ FF, 75, 18, FF, 75, 14, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!DefineDosDeviceA + BA 75AB2F33 4 Bytes [ 8C, 5C, 1B, 06 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!EnumSystemLocalesW + E 75AB2F64 17 Bytes [ 90, 90, 90, 90, 90, 8B, 45, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BaseInitAppcompatCacheSupport 75AB2F76 59 Bytes [ 90, 90, 90, 90, 8B, FF, 55, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BaseInitAppcompatCacheSupport + 3C 75AB2FB2 62 Bytes [ 75, FC, 68, 68, A5, B7, 75, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BaseInitAppcompatCacheSupport + 7B 75AB2FF1 4 Bytes [ 10, FF, 75, 0C ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BaseInitAppcompatCacheSupport + 80 75AB2FF6 2 Bytes [ 75, 08 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BaseInitAppcompatCacheSupport + 83 75AB2FF9 107 Bytes [ 15, A4, 13, AB, 75, 85, C0, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ScrollConsoleScreenBufferW + B 75AB314F 19 Bytes [ FF, 50, 8B, 85, 58, FD, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ScrollConsoleScreenBufferW + 1F 75AB3163 106 Bytes [ 8D, B5, 5C, FF, FF, FF, E9, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ScrollConsoleScreenBufferW + 8A 75AB31CE 15 Bytes [ 5D, FC, 8B, B0, 30, 02, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ScrollConsoleScreenBufferW + 9B 75AB31DF 43 Bytes CALL 75ABC559 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ScrollConsoleScreenBufferW + C8 75AB320C 8 Bytes [ FF, 8B, 45, E4, E8, 60, 56, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WinExec + 1E 75AB32FD 9 Bytes [ 8B, 46, 2C, 03, C6, FF, 75, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WinExec + 29 75AB3308 2 Bytes [ 1F, 21 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WinExec + 2D 75AB330C 4 Bytes [ 89, 45, E4, 85 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WinExec + 32 75AB3311 20 Bytes CALL 75AB8FA6 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WinExec + 47 75AB3326 5 Bytes [ 00, 00, 8B, 45, E4 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetComputerNameExA + B 75AB33B7 62 Bytes [ 89, 7D, FC, 8B, B3, 30, 02, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetComputerNameExA + 4A 75AB33F6 22 Bytes CALL 75AB3427 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetComputerNameExA + 61 75AB340D 12 Bytes [ 00, 00, 00, CC, FF, FF, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetComputerNameExA + 6F 75AB341B 35 Bytes [ FF, 00, 00, 00, 00, 29, 24, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetComputerNameExA + 93 75AB343F 11 Bytes [ 01, 00, 00, FF, 75, 08, 50, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!QueryInformationJobObject + 17 75AB3695 13 Bytes JMP 75B10619 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!QueryInformationJobObject + 25 75AB36A3 23 Bytes [ 85, B0, F5, FF, FF, 50, 8D, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!QueryInformationJobObject + 3D 75AB36BB 46 Bytes [ FF, 50, 8D, 85, 60, F5, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!QueryInformationJobObject + 6C 75AB36EA 20 Bytes JMP 75AB37FF C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!QueryInformationJobObject + 81 75AB36FF 16 Bytes [ 00, A1, AC, A4, B7, 75, 33, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!OpenFile + 23 75AB380F 65 Bytes CALL 75AF5EBC C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!OpenFile + 65 75AB3851 17 Bytes [ 89, 85, E0, FE, FF, FF, 3B, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!OpenFile + 77 75AB3863 15 Bytes [ 00, 00, 8B, 85, D8, FE, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!OpenFile + 88 75AB3874 9 Bytes [ 85, D8, FE, FF, FF, FF, 75, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!OpenFile + 92 75AB387E 4 Bytes [ B5, B0, FE, FF ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetVolumeInformationA + C 75AB3DA2 195 Bytes [ 00, 00, 8B, 40, 30, 6A, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetVolumeInformationA + D0 75AB3E66 46 Bytes [ 8B, C6, 5E, C9, C2, 04, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetVolumeInformationA + FF 75AB3E95 2 Bytes [ 74, 39 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetVolumeInformationA + 102 75AB3E98 44 Bytes [ 75, 10, 8D, 45, F8, 50, E8, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNumberOfConsoleInputEvents + 19 75AB3EC5 21 Bytes [ C7, 5F, 5E, C9, C2, 0C, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNumberOfConsoleInputEvents + 2F 75AB3EDB 28 Bytes [ 55, 8B, EC, 51, 51, FF, 75, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNumberOfConsoleInputEvents + 4C 75AB3EF8 47 Bytes [ 75, 08, FF, 15, A0, 10, AB, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNumberOfConsoleInputEvents + 7C 75AB3F28 7 Bytes [ 85, C0, 0F, 85, 69, 16, 04 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNumberOfConsoleInputEvents + 84 75AB3F30 17 Bytes [ 85, DB, 0F, 85, CB, 5C, 05, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWork + 27 75AB40A2 13 Bytes [ 72, 00, 69, 00, 76, 00, 65, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWork + 35 75AB40B0 5 Bytes [ 45, 00, 4D, 00, 50 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWork + 3B 75AB40B6 5 Bytes [ 00, 00, B8, 80, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWork + 41 75AB40BC 9 Bytes JMP 75AB9760 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWork + 4B 75AB40C6 74 Bytes JMP 75AB9760 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteFileEx + 39 75AB4112 74 Bytes JMP 75ABF001 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteFileEx + 84 75AB415D 31 Bytes [ 00, 00, 5D, C2, 14, 00, 90, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteFileEx + A4 75AB417D 65 Bytes [ 8B, 40, 30, 8B, 40, 10, 8B, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteFileEx + E6 75AB41BF 7 Bytes [ 89, 75, 84, 8B, 45, 18, 8B ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WriteFileEx + EE 75AB41C7 141 Bytes [ 89, 45, 8C, 8B, 45, 14, 89, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateDirectoryA + C 75AB42AD 58 Bytes [ EB, DF, C7, 45, 20, 02, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateDirectoryA + 47 75AB42E8 22 Bytes [ 00, 00, 53, 8B, 5D, 0C, 56, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateDirectoryA + 5E 75AB42FF 95 Bytes [ 0C, 6A, 44, 8D, 45, 80, 56, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ReadFileScatter + E 75AB435F 53 Bytes CALL 85F778EF
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ReadFileScatter + 44 75AB4395 75 Bytes [ 45, 0C, 50, 8D, 45, F8, 50, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ReadFileScatter + 90 75AB43E1 6 Bytes [ 00, 0F, 84, CC, 5F, 05 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!ReadFileScatter + 97 75AB43E8 116 Bytes [ 85, C0, 0F, 84, 3E, 5F, 05, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNLSVersion + 6E 75AB445D 6 Bytes [ 40, 00, 00, E9, 9A, 02 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNLSVersion + 75 75AB4464 4 Bytes [ 00, C7, 45, B4 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNLSVersion + 7A 75AB4469 6 Bytes [ 01, 00, 00, E9, 8E, 02 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNLSVersion + 81 75AB4470 107 Bytes [ 00, C7, 45, B4, 80, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!GetNLSVersion + ED 75AB44DC 19 Bytes [ 83, 3E, 03, 0F, 84, 98, 6E, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BindIoCompletionCallback + 23 75AB4518 44 Bytes JMP 75ABA6DB C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BindIoCompletionCallback + 50 75AB4545 32 Bytes [ 8D, 85, 4C, FF, FF, FF, 50, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BindIoCompletionCallback + 71 75AB4566 7 Bytes [ 00, 57, 8D, 85, 24, FF, FF ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BindIoCompletionCallback + 79 75AB456E 73 Bytes [ 50, FF, 15, 48, 10, AB, 75, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!BindIoCompletionCallback + C3 75AB45B8 20 Bytes [ B5, 2C, FF, FF, FF, FF, B5, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetThreadAffinityMask + 3F 75AB468D 61 Bytes [ 7D, 14, 0F, 84, 0F, 11, 06, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetThreadAffinityMask + 7D 75AB46CB 12 Bytes [ 3B, F0, 75, 40, 8B, 45, B4, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateMailslotW + A 75AB46D8 23 Bytes [ FF, 48, 74, 1C, 48, 0F, 84, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateMailslotW + 22 75AB46F0 17 Bytes [ FF, 48, 0F, 84, C5, 10, 06, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateMailslotW + 34 75AB4702 21 Bytes [ 90, 50, FF, 75, 10, E8, FB, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateMailslotW + 4A 75AB4718 7 Bytes [ F7, 85, B8, FD, FF, FF, 00 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateMailslotW + 52 75AB4720 1 Byte [ 20 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateMailslotA + B 75AB47C1 16 Bytes [ FF, 15, B8, 14, AB, 75, 5D, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateMailslotA + 1C 75AB47D2 152 Bytes CALL 75AF919D C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetMailslotInfo + 63 75AB486B 60 Bytes [ 2C, FF, FF, FF, C7, 85, 40, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerA + 2 75AB48A8 16 Bytes CALL 75ABBF9B C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerA + 13 75AB48B9 11 Bytes [ 3B, C6, 75, 30, C7, 85, 4C, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerA + 21 75AB48C7 10 Bytes [ 8D, 85, 3C, FF, FF, FF, 50, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerExA + 2 75AB48D2 31 Bytes [ B5, 48, FF, FF, FF, E8, 9D, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerExA + 22 75AB48F2 11 Bytes [ 40, 0F, 84, A6, FC, FF, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerExA + 2E 75AB48FE 46 Bytes [ FF, 0F, 85, 9A, FC, FF, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerExA + 5D 75AB492D 20 Bytes [ 58, FF, FF, FF, 01, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateWaitableTimerExA + 72 75AB4942 3 Bytes [ 00, 00, 8B ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CancelIo + 4 75AB4AE8 3 Bytes [ F8, 6A, 01 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CancelIo + 9 75AB4AED 1 Byte [ F4 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CancelIo + B 75AB4AEF 27 Bytes [ 8D, 45, EC, 50, FF, 15, 90, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CancelIo + 27 75AB4B0B 210 Bytes [ 90, 90, 90, 90, 90, 8B, FF, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CancelIo + FA 75AB4BDE 11 Bytes [ 46, 00, 4F, 00, 00, 00, 50, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetClientTimeZoneInformation + 20 75AB4D69 21 Bytes JMP 75AB6B27 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetClientTimeZoneInformation + 36 75AB4D7F 111 Bytes [ 8B, 40, 08, 89, 46, 08, C7, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetClientTimeZoneInformation + A6 75AB4DEF 5 Bytes [ 75, FC, 3B, CE, 0F ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetClientTimeZoneInformation + AC 75AB4DF5 95 Bytes [ 7D, B2, 04, 00, 39, 75, 20, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!SetClientTimeZoneInformation + 10C 75AB4E55 42 Bytes [ 00, 00, 00, B4, FF, FF, FF, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindVolumeClose + 22 75AB4F84 35 Bytes [ 59, 39, 4E, 04, 75, 35, 85, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindNextVolumeW + 10 75AB4FA8 1 Byte [ 4E ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindNextVolumeW + 12 75AB4FAA 80 Bytes [ 8B, 09, 89, 48, 0C, 89, 4D, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindNextVolumeW + 63 75AB4FFB 32 Bytes [ 00, BA, 00, 00, 00, 40, E9, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindNextVolumeW + 84 75AB501C 26 Bytes [ 8D, 45, FC, 50, FF, 15, 60, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindNextVolumeW + 9F 75AB5037 82 Bytes [ 15, 34, 11, AB, 75, 53, FF, ... ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindFirstVolumeW + B 75AB5247 6 Bytes [ FF, 8B, D1, 81, E2, E0 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindFirstVolumeW + 12 75AB524E 164 Bytes [ 00, 00, 0F, 84, 68, 19, 00, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindFirstVolumeW + B7 75AB52F3 100 Bytes JMP 4025FF90
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!FindFirstVolumeW + 11C 75AB5358 56 Bytes CALL 75AF8830 C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWait + 4 75AB5391 7 Bytes [ 48, 10, 57, 8D, 55, E0, 52 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWait + D 75AB539A 1 Byte [ 10 ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWait + 10 75AB539D 1 Byte [ 0C ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWait + 12 75AB539F 54 Bytes [ 8B, D1, 80, E2, 01, F6, DA, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!CreateThreadpoolWait + 49 75AB53D6 6 Bytes [ 00, 33, C0, E8, 97, 34 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!PrivCopyFileExW + 26 75AB54B6 12 Bytes [ 48, 04, 8B, 0D, F4, 9B, AD, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!PrivCopyFileExW + 33 75AB54C3 24 Bytes [ 00, 33, F6, 46, 3B, D6, 89, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!PrivCopyFileExW + 4C 75AB54DC 30 Bytes [ 33, C0, 5F, 40, 5E, 5B, 8B, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!PrivCopyFileExW + 6B 75AB54FB 28 Bytes [ 75, 10, FF, 75, 0C, FF, 75, ... ]
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!PrivCopyFileExW + 88 75AB5518 5 Bytes [ 66, C7, 45, D8, 06 ]
.text ...
.text C:\Windows\system32\svchost.exe[1836] kernel32.dll!WerpNotifyUseStringResource + 20
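
One way to triage a GMER user-mode hook listing like the one above, as an added example that is not from this thread, from GMER or from any of the tools mentioned in it. It parses lines in GMER's `.text` hook format, groups them per process and sorts each entry into a bucket a helper would actually look at: a JMP/CALL attributed to a third-party DLL (the pattern the Messenger Plus! Live add-on entries show), a CALL/JMP that resolves back into the hooked DLL itself, a redirection with no module attribution at all, and byte patches that are entirely zero-filled. The sample log, its process names and addresses are constructed for the example and are placeholders, not values from the log above.

```python
import re
from collections import defaultdict

# Constructed sample in GMER's user-mode hook format (placeholder paths and
# addresses, not lines taken from the thread's log).
SAMPLE_LOG = r"""
.text C:\Example\app.exe[1000] kernel32.dll!LoadResource 75AFD74B 7 Bytes JMP 28001CD0 C:\Program Files\Example Add-On\ExampleHook.dll (Example Add-On/Example Vendor)
.text C:\Example\app.exe[1000] WS2_32.dll!send 75F73A8A 5 Bytes JMP 2800A2C0 C:\Program Files\Example Add-On\ExampleHook.dll (Example Add-On/Example Vendor)
.text C:\Example\app.exe[1000] USER32.dll!PeekMessageW 773025BC 1 Byte [ E9 ]
.text C:\Windows\system32\svchost.exe[2000] kernel32.dll!GetSystemTime + B 75AB181B 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\Windows\system32\svchost.exe[2000] kernel32.dll!GetStartupInfoW + 20 75AB193A 67 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\Windows\system32\svchost.exe[2000] kernel32.dll!OpenFile + 23 75AB380F 65 Bytes CALL 75AF5EBC C:\Windows\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[2000] kernel32.dll!ReadFileScatter + E 75AB435F 53 Bytes CALL 85F778EF
.text ...
"""

# One GMER user-mode hook line:
#   .text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Byte(s) JMP|CALL <target> [<hooker path> (<description>)]
#   .text <process>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Byte(s) [ <hex>, <hex>, ... ]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+)(?:\s+\+\s+(?P<offset>[0-9A-F]+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<count>\d+)\s+Bytes?\s+"
    r"(?:(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<hooker>\S.*?)\s+\((?P<desc>[^)]*)\))?"
    r"|\[\s*(?P<bytes>[^\]]*)\])\s*$"
)


def parse_line(line):
    """Return the hook's fields as a dict, or None for lines that are not hooks
    (GMER's own '.text ...' elision marker, blank lines, other sections)."""
    m = HOOK_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(hook):
    """Bucket one parsed hook for triage."""
    if hook["kind"] is not None:  # JMP / CALL redirection
        if hook["hooker"] is None:
            # GMER could not attribute the target to a loaded module: look closer.
            return "unattributed"
        hooked = hook["module"].lower()
        hooker_file = hook["hooker"].rsplit("\\", 1)[-1].lower()
        # A call that lands back inside the hooked DLL is that DLL's own code.
        return "intra-module" if hooker_file == hooked else "third-party"
    tokens = [t.strip() for t in hook["bytes"].split(",") if t.strip()]
    if tokens and all(t in ("00", "...") for t in tokens):
        return "zero-filled"
    return "inline-patch"


def triage(text):
    """Summarise a GMER log: per-process bucket counts plus the entries worth a
    second look (third-party hooks and unattributed redirections)."""
    summary = defaultdict(lambda: defaultdict(int))
    flagged = []
    for line in text.splitlines():
        hook = parse_line(line)
        if hook is None:
            continue
        bucket = classify(hook)
        key = f'{hook["proc"]}[{hook["pid"]}]'
        summary[key][bucket] += 1
        if bucket in ("third-party", "unattributed"):
            flagged.append((key, f'{hook["module"]}!{hook["symbol"]}',
                            bucket, hook["hooker"] or hook["target"]))
    return {k: dict(v) for k, v in summary.items()}, flagged


if __name__ == "__main__":
    summary, flagged = triage(SAMPLE_LOG)
    for proc, buckets in summary.items():
        print(proc, buckets)
    for proc, api, bucket, where in flagged:
        print(f"  {bucket:<13} {proc}  {api}  -> {where}")
```

The buckets are a reading aid, not a verdict: a third-party hook from a known add-on is expected, and a zero-filled run or an unattributed target only tells you which lines to check against the process and module list before deciding anything.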

#9 MushyP

MushyP

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 21 June 2008 - 01:41 AM



#11 MushyP

MushyP

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 21 June 2008 - 02:54 AM

please delete this post

Edited by MushyP, 21 June 2008 - 03:03 AM.


#12 snemelk

snemelk

    inżynier

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 21 June 2008 - 04:11 AM

Hi again MushyP!!..:).

The Gmer log was too long... Could you paste the rest of it??..

Just paste the rest of this log, which didn't fit into that post... Use the Preview message button to see if it fits into one post... If not, split the log into 2 or 3 posts... :thumbup:
c18903e63196580f.gif

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#13 MushyP

MushyP

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 21 June 2008 - 05:31 AM

The txt file is over 1 MB so would be god knows how many posts, I have uploaded it to www.djsuperman.co.uk/GMERLog.txt

Hope that's ok.

Thank you once again

Graham

#14 snemelk

snemelk

    inżynier

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 21 June 2008 - 05:55 AM

Thank you for the logs, MushyP!!..:).

The logs look clean to me... Just one additional scan and one update of the program...

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • In the Window that opens, select Windows, your Language, check the "agree" box and click Continue.
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start -> Control Panel -> Programs and Features, highlight a program to see the available option on the toolbar for it. Choose Uninstall for any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Programs and Features:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe that you downloaded to install the newest version.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Also, your latest HijackThis log was posted from an old version of HijackThis: Logfile of HijackThis v1.99.1...
Please post a fresh HijackThis log, from version v2.0.2 - it's located in: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe... :)..

#15 MushyP

MushyP

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 22 June 2008 - 03:22 AM

That Kaspersky was going all night!

Here's what it found

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, June 22, 2008
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit (build 6000)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 21, 2008 20:22:03
Records in database: 880049
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
H:\

Scan statistics:
Files scanned: 196406
Threat name: 2
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 07:14:57


File name / Threat name / Threats count
C:\Windows\System32\drivers\etc\cm\Nero-7.7.5.1_eng.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
C:\Windows\System32\drivers\etc\cm\spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 1
D:\Documents and Settings\Administrator\Local Settings\Temp\NeroDemo12065\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
E:\Programs\Ahead.Nero.Premium.Edition.PROPER.v7.7.5.1-GHOST\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm 1
E:\Programs\Ahead.Nero.Premium.Edition.PROPER.v7.7.5.1-GHOST\Nero-7.7.5.1_eng\spsexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 1

The selected area was scanned.


and here's the HJT log!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:49, on 22/06/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\DeltaIITray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: (no name) - {B1BE73AB-565C-4A1E-9D94-8F46DE3082F3} - (no file)
O2 - BHO: (no name) - {d5aeea34-3986-4773-8400-56e77b52671f} - (no file)
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\Windows\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\Windows\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 5032 bytes



#16 snemelk

snemelk

    engineer

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 22 June 2008 - 05:45 AM

Hi again!!..:).

We have almost finished...

Please run a scan in HijackThis and check the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {B1BE73AB-565C-4A1E-9D94-8F46DE3082F3} - (no file)
O2 - BHO: (no name) - {d5aeea34-3986-4773-8400-56e77b52671f} - (no file)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -


Then, close all open windows, except HijackThis and click: Fix checked.


Kaspersky scan showed that your copy of Nero-7.7.5.1_eng is infected...

We will remove infected files:

Please download the OTMoveIt2 by OldTimer.
  • Save it to your Desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Windows\System32\drivers\etc\cm\Nero-7.7.5.1_eng.exe
    C:\Windows\System32\drivers\etc\cm\spsexec.exe
    D:\Documents and Settings\Administrator\Local Settings\Temp\NeroDemo12065\Toolbar.exe
    E:\Programs\Ahead.Nero.Premium.Edition.PROPER.v7.7.5.1-GHOST\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe
    E:\Programs\Ahead.Nero.Premium.Edition.PROPER.v7.7.5.1-GHOST\Nero-7.7.5.1_eng\spsexec.exe

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Does any problem persist??. If not, I'll just post final instructions then... :).

Edited by snemelk, 22 June 2008 - 05:45 AM.

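Two of the O2 lines snemelk asks to fix point at CLSIDs whose DLL is gone ("(no file)"), the usual leftover of software that was removed or deleted without unregistering its Browser Helper Object. As an added example that is not from the thread or from HijackThis, the following PowerShell script lists the BHOs registered for Internet Explorer and flags those whose COM server DLL is missing; it is read-only and assumes the standard registry locations (the Wow6432Node paths apply only to 64-bit Windows, so on the 32-bit system in this thread they are simply skipped).

```powershell
# Added example (not from the thread): audit Internet Explorer's registered
# Browser Helper Objects and flag entries whose server DLL no longer exists,
# the condition HijackThis reports as "O2 - BHO: (no name) - {CLSID} - (no file)".
# Run from an elevated prompt; this only reads the registry, it removes nothing.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoServerPath {
    param([string]$Clsid)
    # The DLL implementing a BHO is the default value of the CLSID's InprocServer32 key.
    $classRoots = 'HKLM:\SOFTWARE\Classes\CLSID',
                  'HKCU:\SOFTWARE\Classes\CLSID',
                  'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
    foreach ($classes in $classRoots) {
        $key = Join-Path $classes "$Clsid\InprocServer32"
        if (Test-Path -Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) {
                # Paths may be quoted or use %SystemRoot%-style variables.
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

$report = foreach ($root in $bhoRoots) {
    if (-not (Test-Path -Path $root)) { continue }   # e.g. no Wow6432Node on 32-bit
    foreach ($sub in Get-ChildItem -Path $root) {
        $clsid = $sub.PSChildName
        $path  = Get-BhoServerPath -Clsid $clsid
        $status = if (-not $path)                    { 'no server registered' }
                  elseif (Test-Path -LiteralPath $path) { 'present' }
                  else                               { 'no file (orphaned entry)' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $path; Status = $status }
    }
}

# Orphaned entries are harmless by themselves but are exactly what a cleanup
# pass (or HijackThis "Fix checked") removes; entries marked present deserve
# a look at the DLL's publisher and signature before trusting them.
$report | Sort-Object Status | Format-Table -AutoSize
```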

#17 MushyP

MushyP

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 22 June 2008 - 10:06 AM

That was a quick one this time... here's the results...

C:\Windows\System32\drivers\etc\cm\Nero-7.7.5.1_eng.exe moved successfully.
C:\Windows\System32\drivers\etc\cm\spsexec.exe moved successfully.
D:\Documents and Settings\Administrator\Local Settings\Temp\NeroDemo12065\Toolbar.exe moved successfully.
E:\Programs\Ahead.Nero.Premium.Edition.PROPER.v7.7.5.1-GHOST\Nero-7.7.5.1_eng\Nero-7.7.5.1_eng.exe moved successfully.
E:\Programs\Ahead.Nero.Premium.Edition.PROPER.v7.7.5.1-GHOST\Nero-7.7.5.1_eng\spsexec.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06222008_170242


Haven't noticed any problems with windows closing and general slowness so fingers crossed I think it's sorted now, thank you so much for your help with this!!!

Graham

#18 snemelk

snemelk

    engineer

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 22 June 2008 - 11:02 AM

Haven't noticed any problems with windows closing and general slowness so fingers crossed I think it's sorted now, thank you so much for your help with this!!!

No problem!..:).

Double click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet, you should allow it to do so.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Please, set up a new System Restore point:

Turn off System Restore

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Then, to turn it back on:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.


In order to prevent future infections follow these recommendations:

1. Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or remember to visit Windows Update on a regular basis to stay current with critical updates!

2. Install and run the following free programs:

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly!
If you do not update regularly they will not be able to catch any of the new variants that may come out.

Whilst it is important to have active protection against spyware, please do not run more than one antispyware program's real time protection at once, because they can conflict with each other.
The same applies to antiviruses and firewalls - only one program of the same type in resident mode.

3. Consider using an alternative browser, like Firefox or Opera. They are free, fast, fully customizable and secure - they are updated very quickly!

4. Last but not least, I recommend you read Tony Klein's excellent article: How I got Infected in the First Place?

Hopefully this should take care of your problems! Good luck! :thumbup:

#19 snemelk

snemelk

    engineer

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 04 July 2008 - 11:04 AM

Since this issue appears resolved ... this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.

#20 MushyP

MushyP

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 05 July 2008 - 03:18 AM

Hi, just to say a thank you again for all your help. One last thing, I don't know if it's related but I can't change my background, it's just black. When I try to change the image, none of the standard pictures show, only a pixelated image holder?????
Any ideas?

#21 cnm

cnm

    Mother Lion of SWI

  • Retired Staff
  • PipPipPipPipPip
  • 25,317 posts

Posted 15 July 2008 - 05:43 PM

Reopened at request of snemelk.
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE

#22 snemelk

snemelk

    engineer

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 16 July 2008 - 04:31 AM

Hi again MushyP!!..:).

Sorry for the delayed reply, but the thread has been closed and I was on holiday... :whistle:

The background problem is probably a leftover after the infection...

Let's try this:

Please download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your Desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].
If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.


If the logfile is too big, I suggest you upload it:

Please go to http://savefile.com and upload the log.

There is no need to register, just click the "UPLOAD MY FILE" button. After you upload the file, please post the link to the file in your topic. That way, anyone on the board can see the log almost as easily as if it were posted here.

#23 snemelk

snemelk

    engineer

  • Expert
  • PipPipPipPipPip
  • 3,099 posts

Posted 24 August 2008 - 07:48 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by snemelk, 24 August 2008 - 07:57 AM.

