[Not curable - Ramnit] Trojan Horse problem

cyclopspj · Dec 4, 2011

Hi I hope someone can help. AVG keeps popping up when it finds viruses, I heal them but they keep coming back. I'm running windows XP. Firefox is working but some sites it wont. IE is not working at all.

One of the viruses is called Trojan Horse Cryptic.BGF

I have also run Malwarebytes and it finds something but again it keeps coming back after healing.

I downloaded hijack this having read other threads and have attached the log file.

[HJT log removed by Broni]

Any more info you need please ask.

Broni · Dec 5, 2011

Welcome aboard

Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.

If you're stuck, or you're not sure about certain step, always ask before doing anything else.

Please refrain from running tools or applying updates other than those I suggest.

Never run more than one scan at a time.

Keep updating me regarding your computer behavior, good, or bad.

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.

I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

cyclopspj · Dec 5, 2011

Hi Broni, many thanks for your offer of help.

I have done the Malwarebytes scan and it didn't detect anything (although it did yesterday and I removed the threat) the log is as follows:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8312

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

05/12/2011 13:37:44
mbam-log-2011-12-05 (13-37-44).txt

Scan type: Quick scan
Objects scanned: 222306
Time elapsed: 8 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I clicked both the links to download the GMER program but each time Firefox said the following:

Unable to connect

Firefox can't establish a connection to the server at www2.gmer.net.

The site could be temporarily unavailable or too busy. Try again in a few
moments.
If you are unable to load any pages, check your computer's network
connection.
If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.

Shall I wait for your instructions before I download the DDS program?

Broni · Dec 5, 2011

It's working for me right now.
Just in case I uploaded the file for you here: http://www.filedropper.com/967xzn8x

cyclopspj · Dec 8, 2011

Many thanks for the download Broni

This is the GMER kog report:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-07 07:42:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 Hitachi_HDP725050GLA360 rev.GM4OA5CA
Running: 967xzn8x.exe; Driver: C:\DOCUME~1\Pete\LOCALS~1\Temp\fwtcakow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB5604F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB5604FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB5605080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB560511C]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB90AE360, 0x30AD87, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
.text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
? C:\WINDOWS\system32\services.exe[808] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
.text C:\WINDOWS\system32\services.exe[808] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\services.exe[808] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\services.exe[808] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\services.exe[808] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\services.exe[808] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
.text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\lsass.exe[820] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
? C:\WINDOWS\system32\svchost.exe[988] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
? C:\WINDOWS\system32\svchost.exe[1060] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\svchost.exe[1060] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
? C:\WINDOWS\System32\svchost.exe[1100] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\System32\svchost.exe[1100] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
.text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
? C:\WINDOWS\system32\svchost.exe[1156] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\svchost.exe[1156] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
? C:\WINDOWS\system32\svchost.exe[1184] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
.text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\spoolsv.exe[1344] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
.text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
.text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
.text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
.text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
.text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD

continued on next post

cyclopspj · Dec 8, 2011

.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
? C:\WINDOWS\system32\svchost.exe[1912] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\svchost.exe[1912] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\system32\wuauclt.exe[2040] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
.text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
.text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
? C:\WINDOWS\Explorer.EXE[2232] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
.text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
.text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
.text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
.text C:\WINDOWS\Explorer.EXE[2232] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
.text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 20023715
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200233A0
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200233F6
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200237D0
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 20022C37
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200237FD
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 20022C02
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 2002382A
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200235FA
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 20023553
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 20022C69
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 20023851
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 20022BBC
.text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 20022B76
.text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\WINDOWS\System32\alg.exe[3292] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
.text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSASendTo

cyclopspj · Dec 8, 2011

71AC0AAD 5 Bytes JMP 200221A5
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200221A5
.text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200221A5
.text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\WINDOWS\system32\ctfmon.exe[3476] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\WINDOWS\system32\RUNDLL32.EXE[3640] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 20023715
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200233A0
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200233F6
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200237D0
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 20022C37
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200237FD
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 20022C02
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 2002382A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200235FA
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 20023553
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 20022C69
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 20023851
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 20022BBC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 20022B76
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200221A5
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20066798
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005A3DB
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20066614
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [75, A3] {JNZ 0xffffffffffffffa5}
.text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20060FB8
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Pete\Local Settings\Application Data\nprftrxp\vvjrereg.exe 90639 bytes executable
File C:\Documents and Settings\Pete\Start Menu\Programs\Startup\vvjrereg.exe 90639 bytes executable

---- EOF - GMER 1.0.15 ----

cyclopspj · Dec 8, 2011

DDS log 1

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Pete at 13:23:31 on 2011-12-08
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2943.1634 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\pete\local settings\application data\nprftrxp\vvjrereg.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [VvjRereg] c:\documents and settings\pete\local settings\application data\nprftrxp\vvjrereg.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\pete\application data\mozilla\firefox\profiles\qdh8ndvo.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4df78ea4&v=7.008.031.001&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
FF - component: c:\documents and settings\pete\application data\mozilla\firefox\profiles\qdh8ndvo.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\daniel\application data\mozilla\firefox\profiles\77qlg5i5.default\extensions\{000f1ea4-5e08-4564-a29b-29076f63a37a}\plugins\npsoe.dll
FF - plugin: c:\documents and settings\pete\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-3-2 54760]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-23 366152]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [2011-12-3 855904]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-23 22216]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-8-2 215936]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-18 136176]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]
S3 cpuz132;cpuz132;\??\c:\docume~1\alison\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\alison\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-18 136176]
.
=============== Created Last 30 ================
.
2011-12-05 01:13:14 388096 ----a-w- c:\documents and settings\pete\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-05 01:08:02 -------- d-----w- c:\program files\Trend Micro
2011-12-05 00:33:05 -------- d-----w- c:\documents and settings\pete\application data\AVG Secure Search
2011-12-03 08:50:46 -------- d-----w- c:\windows\system32\cache
2011-12-03 08:50:44 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2011-12-02 13:43:33 -------- d-----w- c:\documents and settings\pete\local settings\application data\nprftrxp
.
==================== Find3M ====================
.
2011-10-30 14:57:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 16:05:50 323624 ----a-w- c:\windows\system32\wiaaut.dll
2011-10-07 06:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 06:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 05:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 13:24:08.84 ===============

cyclopspj · Dec 8, 2011

DDS log 2

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 30/07/2010 14:22:02
System Uptime: 08/12/2011 03:38:04 (10 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M2N-CM DVI
Processor: AMD Phenom(tm) 9550 Quad-Core Processor | AM2 | 2200/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 396.943 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Photosmart C5200 series
Device ID: USB\VID_03F0&PID_5D11&MI_00\6&1E99B3BF&0&0000
Manufacturer:
Name: Photosmart C5200 series
PNP Device ID: USB\VID_03F0&PID_5D11&MI_00\6&1E99B3BF&0&0000
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV054C\4&68FE5E4&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV054C\4&68FE5E4&0&00
Service: NVENETFD
.
==== System Restore Points ===================
.
RP389: 10/09/2011 09:53:53 - System Checkpoint
RP390: 11/09/2011 11:26:35 - System Checkpoint
RP391: 12/09/2011 12:00:03 - System Checkpoint
RP392: 13/09/2011 13:59:19 - System Checkpoint
RP393: 14/09/2011 18:17:20 - System Checkpoint
RP394: 15/09/2011 20:17:29 - System Checkpoint
RP395: 16/09/2011 03:00:25 - Software Distribution Service 3.0
RP396: 17/09/2011 09:59:42 - System Checkpoint
RP397: 18/09/2011 12:59:26 - System Checkpoint
RP398: 19/09/2011 15:14:29 - System Checkpoint
RP399: 20/09/2011 16:04:45 - System Checkpoint
RP400: 21/09/2011 18:25:06 - System Checkpoint
RP401: 22/09/2011 18:27:00 - System Checkpoint
RP402: 23/09/2011 18:45:06 - System Checkpoint
RP403: 24/09/2011 19:06:12 - System Checkpoint
RP404: 25/09/2011 19:42:10 - System Checkpoint
RP405: 26/09/2011 19:59:56 - System Checkpoint
RP406: 28/09/2011 07:39:44 - System Checkpoint
RP407: 29/09/2011 07:48:22 - Software Distribution Service 3.0
RP408: 30/09/2011 14:25:57 - System Checkpoint
RP409: 01/10/2011 15:18:13 - System Checkpoint
RP410: 02/10/2011 16:25:53 - System Checkpoint
RP411: 03/10/2011 18:04:12 - System Checkpoint
RP412: 04/10/2011 18:22:30 - System Checkpoint
RP413: 05/10/2011 18:53:14 - System Checkpoint
RP414: 06/10/2011 19:15:56 - System Checkpoint
RP415: 07/10/2011 19:52:32 - System Checkpoint
RP416: 08/10/2011 20:51:39 - System Checkpoint
RP417: 10/10/2011 19:46:15 - System Checkpoint
RP418: 11/10/2011 19:53:17 - System Checkpoint
RP419: 12/10/2011 20:16:08 - System Checkpoint
RP420: 12/10/2011 20:48:38 - Installed AVG 2012
RP421: 12/10/2011 20:48:54 - Removed AVG 2011
RP422: 12/10/2011 20:49:15 - Installed AVG 2012
RP423: 13/10/2011 00:41:09 - Software Distribution Service 3.0
RP424: 13/10/2011 12:55:43 - Installed AVG 2012
RP425: 13/10/2011 13:00:07 - Removed AVG 2011
RP426: 13/10/2011 13:04:46 - Paint.NET v3.5.10
RP427: 14/10/2011 15:29:02 - System Checkpoint
RP428: 15/10/2011 16:14:50 - System Checkpoint
RP429: 16/10/2011 17:54:30 - System Checkpoint
RP430: 17/10/2011 18:24:58 - System Checkpoint
RP431: 18/10/2011 19:28:44 - System Checkpoint
RP432: 19/10/2011 20:08:37 - System Checkpoint
RP433: 20/10/2011 20:22:44 - System Checkpoint
RP434: 21/10/2011 21:40:03 - System Checkpoint
RP435: 22/10/2011 16:11:37 - Installed Bounty Hounds Online
RP436: 23/10/2011 17:27:02 - System Checkpoint
RP437: 24/10/2011 18:06:40 - System Checkpoint
RP438: 25/10/2011 19:25:54 - System Checkpoint
RP439: 26/10/2011 19:41:07 - System Checkpoint
RP440: 27/10/2011 19:54:20 - System Checkpoint
RP441: 28/10/2011 20:29:41 - System Checkpoint
RP442: 29/10/2011 21:02:44 - System Checkpoint
RP443: 30/10/2011 20:04:00 - System Checkpoint
RP444: 31/10/2011 21:21:03 - System Checkpoint
RP445: 01/11/2011 21:30:34 - System Checkpoint
RP446: 02/11/2011 21:48:04 - System Checkpoint
RP447: 03/11/2011 22:38:53 - System Checkpoint
RP448: 04/11/2011 23:24:23 - System Checkpoint
RP449: 07/11/2011 17:25:12 - System Checkpoint
RP450: 08/11/2011 18:10:25 - System Checkpoint
RP451: 09/11/2011 18:53:31 - System Checkpoint
RP452: 10/11/2011 03:00:14 - Software Distribution Service 3.0
RP453: 11/11/2011 03:35:12 - System Checkpoint
RP454: 12/11/2011 03:00:14 - Software Distribution Service 3.0
RP455: 13/11/2011 10:12:43 - System Checkpoint
RP456: 14/11/2011 16:36:44 - System Checkpoint
RP457: 15/11/2011 17:08:37 - System Checkpoint
RP458: 16/11/2011 17:56:38 - System Checkpoint
RP459: 18/11/2011 08:53:43 - System Checkpoint
RP460: 19/11/2011 15:18:29 - System Checkpoint
RP461: 20/11/2011 15:46:27 - System Checkpoint
RP462: 21/11/2011 15:54:36 - System Checkpoint
RP463: 22/11/2011 18:05:50 - System Checkpoint
RP464: 24/11/2011 07:28:34 - System Checkpoint
RP465: 25/11/2011 16:03:32 - System Checkpoint
RP466: 25/11/2011 17:19:30 - Configured Microsoft Office Home and Student 2007
RP467: 27/11/2011 14:15:05 - System Checkpoint
RP468: 28/11/2011 17:24:56 - System Checkpoint
RP469: 29/11/2011 18:13:56 - System Checkpoint
RP470: 30/11/2011 18:15:12 - System Checkpoint
RP471: 01/12/2011 18:18:38 - System Checkpoint
RP472: 03/12/2011 10:10:50 - System Checkpoint
RP473: 04/12/2011 14:47:31 - System Checkpoint
RP474: 05/12/2011 01:13:07 - Installed HiJackThis
RP475: 06/12/2011 01:33:57 - System Checkpoint
RP476: 07/12/2011 01:46:35 - System Checkpoint
RP477: 08/12/2011 07:30:47 - System Checkpoint
.
==== Installed Programs ======================
.
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.4.5
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
µTorrent
AVG 2012
AVG PC Tuneup 2011
Belarc Advisor 8.1
Betfred Poker
BlackBerry Desktop Software 6.1
BlackBerry Device Software Updater
Bonjour
Bounty Hounds Online
BT Broadband Desktop Help
BTHomeHub
CCleaner
CDDRV_Installer
CutePDF Writer 2.8
Defraggler
DivX Setup
DownloadHQ
Driver Mender
FormatFactory 2.60
Garfield's Typing Pal
Google Chrome
Google Earth
Google Update Helper
GoToAssist Corporate
HiJackThis
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java Auto Updater
Java(TM) 6 Update 24
Junk Mail filter update
KhalInstallWrapper
LEGO Universe
Logitech SetPoint
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
MobileMe Control Panel
Mozilla Firefox 8.0 (x86 en-GB)
MSVCRT
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
OGA Notifier 2.0.0048.0
Paint.NET v3.5.10
Pando Media Booster
Platform
PornFlicks
QuickTime
Recover My Files
Safari
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553074)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Excel 2007 (KB2553073)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB923789)
Segoe UI
Steam
System Requirements Lab
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB2641690)
VC80CRTRedist - 8.0.50727.4053
VIA Platform Device Manager
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows XP Service Pack 3
WinRAR archiver
Xvid 1.2.1 final uninstall
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger
Yahoo! Software Update
.
==== Event Viewer Messages From Past Week ========
.
06/12/2011 22:37:51, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6010.
06/12/2011 22:31:35, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.6040.
06/12/2011 22:31:32, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5931.
06/12/2011 22:30:55, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4028.0.
06/12/2011 22:19:07, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
06/12/2011 22:14:31, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadco.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
06/12/2011 22:14:30, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3002.0.
06/12/2011 22:14:28, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msjro.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
06/12/2011 22:14:28, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadox.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
06/12/2011 22:14:27, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadomd.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
06/12/2011 22:14:26, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msado15.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
06/12/2011 22:13:50, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.23167.
06/12/2011 22:13:49, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9246.
05/12/2011 13:29:28, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================

cyclopspj · Dec 8, 2011

I hope I've done it all correctly.

Many Thanks

cyclopspj · Dec 8, 2011

I just did another Malwarebytes scan and it found 20 items this time. This is the log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8320

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/12/2011 18:04:42
mbam-log-2011-12-08 (18-04-41).txt

Scan type: Quick scan
Objects scanned: 223141
Time elapsed: 11 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0730F132-BCC0-473E-9C5A-918E10F8CE57} (Virus.Ramnit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0730F132-BCC0-473E-9C5A-918E10F8CE57} (Virus.Ramnit) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA} (Virus.Ramnit) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\common files\microsoft shared\MSInfo\OFFPRV10.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\ieproxy.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\Plugins\npqtplugin.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\Plugins\npqtplugin2.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\Plugins\npqtplugin3.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\Plugins\npqtplugin4.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\Plugins\npqtplugin5.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\Plugins\npqtplugin6.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\internet explorer\Plugins\npqtplugin7.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npqtplugin.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npqtplugin2.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npqtplugin3.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npqtplugin4.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npqtplugin5.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npqtplugin6.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\npqtplugin7.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
c:\documents and settings\Pete\local settings\Temp\nbhmgtgmaeybirsd.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.

Broni · Dec 8, 2011

I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

Understanding virus names

Threat aliases for Win32/Ramnit.A

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?

Where to draw the line? When to recommend a format and reinstall?

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

cyclopspj · Dec 9, 2011

Hi Broni not good news eh?

Many thanks for your efforts though, they are very much appreciated.

Just some questions before I reformat.

I will want to save photos and some office files before I reformat. I am planning to burn them onto a disk (I have read somewhere that this virus can pass from computer to computer via removable hardware like memory sticks).

Is this the best way to do it? Will these files be infected as well and how will I know?

Broni · Dec 9, 2011

You can use USB flash drive on one condition.

When you're done with reinstalling Windows install following program, which will make connecting any external device safe....

Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.

Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.

Wait until it has finished scanning and then exit the program.

Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows version.
Please, use Panda USB Vaccine, or BitDefender’s USB Immunizer

Make sure to scan all backed up files with your AV program before moving them back to your fresh installation.

TechSpot

Welcome to TechSpot

[Not curable - Ramnit] Trojan Horse problem

cyclopspj Newcomer, in training

Attached Files:

hijackthis.log

Broni Malware Annihilator Posts: 39,189 +175

cyclopspj Newcomer, in training

Broni Malware Annihilator Posts: 39,189 +175

cyclopspj Newcomer, in training

cyclopspj Newcomer, in training

cyclopspj Newcomer, in training

cyclopspj Newcomer, in training

cyclopspj Newcomer, in training

cyclopspj Newcomer, in training

cyclopspj Newcomer, in training

Broni Malware Annihilator Posts: 39,189 +175

cyclopspj Newcomer, in training

Broni Malware Annihilator Posts: 39,189 +175

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.