TechSpot

[Not curable - Ramnit] Trojan Horse problem

By cyclopspj
Dec 4, 2011
  1. Hi, I hope someone can help. AVG keeps popping up when it finds viruses; I heal them, but they keep coming back. I'm running Windows XP. Firefox is working, but on some sites it won't. IE is not working at all.

    One of the viruses is called Trojan Horse Cryptic.BGF

    I have also run Malwarebytes and it finds something but again it keeps coming back after healing.

    I downloaded HijackThis, having read other threads, and have attached the log file.

    [HJT log removed by Broni]


    Any more info you need please ask.

  2. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. cyclopspj

    cyclopspj TS Rookie Topic Starter

    Hi Broni, many thanks for your offer of help.

    I have done the Malwarebytes scan and it didn't detect anything (although it did yesterday, and I removed the threat). The log is as follows:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8312

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    05/12/2011 13:37:44
    mbam-log-2011-12-05 (13-37-44).txt

    Scan type: Quick scan
    Objects scanned: 222306
    Time elapsed: 8 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    I clicked both the links to download the GMER program, but each time Firefox said the following:

    Unable to connect

    Firefox can't establish a connection to the server at www2.gmer.net.

    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    Shall I wait for your instructions before I download the DDS program?
  4. Broni

    Broni Malware Annihilator Posts: 47,986   +271

  5. cyclopspj

    cyclopspj TS Rookie Topic Starter

    Many thanks for the download, Broni.

    This is the GMER log report:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-07 07:42:06
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 Hitachi_HDP725050GLA360 rev.GM4OA5CA
    Running: 967xzn8x.exe; Driver: C:\DOCUME~1\Pete\LOCALS~1\Temp\fwtcakow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB5604F3C]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB5604FE4]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB5605080]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB560511C]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB90AE360, 0x30AD87, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe[156] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    .text C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe[176] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    ? C:\WINDOWS\system32\services.exe[808] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
    .text C:\WINDOWS\system32\services.exe[808] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\services.exe[808] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\services.exe[808] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\services.exe[808] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\services.exe[808] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\system32\services.exe[808] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    .text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\lsass.exe[820] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\system32\lsass.exe[820] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    ? C:\WINDOWS\system32\svchost.exe[988] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\svchost.exe[988] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\svchost.exe[988] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\system32\svchost.exe[988] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    ? C:\WINDOWS\system32\svchost.exe[1060] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\svchost.exe[1060] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    ? C:\WINDOWS\System32\svchost.exe[1100] time/date stamp mismatch;
    .text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\System32\svchost.exe[1100] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\System32\svchost.exe[1100] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\System32\svchost.exe[1100] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
    .text C:\WINDOWS\System32\svchost.exe[1100] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
    ? C:\WINDOWS\system32\svchost.exe[1156] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\svchost.exe[1156] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\system32\svchost.exe[1156] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    ? C:\WINDOWS\system32\svchost.exe[1184] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\svchost.exe[1184] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    .text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\spoolsv.exe[1344] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\spoolsv.exe[1344] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
    .text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
    .text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
    .text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
    .text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
    .text C:\WINDOWS\system32\spoolsv.exe[1344] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD

    continued on next post
  6. cyclopspj

    cyclopspj TS Rookie Topic Starter

    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1792] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    ? C:\WINDOWS\system32\svchost.exe[1912] time/date stamp mismatch;
    .text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\svchost.exe[1912] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\svchost.exe[1912] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
    .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe[1972] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[2016] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\system32\wuauclt.exe[2040] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\wuauclt.exe[2040] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B1D95
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B20BF
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B23D8
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B1D47
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B221C
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B2050
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B2134
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B22F7
    .text C:\WINDOWS\system32\wuauclt.exe[2040] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B21A5
    .text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\Documents and Settings\Pete\Desktop\967xzn8x.exe[2208] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    ? C:\WINDOWS\Explorer.EXE[2232] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
    .text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B6798
    .text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200AA3DB
    .text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 200B6614
    .text C:\WINDOWS\Explorer.EXE[2232] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [7A, A3] {JP 0xffffffffffffffa5}
    .text C:\WINDOWS\Explorer.EXE[2232] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B0FB8
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B3715
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B33A0
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200B33F6
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B37D0
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B2C37
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B37FD
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 200B2C02
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 200B382A
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200B35FA
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 200B3553
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 200B2C69
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 200B3851
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 200B2BBC
    .text C:\WINDOWS\Explorer.EXE[2232] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 200B2B76
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 20023715
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200233A0
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200233F6
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200237D0
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 20022C37
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200237FD
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 20022C02
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 2002382A
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200235FA
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 20023553
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 20022C69
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 20023851
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 20022BBC
    .text C:\Program Files\AVG Secure Search\vprot.exe[2568] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 20022B76
    .text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\WINDOWS\System32\alg.exe[3292] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\WINDOWS\System32\alg.exe[3292] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
    .text C:\WINDOWS\System32\alg.exe[3292] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200221A5
     
  7. cyclopspj

    cyclopspj TS Rookie Topic Starter

    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200221A5
    .text C:\Program Files\AVG\AVG2012\avgnsx.exe[3416] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200221A5
    .text C:\Program Files\AVG\AVG2012\avgemcx.exe[3472] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\WINDOWS\system32\ctfmon.exe[3476] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\ctfmon.exe[3476] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\WINDOWS\system32\RUNDLL32.EXE[3640] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\WINDOWS\system32\RUNDLL32.EXE[3640] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 20023715
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200233A0
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 200233F6
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200237D0
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 20022C37
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200237FD
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 20022C02
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 2002382A
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetReadFileExW 3D963229 5 Bytes JMP 200235FA
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetReadFileExA 3D963261 5 Bytes JMP 20023553
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetWriteFile 3D9A6086 5 Bytes JMP 20022C69
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 20023851
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestExA 3D9BA65A 5 Bytes JMP 20022BBC
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3852] WININET.dll!HttpSendRequestExW 3D9BA6B3 5 Bytes JMP 20022B76
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 20021D95
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200220BF
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200223D8
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!send 71AB4C27 5 Bytes JMP 20021D47
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2002221C
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20022050
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20022134
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200222F7
    .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3996] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200221A5
    .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20066798
    .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2005A3DB
    .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20066614
    .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [75, A3] {JNZ 0xffffffffffffffa5}
    .text C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE[4016] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20060FB8
    .text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 20026798
    .text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001A3DB
    .text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!LdrLoadDll 7C91632D 2 Bytes JMP 20026614
    .text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] ntdll.dll!LdrLoadDll + 3 7C916330 2 Bytes [71, A3] {JNO 0xffffffffffffffa5}
    .text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4044] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 20020FB8

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\Pete\Local Settings\Application Data\nprftrxp\vvjrereg.exe 90639 bytes executable
    File C:\Documents and Settings\Pete\Start Menu\Programs\Startup\vvjrereg.exe 90639 bytes executable

    ---- EOF - GMER 1.0.15 ----
     
  8. cyclopspj

    cyclopspj TS Rookie Topic Starter

    DDS log 1

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
    Run by Pete at 13:23:31 on 2011-12-08
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2943.1634 [GMT 0:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
    C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    C:\Program Files\Ask.com\Updater\Updater.exe
    C:\Program Files\AVG Secure Search\vprot.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpBrowser.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\pete\local settings\application data\nprftrxp\vvjrereg.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.18\AVG Secure Search_toolbar.dll
    {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [VvjRereg] c:\documents and settings\pete\local settings\application data\nprftrxp\vvjrereg.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
    mRun: [RIMBBLaunchAgent.exe] c:\program files\common files\research in motion\usb drivers\RIMBBLaunchAgent.exe
    mRun: [<NO NAME>]
    mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
    mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
    Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\pete\application data\mozilla\firefox\profiles\qdh8ndvo.default\
    FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
    FF - prefs.js: browser.startup.homepage - www.google.co.uk
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4df78ea4&v=7.008.031.001&i=23&tp=ab&iy=&ychte=uk&lng=en-GB&q=
    FF - component: c:\documents and settings\pete\application data\mozilla\firefox\profiles\qdh8ndvo.default\extensions\twitternotifier@naan.net\platform\winnt\components\nsTwitterFoxSign.dll
    FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\daniel\application data\mozilla\firefox\profiles\77qlg5i5.default\extensions\{000f1ea4-5e08-4564-a29b-29076f63a37a}\plugins\npsoe.dll
    FF - plugin: c:\documents and settings\pete\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-3-2 54760]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-23 366152]
    R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [2011-12-3 855904]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-23 22216]
    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-8-2 215936]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-18 136176]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]
    S3 cpuz132;cpuz132;\??\c:\docume~1\alison\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\alison\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-9-18 136176]
    .
    =============== Created Last 30 ================
    .
    2011-12-05 01:13:14 388096 ----a-w- c:\documents and settings\pete\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-12-05 01:08:02 -------- d-----w- c:\program files\Trend Micro
    2011-12-05 00:33:05 -------- d-----w- c:\documents and settings\pete\application data\AVG Secure Search
    2011-12-03 08:50:46 -------- d-----w- c:\windows\system32\cache
    2011-12-03 08:50:44 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
    2011-12-02 13:43:33 -------- d-----w- c:\documents and settings\pete\local settings\application data\nprftrxp
    .
    ==================== Find3M ====================
    .
    2011-10-30 14:57:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-10-07 16:05:50 323624 ----a-w- c:\windows\system32\wiaaut.dll
    2011-10-07 06:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2011-10-04 06:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-13 05:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    .
    ============= FINISH: 13:24:08.84 ===============
     
  9. cyclopspj

    cyclopspj TS Rookie Topic Starter

    DDS log 2

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 30/07/2010 14:22:02
    System Uptime: 08/12/2011 03:38:04 (10 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M2N-CM DVI
    Processor: AMD Phenom(tm) 9550 Quad-Core Processor | AM2 | 2200/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 396.943 GiB free.
    D: is CDROM ()
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Photosmart C5200 series
    Device ID: USB\VID_03F0&PID_5D11&MI_00\6&1E99B3BF&0&0000
    Manufacturer:
    Name: Photosmart C5200 series
    PNP Device ID: USB\VID_03F0&PID_5D11&MI_00\6&1E99B3BF&0&0000
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV054C\4&68FE5E4&0&00
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV054C\4&68FE5E4&0&00
    Service: NVENETFD
    .
    ==== System Restore Points ===================
    .
    RP389: 10/09/2011 09:53:53 - System Checkpoint
    RP390: 11/09/2011 11:26:35 - System Checkpoint
    RP391: 12/09/2011 12:00:03 - System Checkpoint
    RP392: 13/09/2011 13:59:19 - System Checkpoint
    RP393: 14/09/2011 18:17:20 - System Checkpoint
    RP394: 15/09/2011 20:17:29 - System Checkpoint
    RP395: 16/09/2011 03:00:25 - Software Distribution Service 3.0
    RP396: 17/09/2011 09:59:42 - System Checkpoint
    RP397: 18/09/2011 12:59:26 - System Checkpoint
    RP398: 19/09/2011 15:14:29 - System Checkpoint
    RP399: 20/09/2011 16:04:45 - System Checkpoint
    RP400: 21/09/2011 18:25:06 - System Checkpoint
    RP401: 22/09/2011 18:27:00 - System Checkpoint
    RP402: 23/09/2011 18:45:06 - System Checkpoint
    RP403: 24/09/2011 19:06:12 - System Checkpoint
    RP404: 25/09/2011 19:42:10 - System Checkpoint
    RP405: 26/09/2011 19:59:56 - System Checkpoint
    RP406: 28/09/2011 07:39:44 - System Checkpoint
    RP407: 29/09/2011 07:48:22 - Software Distribution Service 3.0
    RP408: 30/09/2011 14:25:57 - System Checkpoint
    RP409: 01/10/2011 15:18:13 - System Checkpoint
    RP410: 02/10/2011 16:25:53 - System Checkpoint
    RP411: 03/10/2011 18:04:12 - System Checkpoint
    RP412: 04/10/2011 18:22:30 - System Checkpoint
    RP413: 05/10/2011 18:53:14 - System Checkpoint
    RP414: 06/10/2011 19:15:56 - System Checkpoint
    RP415: 07/10/2011 19:52:32 - System Checkpoint
    RP416: 08/10/2011 20:51:39 - System Checkpoint
    RP417: 10/10/2011 19:46:15 - System Checkpoint
    RP418: 11/10/2011 19:53:17 - System Checkpoint
    RP419: 12/10/2011 20:16:08 - System Checkpoint
    RP420: 12/10/2011 20:48:38 - Installed AVG 2012
    RP421: 12/10/2011 20:48:54 - Removed AVG 2011
    RP422: 12/10/2011 20:49:15 - Installed AVG 2012
    RP423: 13/10/2011 00:41:09 - Software Distribution Service 3.0
    RP424: 13/10/2011 12:55:43 - Installed AVG 2012
    RP425: 13/10/2011 13:00:07 - Removed AVG 2011
    RP426: 13/10/2011 13:04:46 - Paint.NET v3.5.10
    RP427: 14/10/2011 15:29:02 - System Checkpoint
    RP428: 15/10/2011 16:14:50 - System Checkpoint
    RP429: 16/10/2011 17:54:30 - System Checkpoint
    RP430: 17/10/2011 18:24:58 - System Checkpoint
    RP431: 18/10/2011 19:28:44 - System Checkpoint
    RP432: 19/10/2011 20:08:37 - System Checkpoint
    RP433: 20/10/2011 20:22:44 - System Checkpoint
    RP434: 21/10/2011 21:40:03 - System Checkpoint
    RP435: 22/10/2011 16:11:37 - Installed Bounty Hounds Online
    RP436: 23/10/2011 17:27:02 - System Checkpoint
    RP437: 24/10/2011 18:06:40 - System Checkpoint
    RP438: 25/10/2011 19:25:54 - System Checkpoint
    RP439: 26/10/2011 19:41:07 - System Checkpoint
    RP440: 27/10/2011 19:54:20 - System Checkpoint
    RP441: 28/10/2011 20:29:41 - System Checkpoint
    RP442: 29/10/2011 21:02:44 - System Checkpoint
    RP443: 30/10/2011 20:04:00 - System Checkpoint
    RP444: 31/10/2011 21:21:03 - System Checkpoint
    RP445: 01/11/2011 21:30:34 - System Checkpoint
    RP446: 02/11/2011 21:48:04 - System Checkpoint
    RP447: 03/11/2011 22:38:53 - System Checkpoint
    RP448: 04/11/2011 23:24:23 - System Checkpoint
    RP449: 07/11/2011 17:25:12 - System Checkpoint
    RP450: 08/11/2011 18:10:25 - System Checkpoint
    RP451: 09/11/2011 18:53:31 - System Checkpoint
    RP452: 10/11/2011 03:00:14 - Software Distribution Service 3.0
    RP453: 11/11/2011 03:35:12 - System Checkpoint
    RP454: 12/11/2011 03:00:14 - Software Distribution Service 3.0
    RP455: 13/11/2011 10:12:43 - System Checkpoint
    RP456: 14/11/2011 16:36:44 - System Checkpoint
    RP457: 15/11/2011 17:08:37 - System Checkpoint
    RP458: 16/11/2011 17:56:38 - System Checkpoint
    RP459: 18/11/2011 08:53:43 - System Checkpoint
    RP460: 19/11/2011 15:18:29 - System Checkpoint
    RP461: 20/11/2011 15:46:27 - System Checkpoint
    RP462: 21/11/2011 15:54:36 - System Checkpoint
    RP463: 22/11/2011 18:05:50 - System Checkpoint
    RP464: 24/11/2011 07:28:34 - System Checkpoint
    RP465: 25/11/2011 16:03:32 - System Checkpoint
    RP466: 25/11/2011 17:19:30 - Configured Microsoft Office Home and Student 2007
    RP467: 27/11/2011 14:15:05 - System Checkpoint
    RP468: 28/11/2011 17:24:56 - System Checkpoint
    RP469: 29/11/2011 18:13:56 - System Checkpoint
    RP470: 30/11/2011 18:15:12 - System Checkpoint
    RP471: 01/12/2011 18:18:38 - System Checkpoint
    RP472: 03/12/2011 10:10:50 - System Checkpoint
    RP473: 04/12/2011 14:47:31 - System Checkpoint
    RP474: 05/12/2011 01:13:07 - Installed HiJackThis
    RP475: 06/12/2011 01:33:57 - System Checkpoint
    RP476: 07/12/2011 01:46:35 - System Checkpoint
    RP477: 08/12/2011 07:30:47 - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.5
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    µTorrent
    AVG 2012
    AVG PC Tuneup 2011
    Belarc Advisor 8.1
    Betfred Poker
    BlackBerry Desktop Software 6.1
    BlackBerry Device Software Updater
    Bonjour
    Bounty Hounds Online
    BT Broadband Desktop Help
    BTHomeHub
    CCleaner
    CDDRV_Installer
    CutePDF Writer 2.8
    Defraggler
    DivX Setup
    DownloadHQ
    Driver Mender
    FormatFactory 2.60
    Garfield's Typing Pal
    Google Chrome
    Google Earth
    Google Update Helper
    GoToAssist Corporate
    HiJackThis
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Junk Mail filter update
    KhalInstallWrapper
    LEGO Universe
    Logitech SetPoint
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office Live Add-in 1.3
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office Word Viewer 2003
    Microsoft Office XP Professional
    Microsoft Publisher 2002
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MobileMe Control Panel
    Mozilla Firefox 8.0 (x86 en-GB)
    MSVCRT
    NVIDIA Drivers
    NVIDIA ForceWare Network Access Manager
    OGA Notifier 2.0.0048.0
    Paint.NET v3.5.10
    Pando Media Booster
    Platform
    PornFlicks
    QuickTime
    Recover My Files
    Safari
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2553074)
    Security Update for 2007 Microsoft Office System (KB2553089)
    Security Update for 2007 Microsoft Office System (KB2553090)
    Security Update for 2007 Microsoft Office System (KB2584063)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2553073)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB923789)
    Segoe UI
    Steam
    System Requirements Lab
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB982632)
    Update for Windows XP (KB2641690)
    VC80CRTRedist - 8.0.50727.4053
    VIA Platform Device Manager
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows XP Service Pack 3
    WinRAR archiver
    Xvid 1.2.1 final uninstall
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Messenger
    Yahoo! Software Update
    .
    ==== Event Viewer Messages From Past Week ========
    .
    06/12/2011 22:37:51, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6010.
    06/12/2011 22:31:35, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.6040.
    06/12/2011 22:31:32, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5931.
    06/12/2011 22:30:55, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4028.0.
    06/12/2011 22:19:07, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
    06/12/2011 22:14:31, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadco.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    06/12/2011 22:14:30, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3002.0.
    06/12/2011 22:14:28, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msjro.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    06/12/2011 22:14:28, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadox.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    06/12/2011 22:14:27, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadomd.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    06/12/2011 22:14:26, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msado15.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    06/12/2011 22:13:50, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.23167.
    06/12/2011 22:13:49, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9246.
    05/12/2011 13:29:28, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.
    .
    ==== End Of File ===========================
     
  10. cyclopspj

    cyclopspj TS Rookie Topic Starter

    I hope I've done it all correctly.

    Many Thanks
     
  11. cyclopspj

    cyclopspj TS Rookie Topic Starter

    I just did another Malwarebytes scan and it found 20 items this time. This is the log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8320

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    08/12/2011 18:04:42
    mbam-log-2011-12-08 (18-04-41).txt

    Scan type: Quick scan
    Objects scanned: 223141
    Time elapsed: 11 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 17

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{0730F132-BCC0-473E-9C5A-918E10F8CE57} (Virus.Ramnit) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{0730F132-BCC0-473E-9C5A-918E10F8CE57} (Virus.Ramnit) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA} (Virus.Ramnit) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\common files\microsoft shared\MSInfo\OFFPRV10.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\ieproxy.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\Plugins\npqtplugin.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\Plugins\npqtplugin2.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\Plugins\npqtplugin3.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\Plugins\npqtplugin4.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\Plugins\npqtplugin5.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\Plugins\npqtplugin6.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\internet explorer\Plugins\npqtplugin7.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npqtplugin.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npqtplugin2.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npqtplugin3.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npqtplugin4.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npqtplugin5.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npqtplugin6.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\program files\mozilla firefox\plugins\npqtplugin7.dll (Virus.Ramnit) -> Quarantined and deleted successfully.
    c:\documents and settings\Pete\local settings\Temp\nbhmgtgmaeybirsd.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/.HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/.HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
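The Event Viewer section of the DDS log above shows Windows File Protection restoring a dozen protected program files within about 25 minutes on 06/12, and the Malwarebytes log shows Virus.Ramnit detections in legitimate application DLLs under Program Files; both fit the file-infector behaviour described in this post. The Python below is an added example, not part of the thread and not code from any tool mentioned in it. It parses those two log formats and summarises them: WFP 64002 restores are grouped into time windows and the distinct protected files in each window are counted, and the Malwarebytes hits are broken down by detection name, location and extension. The sample lines are copied from the logs posted above; the 30-minute window and the five-file threshold are assumptions.

```python
import os
import re
from collections import Counter
from datetime import datetime, timedelta

# Event Viewer entries as DDS prints them: "dd/mm/yyyy hh:mm:ss, level: Source [id] - message".
WFP_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), \w+: Windows File Protection \[64002\] - "
    r"File replacement was attempted on the protected system file (?P<path>.+?)\. This file was restored")
# Malwarebytes "Files Infected" entries: "<path> (<detection name>) -> <action>."
# A path that itself contains parentheses, e.g. "Program Files (x86)", would need a stricter pattern.
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# File types the Ramnit description in this thread says it infects.
INFECTABLE = {".exe", ".dll", ".htm", ".html"}

# Sample input: lines copied from the DDS and Malwarebytes logs posted earlier in this thread.
SAMPLE_WFP = [
    r"06/12/2011 22:37:51, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6010.",
    r"06/12/2011 22:31:35, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.6040.",
    r"06/12/2011 22:19:07, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.",
    r"06/12/2011 22:14:31, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadco.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.",
    r"06/12/2011 22:13:50, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.23167.",
    r"06/12/2011 22:13:49, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9246.",
    r"05/12/2011 13:29:28, error: Service Control Manager [7000] - The MBAMSwissArmy service failed to start due to the following error: The system cannot find the file specified.",
]
SAMPLE_MBAM = [
    r"c:\program files\common files\microsoft shared\MSInfo\OFFPRV10.DLL (Virus.Ramnit) -> Quarantined and deleted successfully.",
    r"c:\program files\internet explorer\ieproxy.dll (Virus.Ramnit) -> Quarantined and deleted successfully.",
    r"c:\program files\internet explorer\Plugins\npqtplugin.dll (Virus.Ramnit) -> Quarantined and deleted successfully.",
    r"c:\program files\mozilla firefox\plugins\npqtplugin.dll (Virus.Ramnit) -> Quarantined and deleted successfully.",
    r"c:\documents and settings\Pete\local settings\Temp\nbhmgtgmaeybirsd.exe (Trojan.Downloader.bh) -> Quarantined and deleted successfully.",
]


def parse_wfp(lines):
    """Return [(timestamp, lower-cased path)] for every WFP 64002 restore, oldest first."""
    events = []
    for line in lines:
        m = WFP_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S")
            events.append((ts, m.group("path").lower()))
    return sorted(events)


def parse_mbam(lines):
    """Return [(lower-cased path, detection name, action)] for every Files Infected line."""
    hits = []
    for line in lines:
        m = MBAM_RE.match(line.strip())
        if m:
            hits.append((m.group("path").lower(), m.group("name"), m.group("action")))
    return hits


def wfp_bursts(events, window=timedelta(minutes=30), min_files=5):
    """Group sorted WFP events into windows; keep those where WFP had to restore at
    least min_files distinct protected files. Returns [(start, end, sorted paths)]."""
    bursts, i = [], 0
    while i < len(events):
        start = events[i][0]
        j, paths = i, set()
        while j < len(events) and events[j][0] - start <= window:
            paths.add(events[j][1])
            j += 1
        if len(paths) >= min_files:
            bursts.append((start, events[j - 1][0], sorted(paths)))
            i = j
        else:
            i += 1
    return bursts


def triage(wfp_lines, mbam_lines):
    """One summary dict for the analyst: what WFP had to undo, and where the AV found hits."""
    events = parse_wfp(wfp_lines)
    hits = parse_mbam(mbam_lines)
    return {
        "wfp_restored_files": len({p for _, p in events}),
        "wfp_bursts": [(s.isoformat(), e.isoformat(), len(paths)) for s, e, paths in wfp_bursts(events)],
        "mbam_hits": len(hits),
        "mbam_ramnit_hits": sum("ramnit" in name.lower() for _, name, _ in hits),
        # Hits inside Program Files are legitimate application files that were infected,
        # as opposed to a dropper sitting in the user's Temp directory.
        "mbam_program_files_hits": sum(p.startswith("c:\\program files\\") for p, _, _ in hits),
        "mbam_by_ext": Counter(os.path.splitext(p)[1] for p, _, _ in hits),
        "mbam_infectable_hits": sum(os.path.splitext(p)[1] in INFECTABLE for p, _, _ in hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_WFP, SAMPLE_MBAM).items():
        print(key, value)
```

Two caveats when reading the output. A 64002 event means WFP put the original file back, not that the machine is clean: the thing that modified the file is still running and can modify it again. And WFP only watches the files in its own catalogue; the browser plugins and the OFFPRV10.DLL in the Malwarebytes list are not on it, which is why their infection produced detections but no 64002 events, and why a count of WFP restores understates how many files were touched.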
     
  13. cyclopspj

    cyclopspj TS Rookie Topic Starter

    Hi Broni, not good news eh?

    Many thanks for your efforts though, they are very much appreciated.

    Just some questions before I reformat.

    I will want to save photos and some office files before I reformat. I am planning to burn them onto a disk (I have read somewhere that this virus can pass from computer to computer via removable hardware like memory sticks).

    Is this the best way to do it? Will these files be infected as well and how will I know?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    You can use USB flash drive on one condition.

    When you're done with reinstalling Windows, install the following program, which will make connecting any external device safe.

    Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

    *Please disable any AV / script blockers, as they might detect Flash Disinfector as malicious and block it, so that it fails to run. You can enable them again after the cleaning process.*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    Windows Vista and Windows 7 users
    Flash Disinfector is not compatible with the above Windows versions.
    Please, use Panda USB Vaccine, or BitDefender’s USB Immunizer

    Make sure to scan all backed up files with your AV program before moving them back to your fresh installation.
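Two points from this post and the question before it can be shown in working code: vaccinating removable media by planting a directory named autorun.inf so that an autorun.inf file cannot be created in its place, which is the mechanism the Flash_Disinfector note above describes, and copying photos and documents off the infected disk without carrying the infectable file types along with them. The Python below is an added example; it is not Flash Disinfector's code and not from the thread. The file-type lists, the RECYCLER path inside the constructed autorun.inf, and all directory names are assumptions. The demo runs against a temporary directory tree that stands in for two USB sticks and the old disk; point the functions at real drive roots to use them.

```python
import ctypes
import hashlib
import os
import shutil
import tempfile

# File types the Ramnit description in this thread says it infects; never copy these off the old disk.
INFECTABLE = {".exe", ".dll", ".htm", ".html"}
# Data types worth carrying over (assumed list; extend as needed).
BACKUP_TYPES = {".jpg", ".jpeg", ".png", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x01, 0x02, 0x04


def autorun_status(root):
    """'vaccinated' if <root>/autorun.inf is a directory, 'file-present' if it is a file
    (what a USB worm leaves behind), 'absent' otherwise."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isdir(target):
        return "vaccinated"
    if os.path.isfile(target):
        return "file-present"
    return "absent"


def autorun_launch_targets(path):
    """Return the values of the open= / shellexecute= keys of an autorun.inf file,
    i.e. what AutoRun would have launched on insertion."""
    targets = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                targets.append(value.strip())
    return targets


def vaccinate(root):
    """Create a hidden, system, read-only directory named autorun.inf on a drive root so
    that a file of that name can no longer be created there. Refuses to act when a file
    with that name already exists, because that file is evidence and should be looked at."""
    target = os.path.join(root, "autorun.inf")
    if os.path.isfile(target):
        raise RuntimeError("autorun.inf is a file at %s; inspect it before vaccinating" % root)
    os.makedirs(target, exist_ok=True)
    if os.name == "nt":  # the attributes exist only on Windows; elsewhere the directory alone does the job
        ctypes.windll.kernel32.SetFileAttributesW(
            target, FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return autorun_status(root) == "vaccinated"


def safe_backup(src_root, dst_root):
    """Copy whitelisted data files from the infected disk, skipping every infectable type.
    Returns (copied, skipped): copied maps relative path -> SHA-256 of the copy, so the set
    can be re-verified after the AV scan on the clean machine."""
    copied, skipped = {}, []
    for dirpath, _, filenames in os.walk(src_root):
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            ext = os.path.splitext(name)[1].lower()
            if ext in INFECTABLE or ext not in BACKUP_TYPES:
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)
            with open(dst, "rb") as fh:
                copied[rel] = hashlib.sha256(fh.read()).hexdigest()
    return copied, skipped


def demo():
    """Exercise the functions on a constructed tree standing in for two USB sticks and the
    old disk; returns the observations so they can be checked."""
    base = tempfile.mkdtemp(prefix="ramnit_thread_demo_")
    clean_stick, bad_stick = os.path.join(base, "clean_stick"), os.path.join(base, "bad_stick")
    old_disk, new_disk = os.path.join(base, "old_disk"), os.path.join(base, "new_disk")
    for d in (clean_stick, bad_stick, os.path.join(old_disk, "photos")):
        os.makedirs(d)
    # Constructed autorun.inf of the kind a USB worm plants (not a sample from the thread).
    with open(os.path.join(bad_stick, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\dropped.exe\nshellexecute=RECYCLER\\dropped.exe\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    # Constructed contents of the old disk: a photo, a document and two infectable files.
    for rel, data in (("photos/holiday.jpg", b"\xff\xd8\xff"), ("notes.docx", b"PK\x03\x04"),
                      ("setup.exe", b"MZ"), ("bookmarks.html", b"<html>")):
        with open(os.path.join(old_disk, *rel.split("/")), "wb") as fh:
            fh.write(data)
    result = {"clean_before": autorun_status(clean_stick)}
    result["clean_vaccinated"] = vaccinate(clean_stick)
    result["clean_after"] = autorun_status(clean_stick)
    result["bad_status"] = autorun_status(bad_stick)
    result["bad_targets"] = autorun_launch_targets(os.path.join(bad_stick, "autorun.inf"))
    try:
        vaccinate(bad_stick)
        result["bad_refused"] = False
    except RuntimeError:
        result["bad_refused"] = True
    copied, skipped = safe_backup(old_disk, new_disk)
    result["copied"], result["skipped"] = sorted(copied), sorted(skipped)
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The directory trick is a speed bump, not a guarantee: code running with the user's rights can remove the directory and write its own autorun.inf, and it does nothing for the files already on the stick. The closing advice in this post, to scan every backed-up file on the fresh installation before moving it back, still applies; the hash list from safe_backup lets you confirm that nothing changed between the copy and that scan.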
     
Topic Status:
Not open for further replies.