Page 2 of 4 (results 11 to 20 of 37)

Thread: wintest.exe\startup PROBLEM HELP!!!!

  1. #11 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Do this:

    * Open HijackThis.
    * Click on "Open Misc Tools Section".
    * Make sure that both boxes beside "Generate StartupList Log" are checked:

    List all minor sections (Full)

    and

    List Empty Sections (Complete)

    Click "Generate StartupList Log".
    Click "Yes" at the prompt.

    It will produce a log in Notepad. I need you to copy the entire contents of that Notepad and paste it here.

    Another search of various entries in the HJT log shows the possibility of at least one trojan, one worm and an adware infection.

  2. #12 (Join Date: Apr 2007; Posts: 16)

    Cool

    StartupList report, 4/17/2007, 11:31:14 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Balbinka\My Documents\hijackthis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\wintest.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Magentic\bin\MgApp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Balbinka\My Documents\hijackthis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Balbinka\Start Menu\Programs\Startup]
    *No files*

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    BigFix.lnk = C:\Program Files\BigFix\BigFix.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CARPService = carpserv.exe
    Removecpl = removecpl.exe
    bcmwltry = bcmwltry.exe
    AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    Microsoft Update = wintest.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    Microsoft Update = wintest.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Magentic = C:\PROGRA~1\Magentic\bin\Magentic.exe /c
    Microsoft Update = wintest.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser .NT

    [{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=*INI section not found*
    run=*INI section not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\WINDOWS
    - .reg open command is normal (regedit.exe %1)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check passed

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
    (no name) - blank (file missing) - {73364D99-1240-4dff-B12A-67E448373148}
    (no name) - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [DirectAnimation Java Classes]
    CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
    OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

    [Microsoft XML Parser for Java]
    CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
    OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

    [Java Plug-in 1.5.0_08]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Java Plug-in 1.3.1]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    CODEBASE = http://java.sun.com/products/plugin/...ll-131-win.cab

    [Java Plug-in 1.3.1_02]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    CODEBASE = http://java.sun.com/products/plugin/...131_02-win.cab

    [Java Plug-in 1.5.0_08]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Java Plug-in 1.5.0_08]
    InProcServer32 = C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    CODEBASE = http://java.sun.com/update/1.5.0/jin...ndows-i586.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINDOWS\System32\mswsock.dll
    NameSpace #2: C:\WINDOWS\System32\winrnr.dll
    NameSpace #3: C:\WINDOWS\System32\mswsock.dll
    Protocol #1: C:\WINDOWS\system32\mswsock.dll
    Protocol #2: C:\WINDOWS\system32\mswsock.dll
    Protocol #3: C:\WINDOWS\system32\mswsock.dll
    Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
    Protocol #6: C:\WINDOWS\system32\mswsock.dll
    Protocol #7: C:\WINDOWS\system32\mswsock.dll
    Protocol #8: C:\WINDOWS\system32\mswsock.dll
    Protocol #9: C:\WINDOWS\system32\mswsock.dll
    Protocol #10: C:\WINDOWS\system32\mswsock.dll
    Protocol #11: C:\WINDOWS\system32\mswsock.dll
    Protocol #12: C:\WINDOWS\system32\mswsock.dll
    Protocol #13: C:\WINDOWS\system32\mswsock.dll
    Protocol #14: C:\WINDOWS\system32\mswsock.dll
    Protocol #15: C:\WINDOWS\system32\mswsock.dll
    Protocol #16: C:\WINDOWS\system32\mswsock.dll
    Protocol #17: C:\WINDOWS\system32\mswsock.dll
    Protocol #18: C:\WINDOWS\system32\mswsock.dll
    Protocol #19: C:\WINDOWS\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
    Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
    aeaudio: system32\drivers\aeaudio.sys (manual start)
    Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
    ALi Audio Accelerator WDM driver: system32\drivers\ac97ali.sys (manual start)
    AliIde: System32\DRIVERS\aliide.sys (system)
    AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
    Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
    RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
    Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
    ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
    ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
    AVG7 Alert Manager Server: C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (autostart)
    AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
    AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
    AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
    AVG7 Update Service: C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (autostart)
    AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
    AVG E-mail Scanner: C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (autostart)
    AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
    BCM 802.11g Network Adapter Driver: System32\DRIVERS\bcmwl5.sys (manual start)
    Broadcom 440x 10/100 Integrated Controller XP Driver: System32\DRIVERS\bcm4sbxp.sys (manual start)
    Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    ATI Cabo AGP Filter: System32\DRIVERS\atisgkaf.sys (system)
    CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
    Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
    ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
    Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)
    Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
    COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
    Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Disk Driver: System32\DRIVERS\disk.sys (system)
    Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
    dmboot: System32\drivers\dmboot.sys (disabled)
    dmio: System32\drivers\dmio.sys (disabled)
    dmload: System32\drivers\dmload.sys (disabled)
    Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
    Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Event Log: %SystemRoot%\system32\services.exe (autostart)
    COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
    Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
    Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)
    Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
    Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
    HSFHWALI: System32\DRIVERS\HSFHWALI.sys (manual start)
    HSF_DP: System32\DRIVERS\HSF_DP.sys (manual start)
    i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
    File Security Kernel Anti-Spyware Driver: system32\drivers\ikhfile.sys (system)
    Kernel Anti-Spyware Driver: system32\drivers\ikhlayer.sys (system)
    CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
    IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
    IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
    IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
    IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
    IPSEC driver: System32\DRIVERS\ipsec.sys (system)
    IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
    PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
    Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
    Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    mchInjDrv: \??\C:\WINDOWS\TEMP\mc21.tmp (disabled)
    mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
    Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
    Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
    Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
    WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
    MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
    Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
    Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
    Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
    Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
    Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
    Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
    NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
    Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
    NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
    NetBT: System32\DRIVERS\netbt.sys (system)
    Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
    Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
    Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
    Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
    Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
    Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
    IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
    IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
    Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
    oreans32: \??\C:\WINDOWS\system32\drivers\oreans32.sys (system)
    Parallel port driver: System32\DRIVERS\parport.sys (manual start)
    PCANDIS5 NDIS Protocol Driver: \??\C:\WINDOWS\System32\PCANDIS5.SYS (manual start)
    PCI Bus Driver: System32\DRIVERS\pci.sys (system)
    Pcmcia: System32\DRIVERS\pcmcia.sys (system)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
    Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
    QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
    Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
    Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
    Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
    Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
    Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
    Rdbss: System32\DRIVERS\rdbss.sys (system)
    RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
    Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
    Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
    Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
    Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
    Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    PC Tools Spyware Doctor: C:\Program Files\Spyware Doctor\sdhelp.exe (autostart)
    Secdrv: System32\DRIVERS\secdrv.sys (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    High-Capacity Floppy Disk Drive: System32\DRIVERS\sfloppy.sys (manual start)
    Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    smwdm: system32\drivers\smwdm.sys (manual start)
    Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
    Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
    Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
    System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
    System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Srv: System32\DRIVERS\srv.sys (manual start)
    SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
    StreamDispatcher: System32\DRIVERS\strmdisp.sys (autostart)
    Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
    Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
    MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{177E01FD-C27B-47EE-B1E9-D78804328482} (manual start)
    Synaptics TouchPad Driver: System32\DRIVERS\SynTP.sys (manual start)
    Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
    Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
    Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
    Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
    Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
    Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
    Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
    Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
    Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
    Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
    USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
    VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
    Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
    Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
    Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
    WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
    winachsf: System32\DRIVERS\HSF_CNXT.sys (manual start)
    Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
    WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
    Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
    Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    *Registry key not found*

    --------------------------------------------------

    End of report, 31,835 bytes
    Report generated in 0.661 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

  3. #13
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Please now follow the steps in PP's Link
    Follow his steps exactly and post the logs requested. Also please download and run Gmer and give us that log also. There are some very suspicious entries in your logs and Gmer will give us a better look at these also.

  4. #14
    Join Date
    Apr 2007
    Posts
    16
    You gotta be kidding me, I'm supposed to install 10 different things, just to clean this up?????????????? OK, but it might just be a while before I post the log.
    I don't need another spyware program, I have PC Tools Spyware Doctor......
    I don't understand why HJT needs to be renamed, that's kinda odd. But I WILL do all this.

    I'll do the Gmer thing right now.

    Thanks a lot for your help jholland1964, you are a life-saver!!!

    Gmer Scan log:

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-04-18 19:30:47
    Windows 5.1.2600 Service Pack 1


    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033FAA
    .text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034135
    .text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034019
    .text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033FC8
    .text ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]

    ---- User code sections - GMER 1.0.12 ----

    .text C:\WINDOWS\system32\csrss.exe[408] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\csrss.exe[408] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\csrss.exe[408] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\csrss.exe[408] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\csrss.exe[408] KERNEL32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\csrss.exe[408] KERNEL32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\csrss.exe[408] KERNEL32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\csrss.exe[408] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\winlogon.exe[432] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\winlogon.exe[432] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\winlogon.exe[432] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\winlogon.exe[432] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\winlogon.exe[432] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\winlogon.exe[432] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\winlogon.exe[432] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\winlogon.exe[432] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\services.exe[476] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\services.exe[476] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\services.exe[476] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\services.exe[476] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\services.exe[476] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\services.exe[476] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\services.exe[476] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\services.exe[476] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\lsass.exe[488] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\lsass.exe[488] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\lsass.exe[488] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\lsass.exe[488] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\lsass.exe[488] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\lsass.exe[488] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\lsass.exe[488] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\lsass.exe[488] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[660] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[660] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[660] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[704] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\svchost.exe[704] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[704] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[704] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[704] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[704] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[704] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[704] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[788] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[852] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[852] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[852] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[852] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\svchost.exe[876] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[876] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[876] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\svchost.exe[876] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\explorer.exe[980] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\explorer.exe[980] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\explorer.exe[980] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\explorer.exe[980] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\explorer.exe[980] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\explorer.exe[980] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\explorer.exe[980] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\explorer.exe[980] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] user32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] user32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\carpserv.exe[1092] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\spoolsv.exe[1112] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\bcmwltry.exe[1120] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgcc.exe[1128] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\WINDOWS\system32\wintest.exe[1140] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\wintest.exe[1140] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\wintest.exe[1140] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\wintest.exe[1140] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\wintest.exe[1140] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\wintest.exe[1140] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\wintest.exe[1140] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\wintest.exe[1140] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\Program Files\BigFix\BigFix.exe[1212] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\alg.exe[1272] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\WINDOWS\system32\alg.exe[1272] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\WINDOWS\system32\alg.exe[1272] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\WINDOWS\system32\alg.exe[1272] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\WINDOWS\system32\alg.exe[1272] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\WINDOWS\system32\alg.exe[1272] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\WINDOWS\system32\alg.exe[1272] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\WINDOWS\system32\alg.exe[1272] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe[1284] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\PROGRA~1\Magentic\bin\MgApp.exe[1296] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe[1308] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\PROGRA~1\Grisoft\AVG7\avgemc.exe[1320] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\Program Files\Spyware Doctor\sdhelp.exe[1396] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Program Files\Spyware Doctor\sdhelp.exe[1396] user32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\Program Files\Spyware Doctor\sdhelp.exe[1396] user32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 0F, 5F ]
    .text C:\Program Files\Spyware Doctor\sdhelp.exe[1396] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\PROGRA~1\SPYWAR~1\swdoctor.exe[1920] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\Documents and Settings\Balbinka\My Documents\gmer.exe[3256] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] kernel32.dll!CreateProcessA 77E61BBC 6 Bytes [ FF, 25, 1E, 00, 05, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes [ FF, 25, 1E, 00, 08, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] USER32.dll!SetWindowsHookExW 77D67297 6 Bytes [ FF, 25, 1E, 00, 19, 5F ]
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3960] GDI32.dll!Escape 77C7D846 6 Bytes [ FF, 25, 1E, 00, 11, 5F ]

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A5F85A] avgtdi.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A5F85A] avgtdi.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A5F85A] avgtdi.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A5F85A] avgtdi.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7A5F85A] avgtdi.sys

    ---- Files - GMER 1.0.12 ----

    ADS C:\System Volume Information\_restore{EEF84697-6736-4397-BC02-2C9522B52F41}\RP282\A0174606.exe:SummaryInformation
    ADS C:\System Volume Information\_restore{EEF84697-6736-4397-BC02-2C9522B52F41}\RP282\A0174606.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\AIM.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\emachines_32.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\encarta.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\ICQ.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\Netscape.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\PCHealth\EMCImage\e_back.gif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\system32\OemLinkIcon.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS C:\WINDOWS\system32\OEMLOGO.BMP:Q30lsldxJoudresxAaaqpcawXc
    ADS C:\WINDOWS\system32\OEMLOGO.BMP:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
    ADS ...

    ---- EOF - GMER 1.0.12 ----
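
A small triage helper for the "User code sections" part of a GMER log like the one above, added here as an example (it is not GMER's code and not from the original post). It parses the per-process hook lines, normalizes module names so the same export groups together, flags exports whose patch bytes differ between processes, and decodes the FF 25 stub as an x86 indirect jump so the pointer slot it reads can be compared; the sample lines are a small subset copied from the log above, and all function names are my own.

```python
"""Triage helper for the 'User code sections' part of a GMER log.

Added example for this thread; it is not GMER's own code and not code from
the original post. SAMPLE_LOG is a constructed subset of lines copied from
the log posted above, so the script runs offline.
"""
import re
from collections import defaultdict

# One user-mode hook line has the shape
#   .text <image>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes [ b1, b2, ... ]
# Kernel-section lines ('... 5 Bytes JMP 72033FAA') carry no [pid] and are skipped.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<export>\S+(?:\s\+\s\d+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes\s+"
    r"\[\s*(?P<bytes>[0-9A-F]{2}(?:,\s*[0-9A-F]{2})*)\s*\]\s*$"
)

SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.12 ----

.text C:\WINDOWS\system32\csrss.exe[408] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\csrss.exe[408] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\csrss.exe[408] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\csrss.exe[408] KERNEL32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\WINDOWS\system32\wintest.exe[1140] ntdll.dll!NtTerminateProcess 77F5C448 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\wintest.exe[1140] ntdll.dll!NtTerminateProcess + 4 77F5C44C 2 Bytes [ 0E, 5F ]
.text C:\WINDOWS\system32\wintest.exe[1140] USER32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 15, 5F ]
.text C:\WINDOWS\system32\wintest.exe[1140] kernel32.dll!CreateProcessW 77E61B8E 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
.text C:\Program Files\Spyware Doctor\sdhelp.exe[1396] user32.dll!SetWindowsHookExA 77D48A1C 6 Bytes [ FF, 25, 1E, 00, 0B, 5F ]
"""


def parse_hook_line(line):
    """Parse one user-mode hook line; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    patch = tuple(b.strip().upper() for b in m.group("bytes").split(","))
    return {
        "image": m.group("image"),
        "pid": int(m.group("pid")),
        # Module names vary in case between processes (KERNEL32.dll vs
        # kernel32.dll); normalize so the same export groups together.
        "target": m.group("module").lower() + "!" + m.group("export"),
        "addr": m.group("addr"),
        "patch": patch,
    }


def summarize(lines):
    """Return (procs, by_target): pid -> image path, and
    (target, addr) -> {patch bytes -> set of pids carrying that patch}."""
    procs = {}
    by_target = defaultdict(lambda: defaultdict(set))
    for line in lines:
        h = parse_hook_line(line)
        if h is None:
            continue
        procs[h["pid"]] = h["image"]
        by_target[(h["target"], h["addr"])][h["patch"]].add(h["pid"])
    return procs, by_target


def divergent_targets(by_target):
    """Exports patched with more than one distinct byte sequence: these are the
    lines to look at first, because one system-wide hooking component normally
    writes the same stub into every process."""
    return sorted(key for key, patches in by_target.items() if len(patches) > 1)


def indirect_jmp_slot(patch):
    """For a 6-byte 'FF 25 <imm32>' stub (x86 JMP DWORD PTR [imm32]) return the
    little-endian pointer slot the jump reads; None for any other patch."""
    if len(patch) != 6 or patch[:2] != ("FF", "25"):
        return None
    return int.from_bytes(bytes(int(b, 16) for b in patch[2:]), "little")


def report(log_text):
    """Human-readable summary lines for a whole log."""
    procs, by_target = summarize(log_text.splitlines())
    out = [f"{len(procs)} hooked processes, {len(by_target)} hooked exports"]
    for (target, addr), patches in sorted(by_target.items()):
        for patch, pids in patches.items():
            slot = indirect_jmp_slot(patch)
            via = f" -> reads pointer at 0x{slot:08X}" if slot is not None else ""
            out.append(f"{target} @ {addr}: {' '.join(patch)} in "
                       f"{len(pids)}/{len(procs)} processes{via}")
    for target, addr in divergent_targets(by_target):
        out.append(f"DIVERGENT: {target} @ {addr} carries different patch "
                   f"bytes in different processes")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log above, the same summary shows every listed process carrying identical stubs for the same exports, with only the sdhelp.exe lines diverging.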

  5. #15
    Join Date
    Jan 2007
    Location
    Edmonton,Alberta,Canada
    Posts
    78
    In your HJT log I noticed that you have BigFix. From past experience, this is a program that was situated with Norton AV and Symantec's programming. When I had problems with a buddy's system, I found that it conflicted with AVG. Not sure if this would or has happened to you, but it might be something worth consideration. I'm sure that Judy or PP will either add to this or dismiss it, but I thought it worth mentioning.

  6. #16
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I'm supposed to install 10 different things,
    What 10 different things are you talking about?
    At most, not counting HJT which you already have, I see 4 programs in PP's thread... + GMER that I told you to download. That is a total of 5, which is the barest number needed... I have seen threads where 8 or 9 tools have been used. You can make it simple and not use any tools, just reformat.

    I don't need another spyware program, I have PCtools spyware doctor......
    Ok then go ahead and use spyware doctor. It hasn't worked yet, and if it had your problems would be gone.
    You are asked to use AVG Anti-spy because it is the program of choice today...it will remove trojans, spyware, many hijackers. But since you don't need another spyware program proceed the way you wish.

    You are asked to rename HiJackThis because some infections can now hide themselves when they detect HJT.exe is executed but if it is renamed the infection cannot detect that it is running.

    Good Luck.

  7. #17
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by pheonix73 View Post
    In your HJT log I noticed that you have BigFix. From past experience, this is a program that was situated with Norton AV and Symantec's programming. When I had problems with a buddy's system, I found that it conflicted with AVG. Not sure if this would or has happened to you, but it might be something worth consideration. I'm sure that Judy or PP will either add to this or dismiss it, but I thought it worth mentioning.
    As far as I know BigFix has nothing to do with Norton or Symantec. Supposedly BigFix can automatically download and read technical support information provided by computer and software manufacturers and other technical support experts (published in the form of Fixlet® Messages) and can check your computer for bugs, configuration conflicts, and security holes.
    It is a MAJOR Resource HOG and should only be run manually, never automatically.

  8. #18
    Join Date
    Apr 2007
    Posts
    16

    It's not 10 programs, I was just exaggerating, sorry about that...lol
    I will get to work on that PP's thread link tonight.

    Well I guess you're right about spyware doc, I will consider AVG-AntiSpyware.
    And will most likely switch!

    As for renaming HJT... I didn't realize that, that actually makes a lot of sense!

    BigFix is turned off. It does not download any patches, it only runs at startup. I guess you're also right again about it being a resource hog. How do I go about stopping it from running at startup? There is nothing in the program itself that has that option, and I don't really want to uninstall it, since it was factory installed with my eMachines laptop.

    Was that Gmer log helpful? Did I do it right?

    Thanks!

  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    BigFix is NOT turned off. It shows as a running process in your HJT log.
    C:\Program Files\BigFix\BigFix.exe
    Look in your Task Manager under Processes and you should see it running: BigFix.exe
    Thus far I see nothing in the GMER log. I have asked somebody else to take a look at it. It is one of the largest ones I have ever seen. Can I ask a couple questions on how you ran it:
    These are the instructions given on their pages, is this how you ran it?
    Run gmer.exe, select Rootkit tab and click the "Scan" button.
    Please, do not select the "Show all" checkbox during the scan.
    If this is not what you did, can you run it again for me?

    Now, again I say...you have to follow the instructions we give here if you want us to help remove spyware/malware/etc.

    "I will consider AVG-AntiSpyware."
    We would not ask you to download a program like AVG Anti-Spyware if it was not a good program. These are the tools we use here; if you don't want to use the tools then we cannot help.
    It is NEVER recommended that you only use one anti-spy program on a computer...each program looks for specific types of spyware/malware. There is no one program that does it all. For a PAID program SpywareDoctor is fine, it gets good reviews BUT it is NOT enough and on most spyware removal forums the programs used are FREE programs (and they are excellent I might add) because many people just don't have the money to pay.

    We don't use SpywareDoctor here so we cannot give advice on it.

    The most highly recommended and commonly recommended programs (including HERE) are AdAwareSE, SpyBot Search & Destroy, and AVG Anti-spyware....ALL are FREE, ALL are excellent and each one looks for something different. What one sees, another won't, by using these three you should be able to find most nasties. All of these programs have the ability to scan AND remove, this is why we use them. You will find these referenced as programs to use on probably every malware removal forum out there.

    The one paid program we do use at times and do recommend is Webroot SpywareSweeper. If we see that in a person's log then we will ask for a scan and a log. But we are not here to push paid programs but to help remove malware and get a computer clean and up and running as fast and as smoothly as possible.

    One of the most frustrating things about helping at a forum is to have a person post HELP!!!! but then not be willing to do what we ask and follow steps in a timely manner, telling us "I will get to this tomorrow, or tonight".....Of course we realize all are under some sort of schedule, but to post saying you need immediate help and then not be willing to do what is asked is totally frustrating, especially having to tell a person numerous times to take specific steps. There are many, many malware programs that, with each delay in removal, will download more items themselves, more nasties, more hijackers, which complicates matters immensely. We see this so often: something shows in a log, the person waits two or three days to follow instructions while continuing to use the computer to do file sharing (which is dangerous in itself), downloading music, playing games, etc., and the new HJT log will show more problems, which adds steps to the clean-up.
    What I am saying here with this epistle is, if you want us to help, then please do what is asked, in the manner directed (including downloading a specific program or programs), and do it in a timely fashion.
    Judy
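
The exchange above turns on two things: whether BigFix.exe is actually running (Task Manager, Processes tab) and where its autostart entry lives, since the program itself offers no "don't run at startup" option. The following script is an added example, not something posted in this thread and not part of BigFix, HijackThis or GMER. It enumerates the usual autostart locations (the Run/RunOnce keys under HKLM and HKCU, the Wow6432Node variant on 64-bit hosts, and both Startup folders), lists every entry, flags any whose command line references a name of interest, reports whether that image is currently running, and, only when `-Remove` is given, exports the registry key to a .reg backup before deleting the matching value. The image names `BigFix.exe` and `wintest.exe` are taken from the StartupList log earlier in the thread; everything else (the parameter names, the backup path under `%TEMP%`, and the assumption of a modern Windows host with Windows PowerShell 5.1, since Windows XP SP1 has no PowerShell even though the registry paths are the same there) is the example's own. Removing an HKLM value requires an elevated prompt.

```powershell
# Added example (not from the original thread): list autostart entries,
# flag the ones naming a given image, check whether that image is running,
# and optionally back up and remove the matching Run-key value.
# Assumed: Windows PowerShell 5.1 on a current Windows; run elevated for HKLM.
param(
    [string[]]$Suspect = @('BigFix.exe', 'wintest.exe'),   # names from the thread's log
    [switch]$Remove
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Test-Suspect([string]$command) {
    foreach ($s in $Suspect) {
        if ($command -match [regex]::Escape($s)) { return $true }
    }
    return $false
}

$entries = @(Get-AutostartEntries)
$entries | Format-Table Source, Name, Command -AutoSize

$hits = $entries | Where-Object { Test-Suspect $_.Command }
foreach ($h in $hits) {
    # Pull the image base name out of the command line and check the process
    # list, which is what Task Manager > Processes would show.
    $exe = if ($h.Command -match '([^\\"/:]+)\.exe') { $Matches[1] } else { $null }
    $running = $false
    if ($exe) { $running = [bool](Get-Process -Name $exe -ErrorAction SilentlyContinue) }
    Write-Host ("Autostart hit: {0} -> {1} (running now: {2})" -f $h.Name, $h.Command, $running)

    if ($Remove -and $h.Source -like 'HK*') {
        # Export the whole key first so the value can be restored with 'reg import'.
        $backup = Join-Path $env:TEMP ('autostart-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        $regKey = $h.Source -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
        reg.exe export $regKey $backup /y | Out-Null
        Remove-ItemProperty -Path $h.Source -Name $h.Name
        Write-Host ("Removed value '{0}' from {1}; backup at {2}" -f $h.Name, $h.Source, $backup)
    }
    elseif ($Remove) {
        Write-Host ("Startup-folder item {0} not removed automatically; move or delete it by hand." -f $h.Command)
    }
}
```

Run it once without `-Remove` to see what is registered where and whether the image is live; a process that is running but has no Run-key or Startup-folder entry is being started some other way (a service, a scheduled task, or a Winlogon/shell hook), which is exactly the kind of discrepancy a HijackThis or StartupList log is meant to surface. Only remove an entry once you have the backup and are sure which one it is.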

  10. #20
    Join Date
    Apr 2007
    Posts
    16
    What I meant by BigFix is turned off is that IT DOES NOT DOWNLOAD ANY PATCHES!!!! I clearly stated that! It just runs. And I even asked what to do to get it to "NOT" run at startup, since BigFix itself does not have that option.

    That's EXACTLY how I ran GMER. When you open the program it's already on the "Rootkit" tab, and the "Show all" checkbox can't even be checked, it's blacked out. So basically I just ran it and hit Scan.

    I'm sorry if I can't do all these things in a timely manner, I DO HAVE A LIFE, A JOB, AND MANY, MANY MORE THINGS TO DO. But when I do have FREE TIME, I will do what you asked of me, and I appreciate all this help A LOT, so please don't get it "Twisted". I know I ASKED for HELP and I'm GOING TO DO WHAT YOU TOLD ME. Simple as that!
