I Am Infected And Need Help.


30 replies to this topic

#16 vu_loki

vu_loki

    New Member

  • Authentic Member
  • 18 posts

Posted 20 April 2007 - 11:57 AM

I am once again experiencing some very limited popups. Nothing as bad as before but still concerns me. Here is a new hjt log.

Logfile of HijackThis v1.99.1
Scan saved at 11:54:04 AM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AltDesk\AltDesk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\Bin\NTx86\imagine.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\eml.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\viewer.exe
C:\Program Files\ArcGIS\bin\AppLockMgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ArcGIS\Bin\ArcMap.exe
C:\Program Files\ArcGIS\Bin\AppROT.exe
C:\WINDOWS\system32\cmd.exe
C:\cygwin\bin\bash.exe
C:\cygwin\bin\bash.exe
c:\ArcGIS\arcexe9x\bin\arc.exe
c:\arcgis\arcexe9x\bin\grid.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [AltDesk] C:\Program Files\AltDesk\AltDesk.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137446630656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\Software\..\Telephony: DomainName = wru.umt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{94AD5894-E43C-46C8-9A51-8B9982915D10}: NameServer = 10.10.7.6,10.10.11.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: MobiLink Synchronization - coyotEYEPro (ASANYm_coyotEYEPro) - Unknown owner - C:\Program Files\Sybase\SQL Anywhere 9\win32\dbmlsrv9.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


I got one popup yesterday from Zedo and I got one today that took me to the Simpsons OJ Simpson video.
Thanks



#17 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • 2,907 posts

Posted 20 April 2007 - 01:26 PM

I got one popup yesterday from Zedo and I got one today that took me to the Simpsons OJ Simpson video.
Thanks

Were these two pop-ups online or offline? What sites were you at? Have they been the only two you have had?
I don't see anything in your log that indicates an infection at first glance and two pop-ups doesn't seem to be a particularly virulent infection.

Run the following online scan: Panda ActiveScan.
  • Please note that IE is required to run this scan.
  • You will need to fill in the "Country, region, email address" information before you can download and install the ActiveX components necessary to run the scan.
  • Decide whether you want to click the radio button underneath this part that says -
    "I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable." - it's your choice!
  • When you are asked to "Select a device to scan...", click on "My Computer".
When the scan has finished, click See Report > Save Report which by default will save the scan results as Activescan.txt in My Documents.

Copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.
Death to the salad eaters!
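An added triage helper for logs in this HijackThis format, written for this page and not a tool from the thread or from HijackThis itself: it parses the O4/O9/O17/O20/O23 entries and lists the ones that cannot be cleared from the log alone (orphaned "(file missing)" targets, autostarts without a full path, services with no recorded publisher, Winlogon Notify DLLs, public DNS servers). The sample lines are constructed from the log above and abbreviated.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format: a few entries copied from the log
# posted above, abbreviated so the triage logic can be run offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{94AD5894-E43C-46C8-9A51-8B9982915D10}: NameServer = 10.10.7.6,10.10.11.2
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: MobiLink Synchronization - coyotEYEPro (ASANYm_coyotEYEPro) - Unknown owner - C:\Program Files\Sybase\SQL Anywhere 9\win32\dbmlsrv9.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HJT entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry Run entries: "<hive>: [<value name>] <command line>".
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O17 entries carry the DNS servers as a comma-separated list.
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section code, e.g. "O4" or "O23"
    reason: str   # why the entry deserves a second look
    entry: str    # the original log line


def executable_of(cmd: str) -> str:
    """Return the executable token of an O4 command line (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def is_absolute(path: str) -> bool:
    """Drive letter, UNC path or an expandable %VAR% prefix counts as fully qualified."""
    return re.match(r"^([A-Za-z]:\\|\\\\|%\w+%\\)", path) is not None


def triage(log_text: str) -> list[Finding]:
    """Walk an HJT log and collect the entries that cannot be cleared from the log alone."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, "Running processes:" paths, blanks
        sec, body = m["sec"], m["body"]

        # Any section: HJT marks entries whose target no longer exists on disk.
        if "(file missing)" in body:
            findings.append(Finding(sec, "orphaned entry: referenced file is absent", line))

        if sec == "O4":
            o4 = O4_RE.match(body)
            if o4 and not is_absolute(executable_of(o4["cmd"])):
                # rundll32.exe / nwiz.exe are resolved through the PATH search order,
                # so the log alone does not say which file actually runs.
                findings.append(Finding(sec, f"autostart '{o4['name']}' names its executable without a full path", line))
        elif sec == "O17":
            o17 = O17_RE.search(body)
            if o17:
                for ip in o17["servers"].split(","):
                    if ipaddress.ip_address(ip).is_global:
                        findings.append(Finding(sec, f"DNS server {ip} is outside private address space; confirm it with the network admin", line))
        elif sec == "O20":
            # Winlogon Notify packages are loaded into winlogon.exe at logon.
            findings.append(Finding(sec, "Winlogon Notify DLL: verify publisher and path", line))
        elif sec == "O23":
            # Body is "Service: <display name> - <owner> - <path>"; the display name
            # itself may contain " - ", so split from the right.
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1].lower() == "unknown owner":
                findings.append(Finding(sec, f"service '{parts[0]}' has no recorded publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

On the constructed sample the private 10.x name servers produce no finding, which is consistent with the corporate domain in the log; the two "(file missing)" entries and the service with no publisher are what a helper would ask about first.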

#18 vu_loki

vu_loki

    New Member

  • Authentic Member
  • 18 posts

Posted 27 April 2007 - 09:31 AM

Good morning to you! I have tried to run Panda ActiveScan twice. Both times it just disappears after a while of running. It does say it finds some spyware and hacking tools and rootkits, but then eventually it disappears. I am at a loss. I am trying to run it once more and hopefully it doesn't disappear again. Here is my latest HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 9:28:08 AM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AltDesk\AltDesk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\Bin\NTx86\imagine.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\eml.exe
C:\Program Files\ArcGIS\bin\AppLockMgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\viewer.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\modelmaker.exe
C:\WINDOWS\system32\cmd.exe
C:\cygwin\bin\bash.exe
C:\cygwin\bin\bash.exe
c:\ArcGIS\arcexe9x\bin\arc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\ArcGIS\Bin\ArcMap.exe
C:\Program Files\ArcGIS\Bin\AppROT.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\modeler.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\modeler.exe
C:\Program Files\eCognition Professional 4.0\bin\DIAClientLDH.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\modeler.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\modeler.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [AltDesk] C:\Program Files\AltDesk\AltDesk.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137446630656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\Software\..\Telephony: DomainName = wru.umt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{94AD5894-E43C-46C8-9A51-8B9982915D10}: NameServer = 10.10.7.6,10.10.11.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: MobiLink Synchronization - coyotEYEPro (ASANYm_coyotEYEPro) - Unknown owner - C:\Program Files\Sybase\SQL Anywhere 9\win32\dbmlsrv9.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#19 vu_loki

vu_loki

    New Member

  • Authentic Member
  • 18 posts

Posted 27 April 2007 - 09:35 AM

PS: I got a browser hijack this morning taking me to broadcaster.com. I'll post the results of the Panda ActiveScan later today if I can. Thanks again!

#20 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • 2,907 posts

Posted 27 April 2007 - 01:20 PM

Were these two pop-ups online or offline? What sites were you at? Have they been the only two you have had?

I'd still like the answers to the above.

Skip the Panda scan and do the following:

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Double click gmer.exe to begin:
  • If you get a message about "system modification", click Yes and work through the rest of the instructions.
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them separately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
Death to the salad eaters!

#21 vu_loki

vu_loki

    New Member

  • Authentic Member
  • 18 posts

Posted 30 April 2007 - 09:42 AM

The popups were online. I believe the Zedo one was probably legitimate, but the other one is surely related to browser hijacking. I cannot recall the exact sites I visited, but it was nothing different from my everyday routine at work. I'll post the reports later today. Thanks! vu_loki

#22 vu_loki

vu_loki

    New Member

  • Authentic Member
  • 18 posts

Posted 30 April 2007 - 10:39 AM

Here is the first scan:


GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-04-30 10:38:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT E1AF2F30 ZwConnectPort
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\System32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetDeviceCaps 77F15A7A 5 Bytes JMP 003293CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SelectObject 77F15B80 5 Bytes JMP 003262CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetTextColor 77F15D87 5 Bytes JMP 0032654C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetBkColor 77F15E39 5 Bytes JMP 003264CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetBkMode 77F15EEB 5 Bytes JMP 003268CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateCompatibleDC 77F15FF0 5 Bytes JMP 00327B4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyPatBlt 77F162C1 5 Bytes JMP 0032C84C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!IntersectClipRect 77F16A66 5 Bytes JMP 0032A84C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetClipBox 77F16AB1 5 Bytes JMP 0032904C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetClipRgn 77F16AE6 5 Bytes JMP 003271CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextExtentPointW 77F16B1D 5 Bytes JMP 0032A5CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 003260CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateCompatibleBitmap 77F1701A 5 Bytes JMP 00327ACC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ExtSelectClipRgn 77F17884 5 Bytes JMP 0032C2CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SelectClipRgn 77F17AB0 5 Bytes JMP 0032724C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!OffsetWindowOrgEx 77F17ACB 5 Bytes JMP 0032AC4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetViewportOrgEx 77F17B5C 5 Bytes JMP 00326A4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetViewportOrgEx 77F17C11 5 Bytes JMP 00326ECC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetWindowExtEx 77F17C89 5 Bytes JMP 00326F4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetViewportExtEx 77F17D01 5 Bytes JMP 00326E4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextMetricsW 77F17DC9 5 Bytes JMP 0032A7CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!TextOutW 77F17EBC 5 Bytes JMP 0032BF4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextExtentPoint32W 77F17FAD 5 Bytes JMP 0032A4CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ExtTextOutW 77F18036 5 Bytes JMP 003285CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!RectVisible 77F181CB 5 Bytes JMP 0032AECC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCurrentObject 77F182ED 5 Bytes JMP 003272CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SelectPalette 77F1832A 5 Bytes JMP 0032B2CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextCharsetInfo 77F18444 5 Bytes JMP 0032A2CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PatBlt 77F18593 5 Bytes JMP 0032C44C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetBrushOrgEx 77F186E4 5 Bytes JMP 0032714C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!RestoreDC 77F18A11 5 Bytes JMP 003273CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SaveDC 77F18AD7 5 Bytes JMP 0032734C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetTextAlign 77F18B74 5 Bytes JMP 0032BBCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetWindowOrgEx 77F18CFD 5 Bytes JMP 00326B4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetMapMode 77F18DD5 5 Bytes JMP 00326CCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetDIBitsToDevice 77F1900C 5 Bytes JMP 0032C0CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateDIBSection 77F19219 5 Bytes JMP 00327BCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetBkColor 77F193A5 5 Bytes JMP 003266CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextColor 77F193F9 5 Bytes JMP 0032674C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ExcludeClipRect 77F19536 5 Bytes JMP 0032844C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetStretchBltMode 77F19581 5 Bytes JMP 0032BACC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetMapMode 77F199EA 5 Bytes JMP 0032684C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextFaceW 77F19A97 5 Bytes JMP 0032A6CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextCharset 77F1A089 5 Bytes JMP 0032A24C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetNearestColor 77F1A176 5 Bytes JMP 00329C4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetBrushOrgEx 77F1A29D 5 Bytes JMP 003270CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetDIBits 77F1A779 5 Bytes JMP 0032CCCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateDIBitmap 77F1A905 5 Bytes JMP 00327C4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetDIBits 77F1AABB 5 Bytes JMP 0032934C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetDIBColorTable 77F1AC3D 5 Bytes JMP 003292CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!MaskBlt 77F1AC6A 5 Bytes JMP 0032614C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!MoveToEx 77F1ADC3 5 Bytes JMP 0032AACC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!StretchDIBits 77F1B03F 5 Bytes JMP 0032624C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateHalftonePalette 77F1B2DD 5 Bytes JMP 00327D4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetSystemPaletteEntries 77F1B2F1 5 Bytes JMP 0032A04C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetPixel 77F1B441 5 Bytes JMP 00329E4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetPixel 77F1B4C7 5 Bytes JMP 0032B8CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetPixelV 77F1B590 5 Bytes JMP 0032B9CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ModifyWorldTransform 77F1B7F6 5 Bytes JMP 0032AA4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetGraphicsMode 77F1B88B 5 Bytes JMP 003267CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetWorldTransform 77F1B956 5 Bytes JMP 00326BCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetWorldTransform 77F1B971 5 Bytes JMP 0032704C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!StretchBlt 77F1BAC2 5 Bytes JMP 003261CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!TextOutA 77F1BBDC 5 Bytes JMP 0032BECC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumFontFamiliesExW 77F1BC22 5 Bytes JMP 0032814C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!FrameRgn 77F1BFB0 5 Bytes JMP 0032884C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!OffsetViewportOrgEx 77F1C03F 5 Bytes JMP 0032ABCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetDCBrushColor 77F1C22B 5 Bytes JMP 003263CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ExtEscape 77F1C3F5 5 Bytes JMP 0032C24C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetBoundsRect 77F1D27A 5 Bytes JMP 003289CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetBoundsRect 77F1D29C 5 Bytes JMP 0032B3CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ExtTextOutA 77F1D422 5 Bytes JMP 0032854C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextAlign 77F1D44F 5 Bytes JMP 0032A14C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!LPtoDP 77F1D4EF 5 Bytes JMP 0032A94C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetROP2 77F1D8F8 5 Bytes JMP 0032694C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!LineTo 77F1D9BF 5 Bytes JMP 0032A9CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetDCOrgEx 77F1DA17 5 Bytes JMP 0032924C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetWindowOrgEx 77F1DA46 5 Bytes JMP 00326FCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!InvertRgn 77F1DB47 5 Bytes JMP 0032A8CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextMetricsA 77F1DC1F 5 Bytes JMP 0032A74C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!FillRgn 77F1DCF5 5 Bytes JMP 0032C34C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Polyline 77F1DD5D 5 Bytes JMP 0032CB4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharABCWidthsW 77F1DD99 5 Bytes JMP 00328BCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextExtentPointA 77F1DF7A 5 Bytes JMP 0032A54C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetOutlineTextMetricsW 77F1E42B 5 Bytes JMP 00329D4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetSystemPaletteUse 77F1E4D2 5 Bytes JMP 0032A0CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetICMMode 77F1E4F3 5 Bytes JMP 0032B5CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Rectangle 77F1E649 5 Bytes JMP 0032AF4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!RealizePalette 77F1E6E6 5 Bytes JMP 0032AE4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Polygon 77F1E714 5 Bytes JMP 0032CACC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetROP2 77F1E929 5 Bytes JMP 00326DCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!DPtoLP 77F1EA9E 5 Bytes JMP 00327DCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetTextCharacterExtra 77F1EB2A 5 Bytes JMP 0032BC4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharWidthA 77F1EDC8 5 Bytes JMP 00328D4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetFontData 77F1F258 5 Bytes JMP 003294CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextFaceA 77F1F2A9 5 Bytes JMP 0032A64C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetOutlineTextMetricsA 77F1F385 5 Bytes JMP 00329CCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharWidthW 77F1F7A9 5 Bytes JMP 00328ECC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!DeleteEnhMetaFile 77F1FE86 5 Bytes JMP 00325ECC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetEnhMetaFileHeader 77F20325 5 Bytes JMP 0032604C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetTextJustification 77F204B0 5 Bytes JMP 0032BCCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetMetaRgn 77F2053F 5 Bytes JMP 0032B7CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetPolyFillMode 77F20B04 5 Bytes JMP 0032BA4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetArcDirection 77F2116A 5 Bytes JMP 0032B34C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetMiterLimit 77F2118B 5 Bytes JMP 0032B84C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PlayEnhMetaFileRecord 77F21223 5 Bytes JMP 0032C4CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetPixelFormat 77F22901 5 Bytes JMP 00329ECC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateEnhMetaFileW 77F22C2D 5 Bytes JMP 00325CCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CloseEnhMetaFile 77F2319C 5 Bytes JMP 00325D4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetBkMode 77F23849 5 Bytes JMP 00326D4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetArcDirection 77F2389C 5 Bytes JMP 003288CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetPolyFillMode 77F238B6 5 Bytes JMP 00329F4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetMiterLimit 77F23A58 5 Bytes JMP 00329BCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetWindowExtEx 77F23B03 5 Bytes JMP 00326ACC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetViewportExtEx 77F23BAC 5 Bytes JMP 003269CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetGraphicsMode 77F23FA7 5 Bytes JMP 00326C4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateEnhMetaFileA 77F24692 5 Bytes JMP 00325C4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PlayMetaFileRecord 77F248B2 5 Bytes JMP 0032C5CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Escape 77F273B4 5 Bytes JMP 0032C1CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumObjects 77F2766B 5 Bytes JMP 003283CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CloseMetaFile 77F27E59 5 Bytes JMP 0032794C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumFontFamiliesA 77F29B90 5 Bytes JMP 00327FCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ResetDCW 77F2C209 5 Bytes JMP 0032B04C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextExtentPoint32A 77F2C2A7 5 Bytes JMP 0032A44C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetDIBColorTable 77F2C36D 5 Bytes JMP 0032CC4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextCharacterExtra 77F2C3BE 5 Bytes JMP 0032A1CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Ellipse 77F2C48F 5 Bytes JMP 00327F4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetColorSpace 77F2CCE0 5 Bytes JMP 0032B4CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SelectClipPath 77F2CE71 5 Bytes JMP 0032B24C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!OffsetClipRgn 77F2CFB3 5 Bytes JMP 0032AB4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!BeginPath 77F2D682 5 Bytes JMP 0032764C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EndPath 77F2D702 5 Bytes JMP 0032C14C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CancelDC 77F2E17C 5 Bytes JMP 003276CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyBezierTo 77F2E83F 5 Bytes JMP 0032C74C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolylineTo 77F2E8EC 5 Bytes JMP 0032CBCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CloseFigure 77F2E988 5 Bytes JMP 003278CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!StrokeAndFillPath 77F2EA08 5 Bytes JMP 0032BD4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCurrentPositionEx 77F2EAE3 5 Bytes JMP 003291CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharWidth32W 77F2EC6B 5 Bytes JMP 00328CCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PlayMetaFile 77F34BA9 5 Bytes JMP 0032C54C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetEnhMetaFileW 77F38FE2 5 Bytes JMP 00325E4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GdiComment 77F394C5 5 Bytes JMP 0032634C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PlayEnhMetaFile 77F39777 5 Bytes JMP 00325F4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumEnhMetaFile 77F397A3 5 Bytes JMP 00325FCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!FixBrushOrgEx 77F3A8B5 5 Bytes JMP 003286CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharWidth32A 77F3B975 5 Bytes JMP 00328C4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumFontsA 77F3BDAB 5 Bytes JMP 003281CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!RoundRect 77F3BDCE 5 Bytes JMP 0032B0CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PaintRgn 77F3BE99 5 Bytes JMP 0032C3CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Pie 77F3C81E 5 Bytes JMP 0032AD4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumFontFamiliesW 77F3CA71 5 Bytes JMP 0032804C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ScaleViewportExtEx 77F3CCD7 5 Bytes JMP 0032B14C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ScaleWindowExtEx 77F3CDB8 5 Bytes JMP 0032B1CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetMapperFlags 77F3D1FE 5 Bytes JMP 0032B74C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetSystemPaletteUse 77F3D288 5 Bytes JMP 0032BB4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetColorAdjustment 77F3D298 5 Bytes JMP 0032B44C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetAspectRatioFilterEx 77F3D2F8 5 Bytes JMP 0032894C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharacterPlacementA 77F3D313 5 Bytes JMP 00328F4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharWidthFloatA 77F3D640 5 Bytes JMP 00328DCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharWidthFloatW 77F3D664 5 Bytes JMP 00328E4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetGlyphIndicesA 77F3D6F3 5 Bytes JMP 0032964C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextExtentExPointA 77F3D888 5 Bytes JMP 0032A34C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetTextExtentExPointW 77F3DB43 5 Bytes JMP 0032A3CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharABCWidthsA 77F3DD2F 5 Bytes JMP 00328A4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharABCWidthsFloatA 77F3DD50 5 Bytes JMP 00328ACC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharABCWidthsFloatW 77F3DD71 5 Bytes JMP 00328B4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetGlyphOutlineW 77F3DDE1 5 Bytes JMP 0032984C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetGlyphOutline 77F3DECB 5 Bytes JMP 003297CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetKerningPairsW 77F3DF1F 5 Bytes JMP 00329ACC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetKerningPairs 77F3DF48 1 Byte [ E9 ]
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetKerningPairs + 2 77F3DF4A 3 Bytes [ BA, 3E, 88 ]
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetColorAdjustment 77F3E162 5 Bytes JMP 003290CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetCharacterPlacementW 77F3E2FC 5 Bytes JMP 00328FCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumFontsW 77F3F4E6 5 Bytes JMP 0032824C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumFontFamiliesExA 77F3F50B 5 Bytes JMP 003280CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetColorSpace 77F3FBD4 5 Bytes JMP 0032914C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CheckColorsInGamut 77F3FCB6 5 Bytes JMP 0032774C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetDeviceGammaRamp 77F3FE3C 5 Bytes JMP 0032944C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetDeviceGammaRamp 77F3FE6B 5 Bytes JMP 0032B54C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ColorCorrectPalette 77F408DB 5 Bytes JMP 003279CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumICMProfilesA 77F40C25 5 Bytes JMP 003282CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!EnumICMProfilesW 77F40CA2 5 Bytes JMP 0032834C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetICMProfileW 77F41F18 5 Bytes JMP 0032994C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetICMProfileA 77F42022 5 Bytes JMP 0032B64C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetICMProfileW 77F4203F 5 Bytes JMP 0032B6CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetICMProfileA 77F4253C 5 Bytes JMP 003298CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ColorMatchToTarget 77F42D69 5 Bytes JMP 00327A4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetDCBrushColor 77F42E72 5 Bytes JMP 003265CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetDCPenColor 77F42ED1 5 Bytes JMP 0032644C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetDCPenColor 77F43020 5 Bytes JMP 0032664C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetFontLanguageInfo 77F4307F 5 Bytes JMP 0032954C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetStretchBltMode 77F430D6 5 Bytes JMP 00329FCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetMetaRgn 77F43D39 5 Bytes JMP 00329B4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ResetDCA 77F43E16 5 Bytes JMP 0032AFCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!CreateDiscardableBitmap 77F43E87 5 Bytes JMP 00327CCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!UpdateColors 77F43E97 5 Bytes JMP 0032BFCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!DrawEscape 77F441BA 5 Bytes JMP 00327ECC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!AngleArc 77F44256 5 Bytes JMP 003274CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Arc 77F44308 5 Bytes JMP 0032754C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ArcTo 77F443F4 5 Bytes JMP 003275CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!Chord 77F444B4 5 Bytes JMP 0032784C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PlgBlt 77F445A0 5 Bytes JMP 0032C64C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ExtFloodFill 77F4469A 5 Bytes JMP 003284CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!FloodFill 77F447D0 5 Bytes JMP 003287CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyTextOutW 77F447F1 5 Bytes JMP 0032CA4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyTextOutA 77F448CE 5 Bytes JMP 0032C9CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!AbortPath 77F451F9 5 Bytes JMP 0032744C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!FlattenPath 77F45250 5 Bytes JMP 0032874C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!StrokePath 77F452A7 5 Bytes JMP 0032BDCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!FillPath 77F45334 5 Bytes JMP 0032864C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!WidenPath 77F453C1 5 Bytes JMP 0032C04C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PathToRegion 77F45418 5 Bytes JMP 0032ACCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetPath 77F4548C 5 Bytes JMP 00329DCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!ChoosePixelFormat 77F454E3 5 Bytes JMP 003277CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!DescribePixelFormat 77F45528 5 Bytes JMP 00327E4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SetPixelFormat 77F45573 5 Bytes JMP 0032B94C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!SwapBuffers 77F4560E 5 Bytes JMP 0032BE4C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyPolygon 77F45680 5 Bytes JMP 0032C8CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyPolyline 77F45725 5 Bytes JMP 0032C94C
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyBezier 77F457B9 5 Bytes JMP 0032C6CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PolyDraw 77F4586B 5 Bytes JMP 0032C7CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!PtVisible 77F459F7 5 Bytes JMP 0032ADCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetEnhMetaFileA 77F4A016 5 Bytes JMP 00325DCC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetGlyphIndicesW 77F5150E 5 Bytes JMP 003296CC
.text C:\Program Files\ArcGIS\Bin\ArcMap.exe[3436] GDI32.dll!GetFontUnicodeRanges 77F51660 5 Bytes JMP 003295CC
---- Processes - GMER 1.0.12 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2712] 0x62390000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2712] 0x60470000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [2712] 0x61EF0000
Library C:\PROGRA~1\WIFD1F~1\MpShHook.dll (*** hidden *** ) @ C:\PROGRA~1\SYMANT~1\VPTray.exe [2992] 0x5F800000
Library C:\PROGRA~1\WIFD1F~1\MpShHook.dll (*** hidden *** ) @ C:\Program Files\OpenOffice.org 2.2\program\soffice.bin [3260] 0x5F800000
Library C:\PROGRA~1\WIFD1F~1\MpShHook.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3476] 0x5F800000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3476] 0x62390000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3476] 0x60470000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\explorer.exe [3476] 0x61EF0000

---- EOF - GMER 1.0.12 ----

Here is the autostart scan:

GMER 1.0.12.12244 - http://www.gmer.net
Autostart scan 2007-04-30 10:39:35
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
NavLogon@DLLName = C:\WINDOWS\system32\NavLogon.dll
WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
ASANYm_coyotEYEPro /*MobiLink Synchronization - coyotEYEPro*/@ = C:\Program Files\Sybase\SQL Anywhere 9\win32\dbmlsrv9.exe -hvASANYm_coyotEYEPro /*file not found*/
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
ccEvtMgr /*Symantec Event Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
ccSetMgr /*Symantec Settings Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
DefWatch /*Symantec AntiVirus Definition Watcher*/@ = "C:\Program Files\Symantec AntiVirus\DefWatch.exe"
LightScribeService /*LightScribeService Direct Disc Labeling Service*/@ = "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
NVSvc /*NVIDIA Display Driver Service*/@ = %SystemRoot%\system32\nvsvc32.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
sshd /*CYGWIN sshd*/@ = C:\cygwin\bin\cygrunsrv.exe
Symantec AntiVirus /*Symantec AntiVirus*/@ = "C:\Program Files\Symantec AntiVirus\Rtvscan.exe"
WMPNetworkSvc /*Windows Media Player Network Sharing Service*/@ = "C:\Program Files\Windows Media Player\WMPNetwk.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Ptipbmfrundll32.exe ptipbmf.dll,SetWriteCacheMode = rundll32.exe ptipbmf.dll,SetWriteCacheMode
@SoundMAXPnPC:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe = C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
@SoundMAX"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
@ASUS ProbeC:\Program Files\ASUS\Probe\AsusProb.exe /*file not found*/ = C:\Program Files\ASUS\Probe\AsusProb.exe /*file not found*/
@ccApp"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
@vptrayC:\PROGRA~1\SYMANT~1\VPTray.exe = C:\PROGRA~1\SYMANT~1\VPTray.exe
@ISUSPM StartupC:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup /*file not found*/ = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup /*file not found*/
@ISUSScheduler"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start /*file not found*/ = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start /*file not found*/
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
@nwiznwiz.exe /install = nwiz.exe /install
@NvMediaCenterRunDLL32.exe NvMCTray.dll,NvTaskbarInit = RunDLL32.exe NvMCTray.dll,NvTaskbarInit
@WatchDogC:\Program Files\mobile PhoneTools\WatchDog.exe /*file not found*/ = C:\Program Files\mobile PhoneTools\WatchDog.exe /*file not found*/
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Handy Backup 4.1C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon /*file not found*/ = C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon /*file not found*/
@AltDeskC:\Program Files\AltDesk\AltDesk.exe = C:\Program Files\AltDesk\AltDesk.exe
@WMPNSCFGC:\Program Files\Windows Media Player\WMPNSCFG.exe = C:\Program Files\Windows Media Player\WMPNSCFG.exe
@BitTorrent"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized /*file not found*/ = "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized /*file not found*/
@Yahoo! Pager"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{182B90A3-F372-438A-800C-6814B4DE417B}(null) =
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{68DD2975-D9B9-4530-846E-EFA41B7470ED} /*Handy Backup*/(null) =
@{2AA59FC0-31E8-42DA-9D3C-E9A52953853B} /*CopyToCD shell extension*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\WINDOWS\system32\nvcpl.dll = C:\WINDOWS\system32\nvcpl.dll
@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{1E9B04FB-F9E5-4718-997B-B8DA88302A48} /*nView Desktop Context Menu*/C:\WINDOWS\system32\nvshell.dll = C:\WINDOWS\system32\nvshell.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL
@{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} /*OpenOffice.org Column Handler*/"C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"
@{087B3AE3-E237-4467-B8DB-5A38AB959AC9} /*OpenOffice.org Infotip Handler*/"C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"
@{63542C48-9552-494A-84F7-73AA6A7C99C1} /*OpenOffice.org Property Sheet Handler*/"C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"
@{3B092F0C-7696-40E3-A80F-68D74DA84210} /*OpenOffice.org Thumbnail Viewer*/"C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll" = "C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
VIDEOTRANS@{548773BA-874E-4C02-9DC7-B7A096772C7D} = C:\Program Files\MP3 Player Utilities 3.57\AMVTools\SrcCount.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\System32\scrnsave.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\System32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = wru.umt.edu

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{94AD5894-E43C-46C8-9A51-8B9982915D10} /*Local Area Connection*/ >>>
@IPAddress10.8.19.34 = 10.8.19.34
@NameServer10.10.7.6,10.10.11.2 = 10.10.7.6,10.10.11.2
@DefaultGateway10.8.19.254 = 10.8.19.254
@Domain =

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
Adobe Reader Synchronizer.lnk = Adobe Reader Synchronizer.lnk
Acrobat Assistant.lnk = Acrobat Assistant.lnk
Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk
Adobe Reader Synchronizer.lnk = Adobe Reader Synchronizer.lnk

---- EOF - GMER 1.0.12 ----

Thanks Again!

#23 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 30 April 2007 - 12:55 PM

At this time I have no idea at all what you have wrong with the PC. I don't see anything I recognize as malicious, although I could just be missing it. Run through the following and if that shows nothing, I'll have to go and bother some people to take a look and see if they can identify the cause:

1) Download F-Secure's BlackLight from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable.

3) Go to Start > Run, copy and paste the following into the text box and hit OK:
"%userprofile%\desktop\fsbl.exe" /expert

The F-Secure Blacklight Beta window should open.
  • Accept the agreement and click Next >.
  • Click the Scan button to begin.
  • Leave the PC idle while the scan takes place.
  • When it has completed, click the Close button.
  • A text file, fsbl-date/time, will be saved onto your Desktop - copy and paste this into your next reply.

Death to the salad eaters!

#24 vu_loki

vu_loki

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 01 May 2007 - 08:10 AM

I forgot to mention that when I came in yesterday my Symantec weekly scan had found and quarantined two Trojan files. I will post the Symantec log after the BlackLight log. Here are the results of the BlackLight scan:

04/30/07 14:28:20 [Info]: BlackLight Engine 1.0.61 initialized
04/30/07 14:28:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/30/07 14:28:20 [Note]: 7019 4
04/30/07 14:28:20 [Note]: 7005 0
04/30/07 14:28:27 [Note]: 7006 0
04/30/07 14:28:27 [Note]: 7022 0
04/30/07 14:28:27 [Note]: 7011 2712
04/30/07 14:28:28 [Note]: 7026 0
04/30/07 14:28:28 [Note]: 7026 0
04/30/07 14:28:33 [Note]: FSRAW library version 1.7.1021
04/30/07 14:42:52 [Note]: 2000 1012
04/30/07 14:42:52 [Note]: 2000 1012
05/01/07 08:07:01 [Note]: 7007 0

Here is the Symantec log:

Date,Filename,Threat,Threat Type,Action Taken,Computer,User,Original Location,Status,Current Location,Primary Action,Secondary Action,Scan Type,Action Description
4/29/2007 12:58:54 AM,A0008630.dll,Trojan Horse,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP37\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/28/2007 11:58:55 PM,A0008629.dll,Trojan Horse,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP37\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/28/2007 6:26:14 PM,ukcgjwqf.dll,Trojan Horse,File,Quarantined,PUMA,will,C:\WINDOWS\system32\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/28/2007 6:24:05 PM,cllyqmsn.dll,Trojan Horse,File,Quarantined,PUMA,will,C:\WINDOWS\system32\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/21/2007 9:58:54 PM,A0008053.dll,Trojan.Adclicker,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP28\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/21/2007 8:58:54 PM,A0008052.dll,Trojan.Adclicker,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP28\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/21/2007 7:58:54 PM,A0008051.dll,Trojan.Adclicker,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP28\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/21/2007 6:58:54 PM,A0008050.dll,Trojan.Adclicker,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP28\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/21/2007 5:58:55 PM,A0008049.dll,Trojan.Adclicker,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP28\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/20/2007 8:55:31 PM,wyjfrkmh.dll,Trojan.Adclicker,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/20/2007 8:55:11 PM,wbqxbjya.dll,Trojan.Adclicker,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/20/2007 8:51:50 PM,gepfpgei.dll,Trojan.Adclicker,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/20/2007 8:49:31 PM,cdrgmcme.dll,Trojan.Adclicker,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/20/2007 8:41:51 PM,backup-20070404-165426-713.dll,Trojan.Adclicker,File,Quarantined,PUMA,will,C:\Program Files\Hijackthis\backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:46 PM,yrgedwtg.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:45 PM,yhtllcps.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:45 PM,wddofjpm.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:45 PM,qvajyfgt.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:45 PM,qlhsniyi.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:45 PM,oyksqecm.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:44 PM,oehsphvs.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:40 PM,mdyadqmc.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:40 PM,klppfinp.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:40 PM,jjqcoyeh.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:40 PM,isuhwbnv.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:40 PM,hpdfavvj.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:35 PM,chkgeiqj.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/7/2007 6:15:35 PM,bpqngvhj.dll.bad,Trojan.Metajuan,File,Quarantined,PUMA,will,C:\VundoFix Backups\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.
4/3/2007 1:42:06 PM,ngeqfpmj.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/3/2007 1:17:39 PM,ssctevaj.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/3/2007 12:40:33 PM,htykuwwi.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/2/2007 6:24:56 PM,ecqhygop.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/2/2007 1:18:58 PM,wmbsvpqb.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.
4/2/2007 10:11:46 AM,afcweanj.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
4/2/2007 9:08:08 AM,frglnysh.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/31/2007 9:07:40 AM,vcatorfj.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/29/2007 9:07:21 AM,mxmnqvwl.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/28/2007 7:07:24 PM,ajmjbjll.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/27/2007 2:34:36 PM,knprlypg.exe,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/26/2007 2:34:45 PM,hsotjvcs.exe,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/26/2007 2:34:35 PM,mgqbavqy.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/26/2007 10:39:36 AM,lqtrwnex.dll,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/26/2007 10:39:35 AM,aiqrdnpt.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/26/2007 10:39:29 AM,buirwdwl.exe,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 2:27:26 PM,nmynoebg.dll,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 2:27:23 PM,ubmmmkkm.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 2:27:21 PM,qnjrdkoy.exe,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 2:23:31 PM,egdrjbrd.dll,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 2:23:27 PM,wlkxodkx.exe,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 2:23:25 PM,nusvepfv.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 1:10:16 PM,unsvchosts.exe,Adware.MaxSearch,File; Adware,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Delete infected file,Leave alone (log only),Manual scan,The file was deleted successfully.
3/23/2007 12:59:20 PM,Dc23.exe,Adware.MaxSearch,File; Adware,Deleted,PUMA,will,C:\RECYCLER\S-1-5-21-343818398-764733703-725345543-1003\,Deleted,Deleted,Delete infected file,Leave alone (log only),Manual scan,The file was deleted successfully.
3/23/2007 12:36:14 PM,UnInstall.exe,Adware.MaxSearch,File; Adware,Deleted,PUMA,will,C:\Program Files\Common Files\{305C6EE4-0DBF-1033-0223-040530030001}\,Deleted,Deleted,Delete infected file,Leave alone (log only),Manual scan,The file was deleted successfully.
3/23/2007 12:03:31 PM,xddojrli.dll,Infostealer,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 12:03:26 PM,dhhqexlv.exe,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 12:03:23 PM,nfjkrgyy.dll,Trojan.Vundo,File,Deleted,PUMA,will,C:\windows\temp\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 11:50:18 AM,svchosts.exe,Trojan Horse,File,Quarantined,PUMA,will,C:\WINDOWS\system32\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
3/23/2007 11:01:06 AM,msdtc_32.exe,Downloader,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:59:47 AM,user_32.dll,Downloader,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:55:29 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:55:29 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:55:25 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:53:51 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:53:49 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:53:38 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:46:57 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:41:59 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:41:57 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:41:56 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:41:37 AM,svhost.exe,Trojan.Adclicker,File,Deleted,PUMA,will,C:\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:40:59 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:40:25 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:38:46 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:38:45 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:38:45 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:38:43 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:37:02 AM,cdromdrv32.dll,Downloader,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:36:58 AM,cdromdrv32.dll,Downloader,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:36:56 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:36:55 AM,cdromdrv32.dll,Downloader,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:36:52 AM,user_32.dll,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:36:51 AM,cdromdrv32.dll,Downloader,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:36:51 AM,lcass.exe,Downloader,File,Deleted,PUMA,will,C:\windows\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:36:50 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
3/23/2007 10:36:50 AM,cdromdrv32.dll,Downloader,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:34:24 AM,ldcore.dll,Trojan.Adclicker,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
3/23/2007 10:34:18 AM,Update.exe,Trojan.Adclicker,File,Deleted,PUMA,will,C:\Program Files\Common Files\{705C6EE4-0DBF-1033-0223-040530030001}\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.
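A Symantec risk-history export like the one above is a CSV, and the quickest way to make sense of six weeks of it is to parse it rather than read it. The script below is an added example written for this page; it is not part of the thread and not Symantec tooling. It assumes only the column layout visible in the posted header line. The SAMPLE_LOG records are constructed to match that format (modelled on a few of the posted entries), and the two naming heuristics it applies (eight random lowercase letters, and names one edit away from a Windows system binary such as svchost.exe or lsass.exe), along with the list of system names, are this example's own assumptions. It also separates hits under System Volume Information, which are copies held in System Restore points rather than live files, and pulls out "Left alone" records, which mean the scanner saw the file but could not act on it, so it was still on disk at that point.

```python
"""Triage a Symantec AntiVirus risk-history CSV export (added example)."""
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Column layout as seen in the posted log.
HEADER = ("Date,Filename,Threat,Threat Type,Action Taken,Computer,User,"
          "Original Location,Status,Current Location,Primary Action,"
          "Secondary Action,Scan Type,Action Description")

# Constructed sample records in the same shape as the posted log (not the full log).
SAMPLE_LOG = "\n".join([
    HEADER,
    r"4/29/2007 12:58:54 AM,A0008630.dll,Trojan Horse,File,Deleted,PUMA,SYSTEM,C:\System Volume Information\_restore{718D792A-E333-41C5-B2D5-C052EAA6BD91}\RP37\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.",
    r"4/28/2007 6:26:14 PM,ukcgjwqf.dll,Trojan Horse,File,Quarantined,PUMA,will,C:\WINDOWS\system32\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Scheduled scan,The file was quarantined successfully.",
    r"4/20/2007 8:55:31 PM,wyjfrkmh.dll,Trojan.Adclicker,File,Deleted,PUMA,will,C:\WINDOWS\system32\,Deleted,Deleted,Clean virus from file,Delete infected file,Auto-Protect scan,The file was deleted successfully.",
    r"3/23/2007 11:50:18 AM,svchosts.exe,Trojan Horse,File,Quarantined,PUMA,will,C:\WINDOWS\system32\,Infected,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.",
    r"3/23/2007 10:55:29 AM,msdtc_32.exe,Downloader,File,Left alone,PUMA,will,C:\WINDOWS\system32\,Infected,C:\WINDOWS\system32\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.",
    r"3/23/2007 10:36:51 AM,lcass.exe,Downloader,File,Deleted,PUMA,will,C:\windows\,Deleted,Deleted,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was deleted successfully.",
])

# Heuristic (this example's assumption): the droppers in this log use eight random lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
# System binaries that droppers imitate; the list is this example's assumption, not a complete one.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "msdtc.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "user32.dll")


def parse_log(text):
    """Parse the CSV export into a list of dict rows keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(s):
    """The export uses US-style 12-hour timestamps, e.g. '4/29/2007 12:58:54 AM'."""
    return datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(filename):
    """Return 'lookalike:<system name>', 'random-name' or 'other' for a detected file name."""
    name = filename.lower()
    stem = name.rsplit(".", 1)[0]
    for legit in SYSTEM_NAMES:
        lstem = legit.rsplit(".", 1)[0]
        if stem == lstem:
            continue  # the genuine name is not an imitation of itself
        # svchosts / svhost / lcass are one edit away; msdtc_32 / user_32 extend or tweak the real stem
        if stem.startswith(lstem) or edit_distance(stem, lstem) <= 1:
            return "lookalike:" + legit
    if RANDOM_NAME.match(name):
        return "random-name"
    return "other"


def in_restore_point(row):
    """Hits under System Volume Information are System Restore copies, not live files."""
    return "System Volume Information" in row["Original Location"]


def summarize(rows):
    """Counts by threat, restore-point hits, files left on disk, name classes and time span."""
    live = [r for r in rows if not in_restore_point(r)]
    dates = [parse_date(r["Date"]) for r in rows]
    return {
        "by_threat": Counter(r["Threat"] for r in rows),
        "restore_point_hits": len(rows) - len(live),
        # 'Left alone' means the scanner could not act: the file was still present at that time.
        "left_alone": sorted(r["Original Location"] + r["Filename"]
                             for r in rows if r["Action Taken"] == "Left alone"),
        "name_classes": Counter(classify(r["Filename"]) for r in live),
        "span_days": (max(dates) - min(dates)).days,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents. The two name heuristics are deliberately narrow; a detection that lands in "other" is not cleared, it simply does not match the two patterns this particular infection used. Restore-point hits are worth counting separately because they recur every time System Restore is scanned until the old restore points are purged, and they can make a cleaned machine look re-infected.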

#25 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 02 May 2007 - 02:23 PM

Download Combofix by sUBs from here and save it to your Desktop.
  • Double click combo.exe to run it and follow the prompts.
  • When the tool has finished, it will produce a log C:\ComboFix.txt - copy and paste it into your next reply.
  • Post a fresh HJT log as well.
  • Let me know how the PC is behaving.
Please Note:
  • Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.
  • Disable Script Blocking if you have NAV installed as it will interfere with the normal working of this tool.
  • Trojan Hunter has been reported to detect this tool as Worm.Qiv.100 - please ignore this, it's a false-positive.

Death to the salad eaters!

#26 vu_loki

vu_loki

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 03 May 2007 - 09:39 AM

I cannot get ComboFix to run. It tells me I have an incompatible OS. I am running XP Professional.

#27 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 03 May 2007 - 01:26 PM

Will you try a fresh download - it's running OK on my system as I type, and I'm running Pro as well. If it still won't run, I'll give sUBs a nudge and see if there's a solution forthcoming.
Death to the salad eaters!

#28 vu_loki

vu_loki

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 03 May 2007 - 01:49 PM

Still get "incompatible OS" as the first line, and then it exits on any keystroke.

#29 Noviciate

Noviciate

    Retired WTT Teacher

  • Visiting Fellow
  • PipPipPipPipPip
  • 2,907 posts

Posted 03 May 2007 - 03:04 PM

Download catchme by Gmer from here and save it to your Desktop.
Double click it to run it and it will create a text file, catchme.log, on your Desktop.
Once it has finished scanning, copy and paste it into your next reply.
Death to the salad eaters!

#30 vu_loki

vu_loki

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 03 May 2007 - 03:26 PM

Here is the catchme log:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Here is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:26:42 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AltDesk\AltDesk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\Bin\NTx86\imagine.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\eml.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\viewer.exe
C:\WINDOWS\system32\cmd.exe
C:\cygwin\bin\bash.exe
C:\cygwin\bin\bash.exe
c:\ArcGIS\arcexe9x\bin\arc.exe
C:\Program Files\ArcGIS\bin\AppLockMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\cmd.exe
C:\cygwin\bin\bash.exe
C:\cygwin\bin\bash.exe
c:\ArcGIS\arcexe9x\bin\arc.exe
C:\WINDOWS\system32\cmd.exe
C:\cygwin\bin\bash.exe
C:\cygwin\bin\bash.exe
c:\ArcGIS\arcexe9x\bin\arc.exe
C:\WINDOWS\system32\winhlp32.exe
C:\WINDOWS\winhlp32.exe
C:\Program Files\ArcGIS\Bin\ArcMap.exe
C:\Program Files\ArcGIS\Bin\AppROT.exe
C:\Program Files\ArcGIS\Bin\ArcCatalog.exe
C:\Program Files\Leica Geosystems\Geospatial Imaging 9.1\bin\NTx86\mosaictoolpro.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Handy Backup 4.1] C:\Program Files\Novosoft\Handy Backup\hbagent.exe -logon
O4 - HKCU\..\Run: [AltDesk] C:\Program Files\AltDesk\AltDesk.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1137446630656
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\Software\..\Telephony: DomainName = wru.umt.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{94AD5894-E43C-46C8-9A51-8B9982915D10}: NameServer = 10.10.7.6,10.10.11.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wru.umt.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wru.umt.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: MobiLink Synchronization - coyotEYEPro (ASANYm_coyotEYEPro) - Unknown owner - C:\Program Files\Sybase\SQL Anywhere 9\win32\dbmlsrv9.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


You know I haven't had any issues in the last several days. Everything seems fine. I'll let you know if I have any further problems or, if you see anything here, let me know what you think.

Thanks,
Will
