HiJackThis Startup and normal log

eujing

Newbie

Posts: 9

HiJackThis Startup and normal log

« on: August 17, 2009, 08:39:50 PM »

OK my comp just recovered from the vundo virus and the comp occasionally crashes so just to be sure could anyone analyze my startup and processes log?

Startuplist:
StartupList report, 8/16/2009, 7:47:02 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\User\Desktop\Hijackthis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v8.00 (8.00.6001.18702)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\system32\wscntfy.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\User\Start Menu\Programs\Startup]
hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
GammaTray.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RTHDCPL = RTHDCPL.EXE
StartCCC = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
NeroFilterCheck = C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
VMSnap3 = C:\WINDOWS\VMSnap3.EXE
Domino = C:\WINDOWS\Domino.EXE
Adobe Reader Speed Launcher = "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
SunJavaUpdateSched = "C:\Program Files\Java\jre6\bin\jusched.exe"
itype = "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
IMJPMIG8.1 = "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
MSPY2002 = C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
PHIME2002ASync = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
avgnt = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
AppleSyncNotifier = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
uTorrent = "C:\Documents and Settings\User\Desktop\Origami Instructions or stuff\3GP_Converter034\uTorrent.exe"

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job
User_Feed_Synchronization-{08AA1953-B7A1-4E77-A8C6-345104A039E7}.job
{7B02EF0B-A410-4938-8480-9BA26420A627}.job
{BB65B0FB-5712-401b-B616-E69AC55E2757}.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

[System Requirements Lab Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sysreqlab_srl.dll
CODEBASE = http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
OSD = C:\WINDOWS\Downloaded Program Files\sysreqlab.osd

[{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}]
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab

[DLM Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\DOWNLO~1.OCX
CODEBASE = http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

[get_atlcom Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\gp.ocx
CODEBASE = http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #5: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\TEMP\hjgruipghxdskrac.tmp

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: C:\WINDOWS\system32\upnpui.dll
SSODL: *Registry key not found*

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

exec = C:\WINDOWS\system32\mshrxtte.exe

--------------------------------------------------

End of report, 8,772 bytes
Report generated in 0.046 seconds

Logfile of HijackThis v1.99.1
Scan saved at 7:45:11 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MagicTune Premium\GammaTray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MagicTune Premium\MagicTune.exe
C:\WINDOWS\system32\wscntfy.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\User\Desktop\Origami Instructions or stuff\3GP_Converter034\uTorrent.exe"
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: GammaTray.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - G:\avg\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - G:\avg\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


	Logged

Guest

Guest

My HijackThis log

« Reply #1 on: August 17, 2009, 08:43:47 PM »

Hello, visitor!

The Hijack This log analyzer has analyzed your log. Please take a closer look on the results.

Your log does not indicate any spyware or virus infection. However, there are some entries that you might want to fix. Please follow the steps below.

The following entries are not malicious, but some of them are not used anymore. You may use HijackThis to fix a few of them. However, please keep in mind that some of the entries marked as Questionable or Not Needed are fully legitimate and might be required by installed software to work properly, while some others might be related to certain parasites. It is up to you to decide whether you need any of them, or not.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O4 - Global Startup: GammaTray.lnk = ?
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - G:\avg\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - G:\avg\avgwdsvc.exe (file missing)
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

The following files and Windows registry entries are marked as "unknown". Currently, the HijackThis Log Analyzer cannot provide required information on these items. The files and entries in the list below can be both malicious and fully legitimate. Because of this, please do not take any action! Wait for the forum responders or other forum users to provide you with necessary details and further instructions.
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [VMSnap3] C:\WINDOWS\VMSnap3.EXE
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\User\Desktop\Origami Instructions or stuff\3GP_Converter034\uTorrent.exe"
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: MagicTuneEngine - Unknown owner - C:\Program Files\MagicTune Premium\MagicTuneEngine.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

If you want to see more detailed analysis of your log, click here.

Thank you for using the 2-Spyware.com HijackThis log analyzer beta 2!


	Logged

rodi

Administrator
Newbie

Posts: 245

HiJackThis Startup and normal log

« Reply #2 on: August 17, 2009, 11:45:40 PM »

Hi,

There are still some serious problems that must be fixed:

R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.1.cab

O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - G:\avg\avgwdsvc.exe (file missing)

O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe

I suggest you to download Spyware Doctor and scan your PC, because manual removal can damage Windows.

http://www.2-spyware.com/review-spyware-doctor.html

Remove found infections. If Spyware Doctor won't run, then rename the installer an run it again.

Alternatively, you may use MalwareBytes anti-malware.
http://www.2-spyware.com/review-malwarebytes-anti-malware.html

After that, download CCleaner from http://www.ccleaner.com
This tool will fix all found problems and errors.

Good luck


	Logged

eujing

Newbie

Posts: 9

HiJackThis Startup and normal log

« Reply #3 on: August 18, 2009, 01:06:01 AM »

What is wrong with de AVG watch dog and Windows update thing?


	Logged

rodi

Administrator
Newbie

Posts: 245

HiJackThis Startup and normal log

« Reply #4 on: August 18, 2009, 04:14:35 AM »

O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - G:\avg\avgwdsvc.exe (file missing)

First of all, the owner of this service is unknown. Secondly, O23 entries with (file missing) don't guarantee that file is really missing. It can be that HJT doesn't see the file. HJT "fixing" doesn't remove the malware, you have to remove it manually. But as I said before, you should scan your PC with Spyware Doctor and see if it detects this file as infection.

O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe

mssrv32.exe file is added by Troj/Agent-GCE Trojan. It's not related with Microsoft.


	Logged

eujing

Newbie

Posts: 9

HiJackThis Startup and normal log

« Reply #5 on: August 18, 2009, 05:37:30 AM »

ok i skipped the doctor thing and used MBAM (cause i heard it from somewhere before) and it found 6 infections. It has deleted 6 files including the darkness thingy and fake microsoft thingy but 2 of the things cannot be deleted. Its one of those trojan files where the names are randomly generated and it can be deleted but keeps coming back. i Will post the logs from MBAM
Initial Log:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/18/2009 7:29:18 PM
mbam-log-2009-08-18 (19-29-18).txt

Scan type: Full Scan (C:\|F:\|G:\|L:\|)
Objects scanned: 439498
Time elapsed: 1 hour(s), 14 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 17
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{38101905-d80f-4788-96f6-986a8186178a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d7db869-3021-4cd2-af0a-b3cad75ece31} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msupdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Darkness (Trojan.Backdoor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pcmstub (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{38101905-d80f-4788-96f6-986a8186178a} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SSODL (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssrv32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\a99k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Current Log:
Malwarebytes' Anti-Malware 1.40
Database version: 2647
Windows 5.1.2600 Service Pack 3

8/18/2009 8:06:27 PM
mbam-log-2009-08-18 (20-06-27).txt

Scan type: Quick Scan
Objects scanned: 4758
Time elapsed: 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

This file hjgruixeyqfuwk.dll seems to be able to be generated. I wonder if you could help me find the soure (AppInit maybe?). Or is it a harmless file that i should leave alone?


	Logged

rodi

Administrator
Newbie

Posts: 245

HiJackThis Startup and normal log

« Reply #6 on: August 18, 2009, 06:33:35 AM »

You shouldn't rely only on MalwareBytes anti-malware. I strongly recommend you to scan your PC with Spyware Doctor. You don't have to buy it. Just scan the system to make sure that MalwareBytes has detected and removed all infections.

As for \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (Trojan.TDSS)

It's quite dangerous threat. It may download additional malware. Likely there is a rookit. Use GMER to remove it. http://www.gmer.net


	Logged

eujing

Newbie

Posts: 9

Help!!!!!!!!!!!!!!!

« Reply #7 on: August 19, 2009, 02:31:50 AM »

Help me!!!!!!!!!!! After the GMER scan, the file i was talking about has infected like almost all my processes. I will paste the log here. PLease find a way to help.OK its a little long i will upload on megaupload.
GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-19 19:29:47
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 89F8A3A8 ZwEnumerateKey
Code 89F7E3D0 ZwFlushInstructionCache
Code \SystemRoot\System32\Drivers\sptd.sys IoCreateFile
Code 89F8EC96 IofCallDriver
Code 89FBBC96 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 89F8EC9B
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 89FBBC9B
.text ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel + 862 8054131A 4 Bytes CALL A4E9E19A 00005340
PAGE ntkrnlpa.exe!IoCreateFile 8057691C 5 Bytes JMP B52995FB \SystemRoot\System32\Drivers\sptd.sys
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 89F7E3D4
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF0 5 Bytes JMP 89F8A3AC
? 00005340 The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\synsenddrv.sys The system cannot find the file specified. !
.text ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0151000A
.text C:\WINDOWS\system32\svchost.exe[348] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0137000A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[428] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 014C000A
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1328] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe[1448] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 016D000A
.text C:\WINDOWS\system32\Ati2evxx.exe[1512] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A
.text C:\WINDOWS\RTHDCPL.EXE[1944] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003F000A
.text C:\WINDOWS\VMSnap3.EXE[1968] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\Domino.EXE[1976] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2780] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\MagicTune Premium\MagicTuneEngine.exe[3008] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9521 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCB69 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED3AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2543F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E3C10 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E3B42 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E3BAD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3A13 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E3C73 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E3AD7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED408 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3200] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E3F78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\system32\svchost.exe[3368] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0066000A
.text C:\WINDOWS\system32\wscntfy.exe[3900] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0086000A
.text C:\Documents and Settings\User\Desktop\gmer.exe[4012] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003B000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1328] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3200] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\bugkdpzgr \Device\{9DD6AFA1-8646-4720-836B-EDCB1085864A} 00005340

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:1276] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 System [4.1276] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 System [4.1276] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 System [4.1276] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 System [4.1276] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 System [4.1276] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 System [4.1276] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 System [4.1276] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 System [4.1276] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 System [4.1276] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 System [4.1276] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 System [4.1276] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 System [4.1276] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 System [4.1276] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 System [4.1276] ZwWriteVirtualMemory [0xA4E9D702]

---- Threads - GMER 1.0.15 ----

Thread System [4:2624] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 System [4.2624] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 System [4.2624] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 System [4.2624] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 System [4.2624] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 System [4.2624] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 System [4.2624] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 System [4.2624] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 System [4.2624] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 System [4.2624] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 System [4.2624] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 System [4.2624] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 System [4.2624] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 System [4.2624] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 System [4.2624] ZwWriteVirtualMemory [0xA4E9D702]

---- Threads - GMER 1.0.15 ----

Thread System [4:1776] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 System [4.1776] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 System [4.1776] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 System [4.1776] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 System [4.1776] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 System [4.1776] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 System [4.1776] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 System [4.1776] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 System [4.1776] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 System [4.1776] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 System [4.1776] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 System [4.1776] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 System [4.1776] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 System [4.1776] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 System [4.1776] ZwWriteVirtualMemory [0xA4E9D702]
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [148] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\Microsoft IntelliPoint\ipoint.exe [180] 0x003F0000

---- Threads - GMER 1.0.15 ----

Thread ipoint.exe [180:1924] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 ipoint.exe [180.1924] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 ipoint.exe [180.1924] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 ipoint.exe [180.1924] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 ipoint.exe [180.1924] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 ipoint.exe [180.1924] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 ipoint.exe [180.1924] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 ipoint.exe [180.1924] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 ipoint.exe [180.1924] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 ipoint.exe [180.1924] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 ipoint.exe [180.1924] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 ipoint.exe [180.1924] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 ipoint.exe [180.1924] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 ipoint.exe [180.1924] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 ipoint.exe [180.1924] ZwWriteVirtualMemory [0xA4E9D702]
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\sched.exe [204] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [348] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe [392] 0x10000000

---- Threads - GMER 1.0.15 ----

Thread CCC.exe [392:2108] SSDT 0x88AC4B90 != 0x80504460

SSDT 00005340 CCC.exe [392.2108] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 CCC.exe [392.2108] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 CCC.exe [392.2108] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 CCC.exe [392.2108] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 CCC.exe [392.2108] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 CCC.exe [392.2108] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 CCC.exe [392.2108] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 CCC.exe [392.2108] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 CCC.exe [392.2108] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 CCC.exe [392.2108] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 CCC.exe [392.2108] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 CCC.exe [392.2108] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 CCC.exe [392.2108] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 CCC.exe [392.2108] ZwWriteVirtualMemory [0xA4E9D702]
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [428] 0x00AA0000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [452] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\Windows Live\Messenger\msnmsgr.exe [460] 0x10000000

---- Threads - GMER 1.0.15 ----

Thread msnmsgr.exe [460:1536] SSDT 0x88AC4B90 != 0x80504460

SSDT 00005340 msnmsgr.exe [460.1536] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 msnmsgr.exe [460.1536] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 msnmsgr.exe [460.1536] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 msnmsgr.exe [460.1536] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 msnmsgr.exe [460.1536] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 msnmsgr.exe [460.1536] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 msnmsgr.exe [460.1536] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 msnmsgr.exe [460.1536] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 msnmsgr.exe [460.1536] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 msnmsgr.exe [460.1536] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 msnmsgr.exe [460.1536] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 msnmsgr.exe [460.1536] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 msnmsgr.exe [460.1536] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 msnmsgr.exe [460.1536] ZwWriteVirtualMemory [0xA4E9D702]
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [472] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [480] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Documents and Settings\User\Desktop\Origami Instructions or stuff\3GP_Converter034\uTorrent.exe [492] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\MagicTune Premium\GammaTray.exe [692] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [708] 0x10000000
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\Program Files\MagicTune Premium\MagicTune.exe [736] 0x011A0000

---- Threads - GMER 1.0.15 ----

Thread csrss.exe [880:3584] SSDT 0x88AC4B90 != 0x80504460

SSDT 00005340 csrss.exe [880.3584] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 csrss.exe [880.3584] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 csrss.exe [880.3584] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 csrss.exe [880.3584] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 csrss.exe [880.3584] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 csrss.exe [880.3584] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 csrss.exe [880.3584] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 csrss.exe [880.3584] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 csrss.exe [880.3584] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 csrss.exe [880.3584] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 csrss.exe [880.3584] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 csrss.exe [880.3584] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 csrss.exe [880.3584] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 csrss.exe [880.3584] ZwWriteVirtualMemory [0xA4E9D702]
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [912] 0x10000000

---- Threads - GMER 1.0.15 ----

Thread winlogon.exe [912:2816] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 winlogon.exe [912.2816] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 winlogon.exe [912.2816] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 winlogon.exe [912.2816] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 winlogon.exe [912.2816] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 winlogon.exe [912.2816] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 winlogon.exe [912.2816] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 winlogon.exe [912.2816] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 winlogon.exe [912.2816] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 winlogon.exe [912.2816] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 winlogon.exe [912.2816] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 winlogon.exe [912.2816] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 winlogon.exe [912.2816] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 winlogon.exe [912.2816] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 winlogon.exe [912.2816] ZwWriteVirtualMemory [0xA4E9D702]

---- Threads - GMER 1.0.15 ----

Thread winlogon.exe [912:1912] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 winlogon.exe [912.1912] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 winlogon.exe [912.1912] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 winlogon.exe [912.1912] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 winlogon.exe [912.1912] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 winlogon.exe [912.1912] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 winlogon.exe [912.1912] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 winlogon.exe [912.1912] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 winlogon.exe [912.1912] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 winlogon.exe [912.1912] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 winlogon.exe [912.1912] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 winlogon.exe [912.1912] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 winlogon.exe [912.1912] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 winlogon.exe [912.1912] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 winlogon.exe [912.1912] ZwWriteVirtualMemory [0xA4E9D702]
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [960] 0x10000000

---- Threads - GMER 1.0.15 ----

Thread services.exe [960:1364] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 services.exe [960.1364] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 services.exe [960.1364] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 services.exe [960.1364] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 services.exe [960.1364] ZwOpenKey [0xA4E9D19C]
SSDT 00005340 services.exe [960.1364] ZwOpenProcess [0xA4E9CF06]
SSDT 00005340 services.exe [960.1364] ZwOpenThread [0xA4E9CF8E]
SSDT 00005340 services.exe [960.1364] ZwProtectVirtualMemory [0xA4E9D768]
SSDT 00005340 services.exe [960.1364] ZwQuerySystemInformation [0xA4E9CE00]
SSDT 00005340 services.exe [960.1364] ZwReadVirtualMemory [0xA4E9D69C]
SSDT 00005340 services.exe [960.1364] ZwSetContextThread [0xA4E9D139]
SSDT 00005340 services.exe [960.1364] ZwSetValueKey [0xA4E9D4A0]
SSDT 00005340 services.exe [960.1364] ZwSuspendThread [0xA4E9D0D6]
SSDT 00005340 services.exe [960.1364] ZwTerminateThread [0xA4E9D073]
SSDT 00005340 services.exe [960.1364] ZwWriteVirtualMemory [0xA4E9D702]
Library \\?\globalroot\systemroot\system32\hjgruixeyqfuwk.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [972] 0x10000000

---- Threads - GMER 1.0.15 ----

Thread lsass.exe [972:3360] SSDT 0x8A015748 != 0x80504460

SSDT 00005340 lsass.exe [972.3360] ZwDeleteValueKey [0xA4E9D5A4]
SSDT 00005340 lsass.exe [972.3360] ZwEnumerateKey [0xA4E9D254]
SSDT 00005340 lsass.exe [972.3360] ZwEnumerateValueKey [0xA4E9D360]
SSDT 00005340 lsass.exe [972.3360] ZwOpenKey [0xA4E9D19C]
SSDT 00005340


	Logged

eujing

Newbie

Posts: 9

HiJackThis Startup and normal log

« Reply #8 on: August 19, 2009, 02:33:51 AM »

OK heres the link http://www.megaupload.com/?d=LBOHO3NI
The file is named GMER.txt


	Logged

eujing

Newbie

Posts: 9

HiJackThis Startup and normal log

« Reply #9 on: August 19, 2009, 02:42:11 AM »

I am thinking if this is too out of hand, a reinstalling of windows is required. I also suspect that GMER has been tampered as i deleted it and downloaded again and results were diff. It seems to only recognize the processes i am running as infected so i am suspicious. i think running this in safemode is better? Is there a manual way to remove this threat? I am starting to worry...................


	Logged

eujing

Newbie

Posts: 9

HiJackThis Startup and normal log

« Reply #10 on: August 19, 2009, 02:59:18 AM »

erm btw i tried spywaredoctor and it installs fine but after a scan the bsod occurs. This happened with GMER too the first time it ran. And do u have like msn so i dont need to wait for u to reply? or is it unsafe or nvm just a bit worried.......


	Logged

eujing

Newbie

Posts: 9

HiJackThis Startup and normal log

« Reply #11 on: August 20, 2009, 01:08:41 AM »

Erm my msn has a problem but thats ok. Erm i am using root analyzer now and heres a log.( It scares me........)

Quote

:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\hjgruidpbitevp.dll"
File:"Hidden file","C:\WINDOWS\system32\hjgruiimeogmrr.dat"
File:"Hidden file","C:\WINDOWS\system32\hjgruipjxvjdqb.dat"
File:"Hidden file","C:\WINDOWS\system32\hjgruixeyqfuwk.dll"
File:"Invisible to Win32","C:\WINDOWS\Temp\hjgruispuiqatqik.tmp"
File:"Invisible to Win32","C:\WINDOWS\system32\hjgruidpbitevp.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\hjgruiimeogmrr.dat"
File:"Invisible to Win32","C:\WINDOWS\system32\hjgruipjxvjdqb.dat"
File:"Invisible to Win32","C:\WINDOWS\system32\hjgruixeyqfuwk.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\hjgruibirrxyqj.sys"
Directory:"No admin in ACL","C:\Program Files\NOS"
Directory:"No admin in ACL","C:\Program Files\NOS\bin"
Directory:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\NOS"
How do i remove these files? GMER tries to delete them but cant and deletes on startup and i found this file in my C:/WINDOWS wininit.ini it contains these:

Quote

[rename]
c:\tempjunk7870.tmp=C:\WINDOWS\system32\nunoloje.dll_old
nul=c:\tempjunk2637.tmp
c:\tempjunk6857.tmp=C:\WINDOWS\system32\kovejago.dll_old
c:\tempjunk5799.tmp=C:\WINDOWS\system32\nnnoMFWm.dll
c:\tempjunk4189.tmp=C:\WINDOWS\system32\ssqNFWNf.dll_old
c:\tempjunk2364.tmp=C:\WINDOWS\system32\habanuvo.dll_old
c:\tempjunk3342.tmp=C:\WINDOWS\system32\nnnoMFWm.dll_old
c:\tempjunk3884.tmp=C:\WINDOWS\system32\efcCvSLe.dll_old
c:\tempjunk8763.tmp=C:\WINDOWS\system32\eLSvCcfe.ini2
c:\tempjunk710.tmp=C:\WINDOWS\system32\eLSvCcfe.ini
c:\tempjunk2384.tmp=C:\WINDOWS\system32\adebapuy.ini
c:\tempjunk6351.tmp=C:\WINDOWS\system32\silugihi.dll_old
c:\tempjunk2277.tmp=C:\WINDOWS\system32\efcCvSLe.dll_old
c:\tempjunk5486.tmp=C:\WINDOWS\system32\comsa32.sys
c:\tempjunk8051.tmp=C:\WINDOWS\system32\silugihi.dll
c:\tempjunk9876.tmp=C:\WINDOWS\system32\wininet.exe
c:\tempjunk1342.tmp=C:\WINDOWS\system32\svshost.dll_old
c:\tempjunk3623.tmp=C:\WINDOWS\system32\msmgs.exe
c:\tempjunk121.tmp=C:\WINDOWS\system32\drivers\hjgruibirrxyqj.sys
c:\tempjunk5946.tmp=C:\WINDOWS\system32\hjgruidpbitevp.dll
c:\tempjunk3264.tmp=C:\WINDOWS\system32\hjgruixeyqfuwk.dll
c:\tempjunk6174.tmp=C:\WINDOWS\temp\hjgruiktthbirpvr.tmp
c:\tempjunk3620.tmp=C:\WINDOWS\temp\hjgruiqoijpwivrc.tmp
c:\tempjunk7329.tmp=C:\WINDOWS\system32\hjgruiimeogmrr.dat
c:\tempjunk9612.tmp=C:\WINDOWS\system32\hjgruipjxvjdqb.dat
c:\tempjunk4532.tmp=C:\WINDOWS\system32\drivers\hjgruibirrxyqj.sys
c:\tempjunk5299.tmp=C:\WINDOWS\system32\hjgruidpbitevp.dll
c:\tempjunk3522.tmp=C:\WINDOWS\system32\hjgruixeyqfuwk.dll
c:\tempjunk7455.tmp=C:\WINDOWS\system32\hjgruiimeogmrr.dat
c:\tempjunk4420.tmp=C:\WINDOWS\system32\hjgruipjxvjdqb.dat
c:\tempjunk7132.tmp=C:\WINDOWS\system32\drivers\hjgruibirrxyqj.sys
c:\tempjunk5475.tmp=C:\WINDOWS\system32\hjgruidpbitevp.dll
c:\tempjunk8713.tmp=C:\WINDOWS\system32\hjgruixeyqfuwk.dll
c:\tempjunk1239.tmp=C:\WINDOWS\system32\hjgruiimeogmrr.dat
c:\tempjunk2637.tmp=C:\WINDOWS\system32\hjgruipjxvjdqb.dat

Is there a way i can delete these files manually?


	Logged

Pages: [1]

« previous next »

HiJackThis Startup and normal log

Spreading the knowledge: