Google Redirect Rootkit Infection


  • This topic is locked
17 replies to this topic

#1 rmbeatty

rmbeatty

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 28 December 2009 - 09:35 PM

I began seeing pop-ups for Spyware and Virus removal tools saying I was infected with Worm.Win32.Netsky. I realized that I was not in fact infected with netsky as no netsky removal tool could find it. It was instead what appears to be a rootkit infection. I had run Malwarebytes Anti-Malware and that deleted many infected files and computer appeared to be working properly. Then it began to become infected again. In addition to the spyware pop-ups, I also get Google redirects which became so bad that I could not actually get to any website I tried. It was always re-directed. Malwarebytes keeps finding a file in C:\Windows\System32\drivers called kavjam.sys that it says is infected with Rootkit.Agent. It says it removes it and to re-boot, but a subsequent Malware scan finds it again. I ran combofix which said it found that file to be infected (among others) and I instructed combofix to clean it. A subsequent Malware scan still found it infected. What's next? Thanks in advance for your help.


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:11:34 AM

Posted 28 December 2009 - 10:01 PM

Can you post the Malwarebytes log?

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 rmbeatty

rmbeatty
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 29 December 2009 - 08:50 AM

Thanks.

Here are the Malwarebytes and Dr.Web logs. Appreciate the help. FYI, this log is from Malwarebytes after I ran Dr.Web, and you can see the rootkit infection is still present.

Malwarebytes' Anti-Malware 1.42
Database version: 3432
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18865

12/29/2009 8:49:22 AM
mbam-log-2009-12-29 (08-49-16).txt

Scan type: Quick Scan
Objects scanned: 102620
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\kajvam.sys (Rootkit.Agent) -> No action taken.


Process in memory: C:\Windows\system32\svchost.exe:656;;BackDoor.Tdss.565;Eradicated.;
Process.exe;C:\Windows\system32;Tool.Prockill;Incurable.Moved.;
ctfmon.dll;C:\Windows\system32\CTF;Trojan.KeyLogger;Deleted.;
ctfmon.exe;C:\Windows\system32\CTF;Trojan.KeyLogger;Deleted.;
ctfs.dll;C:\Windows\system32\CTF;Program.InspectorSpy;Incurable.Moved.;
atapi.sys;C:\Windows\system32\drivers;BackDoor.Tdss.1365;Cured.;
Process.exe;C:\Windows\system32\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Windows\system32\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
haypsixd.exe;C:\;Trojan.MulDrop.origin;Incurable.Moved.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1365;Cured.;
haypsixd.exe;C:\Documents and Settings\Richard\DoctorWeb\Quarantine;Trojan.MulDrop.origin;Incurable.Moved.;
LTRM2_WWEFG_win.exe\___\db.exe;C:\Documents and Settings\Richard\Downloads\Programs\Adobe Photoshop Lightroom 2 ENG\LTRM2_WWEFG_win.exe;Trojan.Fakealert.5734;;
LTRM2_WWEFG_win.exe\___\IC.exe;C:\Documents and Settings\Richard\Downloads\Programs\Adobe Photoshop Lightroom 2 ENG\LTRM2_WWEFG_win.exe;Trojan.DownLoad.59026;;
LTRM2_WWEFG_win.exe;C:\Documents and Settings\Richard\Downloads\Programs\Adobe Photoshop Lightroom 2 ENG;Archive contains infected objects;Moved.;
Process.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Program Files\Mozilla Firefox\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
p30_sve.chm\S_h_r_g_r_du_f_r_att_l_gga_till_ett_nytt_team.htm;C:\Program Files\Polar\Polar Precision Performance\p30_sve.chm;Modification of Trojan.DownLoad1.22701;;
p30_sve.chm;C:\Program Files\Polar\Polar Precision Performance;Container contains infected objects;Moved.;
imageshackert.exe;C:\Program Files\Utilities;Trojan.StartPage.21584;Deleted.;
Process.exe;C:\Windows\System32;Tool.Prockill;Invalid path to file ;
ctfs.dll;C:\Windows\System32\CTF;Program.InspectorSpy;Invalid path to file ;
atapi.sys;C:\Windows\System32\drivers;BackDoor.Tdss.1365;Cured.;
Process.exe;C:\Windows\System32\SmitfraudFix;Tool.Prockill;Invalid path to file ;
restart.exe;C:\Windows\System32\SmitfraudFix;Tool.ShutDown.14;Invalid path to file ;
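The Dr.Web report above is a semicolon-separated list (name;folder;detection;action;). Two things are worth pulling out of it mechanically: the same kernel driver, atapi.sys under system32\drivers, is listed three times as "Cured." of BackDoor.Tdss.1365 within one report, and several of the other rows (Tool.Prockill, Tool.ShutDown.14) are components of the SmitfraudFix utility rather than the infection. The Python below is an added example, not code from this thread or from Dr.Web, that parses this format and surfaces both patterns. Its input is a subset of the lines from the report above; the column meanings and the "Process in memory: <path>:<pid>" form of the first row are taken from that report.

```python
"""Triage a Dr.Web CureIt report, where each line is: name;folder;detection;action;"""
from collections import Counter

SEP = "\\"

# Sample input: a subset of the lines from the Dr.Web report posted above.
SAMPLE_REPORT = r"""
Process in memory: C:\Windows\system32\svchost.exe:656;;BackDoor.Tdss.565;Eradicated.;
Process.exe;C:\Windows\system32;Tool.Prockill;Incurable.Moved.;
ctfmon.dll;C:\Windows\system32\CTF;Trojan.KeyLogger;Deleted.;
atapi.sys;C:\Windows\system32\drivers;BackDoor.Tdss.1365;Cured.;
restart.exe;C:\Windows\system32\SmitfraudFix;Tool.ShutDown.14;Incurable.Moved.;
haypsixd.exe;C:\;Trojan.MulDrop.origin;Incurable.Moved.;
atapi.sys;c:\windows\system32\drivers;BackDoor.Tdss.1365;Cured.;
LTRM2_WWEFG_win.exe\___\db.exe;C:\Documents and Settings\Richard\Downloads\Programs\Adobe Photoshop Lightroom 2 ENG\LTRM2_WWEFG_win.exe;Trojan.Fakealert.5734;;
atapi.sys;C:\Windows\System32\drivers;BackDoor.Tdss.1365;Cured.;
Process.exe;C:\Windows\System32\SmitfraudFix;Tool.Prockill;Invalid path to file ;
"""


def parse_drweb(report: str) -> list[dict]:
    """Return one dict per detection row with name, folder, detection, action and full path."""
    rows = []
    for line in report.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4 or not fields[2]:
            continue  # blank line or not a detection row
        name, folder, detection, action = fields[:4]
        if name.startswith("Process in memory:"):
            # Memory hits put "<path>:<pid>" in the first field and leave the folder empty.
            full, _, pid = name.split(":", 1)[1].strip().rpartition(":")
            folder, _, name = full.rpartition(SEP)
            action = f"{action} (pid {pid})"
        rows.append({"name": name, "folder": folder, "detection": detection,
                     "action": action, "path": folder.rstrip(SEP) + SEP + name})
    return rows


def recurring(rows: list[dict]) -> dict[str, int]:
    """Paths that show up more than once in a single report (compared case-insensitively)."""
    counts = Counter(r["path"].lower() for r in rows)
    return {p: n for p, n in counts.items() if n > 1}


def kernel_driver_hits(rows: list[dict]) -> list[dict]:
    """Detections on files in a \\drivers folder: the rows that point at a kernel rootkit."""
    return [r for r in rows if r["folder"].lower().endswith(SEP + "drivers")]


def by_family(rows: list[dict], prefix: str) -> list[dict]:
    """Rows whose detection name starts with the given family prefix, e.g. 'BackDoor.Tdss'."""
    return [r for r in rows if r["detection"].lower().startswith(prefix.lower())]


def triage(report: str) -> dict:
    """Summarise a report: counts per category plus kernel drivers re-detected within one run."""
    rows = parse_drweb(report)
    driver_paths = {r["path"].lower() for r in kernel_driver_hits(rows)}
    return {
        "detections": len(rows),
        "tdss": len(by_family(rows, "BackDoor.Tdss")),
        # Tool.* rows are utilities (here SmitfraudFix components), not the infection itself.
        "tools": len(by_family(rows, "Tool.")),
        "driver_paths": sorted(driver_paths),
        # The same kernel driver detected repeatedly in one report: the cleanup is not sticking.
        "driver_recured": sorted(p for p in recurring(rows) if p in driver_paths),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it against a saved DrWeb.csv by reading the file into `triage()`; the "driver_recured" list is the one to look at first, since a storage driver that is cured and immediately re-detected is exactly the pattern described in the opening post.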

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:11:34 AM

Posted 29 December 2009 - 05:16 PM

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.



#5 rmbeatty

rmbeatty
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 31 December 2009 - 11:57 AM

Rigel,
Thanks for the help thus far. I tried to run Rootrepeal twice so far and both times it gets pretty far into the scan and then a message pops up. Here is the weird thing, the message box has a border, but the center of the box is transparent so I can't actually see what the message says. I clicked around on the box and it clearly recognizes a click because then the box and Rootrepeal close. Any ideas? Should I run in Safe Mode? Thanks again for the help.

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:11:34 AM

Posted 31 December 2009 - 04:17 PM

Let's try another scanner....

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

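One of the checks behind GMER's "Kernel code sections" output is whether a loaded driver's entry point lies inside a code section of its PE image; in the log posted in the next reply it flags atapi.sys with "entry point in '.rsrc' section", meaning AddressOfEntryPoint resolves into the resource section, which is never where a legitimately built driver starts. The Python below is an added example, not code from this thread or from GMER, that performs that PE-header check. It builds two constructed minimal PE32 headers (no real driver bytes): one with the entry point in INIT, where many Windows drivers place DriverEntry, and one with the entry point redirected into .rsrc, as the log reports for atapi.sys. Section names, sizes and flags in DRIVER_LAYOUT are assumptions for the demonstration.

```python
"""Find the PE section containing AddressOfEntryPoint and judge whether it is a code section."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def entry_point_section(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]         # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]         # same offset in PE32 and PE32+
    table = opt + opt_size
    for i in range(n_sections):
        hdr = table + 40 * i                                      # each section header is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, hdr + 8)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]         # Characteristics
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            executable = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
            return {"entry_rva": entry_rva, "section": name, "executable": executable,
                    # GMER-style verdict: entry point outside a code section, or inside resources
                    "suspicious": (not executable) or name == ".rsrc"}
    # Entry point in no section at all is also not something a linker produces.
    return {"entry_rva": entry_rva, "section": None, "executable": False, "suspicious": True}


def build_pe(entry_rva: int, sections: list[tuple[bytes, int, int, int]]) -> bytes:
    """Constructed minimal PE32 header for testing: headers and a section table, no code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Assumed section layout loosely modelled on a small Windows driver.
DRIVER_LAYOUT = [
    (b".text",  0x1000, 0x4000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x5000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b"INIT",   0x6000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rsrc",  0x7000, 0x0400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]

CLEAN_DRIVER = build_pe(0x6010, DRIVER_LAYOUT)     # DriverEntry in INIT: normal
PATCHED_DRIVER = build_pe(0x7020, DRIVER_LAYOUT)   # entry point moved into .rsrc: what GMER flags

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # check a real file, e.g. a copy of atapi.sys
        with open(sys.argv[1], "rb") as fh:
            print(entry_point_section(fh.read()))
    else:
        print("clean  :", entry_point_section(CLEAN_DRIVER))
        print("patched:", entry_point_section(PATCHED_DRIVER))
```

One caveat when using this on a live machine: a kernel-mode rootkit that filters disk reads can hand a user-mode program an unmodified copy of the driver, so a clean result from the running system proves little. Run the check on the file from clean boot media, or rely on a scanner such as GMER that inspects the image the kernel actually loaded.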


#7 rmbeatty

rmbeatty
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:34 AM

Posted 03 January 2010 - 07:18 PM

Here you go...let me know what's next. Thanks a lot!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-03 18:40:42
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Richard\AppData\Local\Temp\uxtdipow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenProcess [0x8FE00C90] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwOpenThread [0x8FE00D7E] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateProcess [0x8FE00BF4] <-- ROOTKIT !!!
SSDT \??\C:\Program Files\BitDefender\BitDefender 2009\bdselfpr.sys ZwTerminateThread [0x8FE00EC4] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 624 820FCBE8 4 Bytes [90, 0C, E0, 8F]
.text ntkrnlpa.exe!KeSetTimerEx + 640 820FCC04 4 Bytes [7E, 0D, E0, 8F] {JLE 0xf; LOOPNZ 0xffffffffffffff93}
.text ntkrnlpa.exe!KeSetTimerEx + 854 820FCE18 8 Bytes [F4, 0B, E0, 8F, C4, 0E, E0, ...] {HLT ; OR ESP, EAX; POP ESP; PUSH CS; LOOPNZ 0xffffffffffffff97}
? System32\Drivers\kajvam.sys A device attached to the system is not functioning. !
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x827BC024]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EE02000, 0x241AC8, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[884] ole32.dll!CoCreateInstance 7703E188 5 Bytes JMP 008D000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [01021AB4] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegOpenKeyExA] [01022F53] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHELL32.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [01021AB4] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [01021AB4] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [01021AB4] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegCreateKeyExA] [01022D91] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExA] [01022F53] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\RPCRT4.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [01021AB4] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExA] [01022D91] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExA] [01022F53] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [01021AB4] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenUserClassesRoot] [01022708] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\ole32.dll [ADVAPI32.dll!RegOpenKeyExA] [01022F53] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegCreateKeyExA] [01022D91] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegOpenKeyExA] [01022F53] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [01021AB4] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\NETAPI32.dll [ADVAPI32.dll!RegOpenKeyExA] [01022F53] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\NETAPI32.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\NETAPI32.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\NETAPI32.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USERENV.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USERENV.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\USERENV.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [01021BFA] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [01021BE0] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\Secur32.dll [ADVAPI32.dll!RegCreateKeyExW] [01022E8B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\Secur32.dll [ADVAPI32.dll!RegOpenKeyExW] [0102303E] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe[1800] @ C:\Windows\system32\Secur32.dll [ADVAPI32.dll!RegCloseKey] [01022D0B] C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe (incdsrv/Nero AG)
IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01BD2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [01BD2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01BD2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2960] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01BD2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Richard\Desktop\gmer.exe[3076] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Richard\Desktop\gmer.exe[3076] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [003C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Richard\Desktop\gmer.exe[3076] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Richard\Desktop\gmer.exe[3076] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ASUS\AI Direct Link\AsShare.exe[3152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00962F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ASUS\AI Direct Link\AsShare.exe[3152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00962D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ASUS\AI Direct Link\AsShare.exe[3152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00962CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\ASUS\AI Direct Link\AsShare.exe[3152] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00962CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3336] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00602F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3336] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00602D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3336] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00602CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3336] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00602CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\ehome\ehmsas.exe[4824] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00B02F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\ehome\ehmsas.exe[4824] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00B02D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\ehome\ehmsas.exe[4824] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00B02CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\ehome\ehmsas.exe[4824] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00B02CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\System32\mobsync.exe[4904] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00262F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\System32\mobsync.exe[4904] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00262D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\System32\mobsync.exe[4904] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00262CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\System32\mobsync.exe[4904] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00262CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5052] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00612F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5052] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00612D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5052] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00612CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[5052] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00612CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C42F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00C42D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C42CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C42CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[5420] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86E4C9C0

AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys

Device -> \Driver\atapi \Device\Harddisk0\DR0 85BE2618

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] kajvam <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kajvam@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kajvam@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kajvam@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kajvam@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xE0 0xC8 0xCA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB9 0xF4 0x75 0xCC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0xFE 0x51 0x6B ...
Reg HKLM\SYSTEM\ControlSet002\Services\kajvam@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\kajvam@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\kajvam@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\kajvam@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0xE0 0xC8 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xB9 0xF4 0x75 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD4 0xFE 0x51 0x6B ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
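
The GMER log above ends with a hidden boot-start service ("kajvam"), its registry values under Services\kajvam, an unattributed filter on \Device\Tcp and an in-place modification of atapi.sys. The Python below is an added triage example, not code from this thread and not GMER's own: it parses a constructed excerpt of the lines posted here, correlates the hidden Service line with the Type/Start/Group values of the same service across control sets, and reports boot-start hidden services, modified files and filter drivers that carry no vendor string. The regular expressions and the risk labels are assumptions based on the GMER 1.0.15 line layout shown in this thread.

```python
"""Added example: triage a GMER 1.0.15 log excerpt (constructed from the lines
posted above) by correlating hidden services with their registry entries."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Line shapes assumed from the GMER output posted in this thread
HIDDEN_SERVICE_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
SERVICE_VALUE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\([^\\@]+)@(\w+) (.*)$")
SUSPICIOUS_FILE_RE = re.compile(r"^File (.+?) suspicious modification$")
ATTACHED_DEVICE_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+)(?: \((.*)\))?$")

# Constructed excerpt of the log above (same line formats, fewer lines)
SAMPLE_GMER_LOG = r"""
AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Service (*** hidden *** ) [BOOT] kajvam <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\kajvam@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kajvam@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kajvam@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\kajvam@Start 0
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""


@dataclass
class ServiceFinding:
    name: str
    hidden: bool = False
    load_stage: str = ""                        # the [BOOT] tag on the Service line
    control_sets: Set[str] = field(default_factory=set)
    values: Dict[str, object] = field(default_factory=dict)

    @property
    def risk(self) -> str:
        boot_start = self.values.get("Start") == 0      # Start=0 is SERVICE_BOOT_START
        if self.hidden and boot_start:
            return "HIGH: hidden service registered as a boot-start driver"
        if self.hidden:
            return "HIGH: service hidden from the Service Control Manager"
        if boot_start:
            return "REVIEW: boot-start driver, loads before security software"
        return "INFO"


def _coerce(data: str):
    """GMER prints DWORD data as bare decimals; keep anything else as a string."""
    return int(data) if data.isdigit() else data


def triage_gmer(lines) -> Tuple[Dict[str, ServiceFinding], List[str], List[dict]]:
    """Return (services by name, files modified in place, device filter drivers)."""
    services: Dict[str, ServiceFinding] = {}
    modified_files: List[str] = []
    filters: List[dict] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if m := HIDDEN_SERVICE_RE.match(line):
            svc = services.setdefault(m.group(2), ServiceFinding(m.group(2)))
            svc.hidden, svc.load_stage = True, m.group(1)
        elif m := SERVICE_VALUE_RE.match(line):
            control_set, name, value, data = m.groups()
            svc = services.setdefault(name, ServiceFinding(name))
            svc.control_sets.add(control_set)
            # The active control set wins when both sets carry the same value
            if control_set == "CurrentControlSet" or value not in svc.values:
                svc.values[value] = _coerce(data)
        elif m := SUSPICIOUS_FILE_RE.match(line):
            modified_files.append(m.group(1))
        elif m := ATTACHED_DEVICE_RE.match(line):
            _driver, device, filt, desc = m.groups()
            # A filter with no vendor string needs attribution before it is trusted
            filters.append({"device": device, "file": filt, "description": desc,
                            "unattributed": desc is None})
    return services, modified_files, filters


def report(lines) -> List[str]:
    services, files, filters = triage_gmer(lines)
    out = [f"{s.name}: {s.risk} (values={s.values}, control sets={sorted(s.control_sets)})"
           for s in services.values()]
    out += [f"modified in place: {f}" for f in files]
    out += [f"unattributed filter on {f['device']}: {f['file']}"
            for f in filters if f["unattributed"]]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GMER_LOG.splitlines())))
```

Only values directly under Services\<name> are correlated; the sptd\Cfg subkeys in the log are deliberately skipped because they belong to a DAEMON Tools configuration blob, not to a service definition. The unattributed-filter check is a prompt to look the file up, not a verdict: bdftdif.sys here belongs to the BitDefender product the helper asks to be disabled.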

#8 rigel

Posted 03 January 2010 - 10:36 PM

We need to do two things...

Temporarily disable Bit Defender and run a defogger program

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Re-run GMER and post the new log.

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Please enable Bit Defender.

Edited by rigel, 03 January 2010 - 10:37 PM.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#9 rmbeatty

Posted 04 January 2010 - 08:48 AM

Ran DeFogger and didn't exactly get an error, but after saying Finished, it did not ask to reboot the machine. I ran it again and the same thing happened. Here is the log. BTW, the line that says Unable to read kavjam.sys seems odd, as kavjam.sys is the file that Malwarebytes was detecting as infected. Thanks for your help.


defogger_disable by jpshortstuff (28.11.09.2)
Log created at 08:46 on 04/01/2010 (Richard)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read kajvam.sys
SPTD -> Already disabled


-=E.O.F=-

#10 rigel


Posted 05 January 2010 - 08:22 AM

Go ahead and run GMER now... and post the new log. Be sure to re-enable the drivers after your run.


#11 rmbeatty


Posted 05 January 2010 - 11:57 AM

Have tried multiple times to run GMER since DeFogger and it hangs up at a different point each time. I believe one time it actually finished, and when I went to save the log it hung up. Any suggestions? Thanks.

#12 rigel


Posted 05 January 2010 - 12:08 PM

Let's try an alternative.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#13 rmbeatty


Posted 06 January 2010 - 08:36 AM

Sophos found a bunch of items, but none were recommended for removal, including the file kavjam.sys, which seems to be the infected one. I did not re-scan or do the ARK scan as noted above since I have not removed anything from the computer. Log is below. What's next? Thanks.

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 12/28/2009 at 19:46:35
User "Richard" on computer "THEAXIS"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\HiddenDummyLayouts
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\SortOrder
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\TIP
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\lwb93u8.Q%2FA%3D5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409641%26ver%3D9.0.0[1].2124%26ts%3D1261856657230,;ord=1261856634
Hidden: file C:\Windows\System32\DriverStore\FileRepository\cl_64791.inf_51084e4f\B_64997\atioglxx.dll
Hidden: file C:\Program Files\MediaMonkey\MediaMonkey.exe
Hidden: file C:\Windows\System32\DriverStore\FileRepository\cl_74233.inf_7c06431a\B_74640\atioglxx.dll
Hidden: file C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ZY55Z18\w[1].bin
Hidden: file C:\Program Files\MediaMonkey\MediaMonkey (non-skinned).exe
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\Windows\System32\drivers\kajvam.sys
Hidden: file C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9A0AURBH\w[1].bin
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8LW1VB92\oIHR4UwJa4.g%2FA%3D5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409640%26fmt%3D2.0%26intl%3Dus%26os%3Dwin%26ver%3D9.0.0[1].htm
Hidden: file C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9A0AURBH\w[2].bin
Hidden: file C:\Windows\System32\config\systemprofile\AppData\Roaming\Your PC Protector\Your PC Protector.exe
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8LW1VB92\MSC3C2JGS7YK2VBF0MM5F3XG7AU3O&meta=&alias=nexplore.com&language=en-us&page=_search[1].html&pagetitle=NeXplore%20-%20Search&referer=&screen=800x600&localtime=0%3A35
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SB0NTWWH\5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409640%26fmt%3D2.0%26intl%3Dus%26os%3Dwin%26ver%3D9.0.0[1].2124,;ord=1261851716
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N181646\3Debay%2526pd_x%253D00%2526p%253Deb%2526l%253DSKY%2526kw%253Dvintage+metal+church+1989%2526rand%253D1261548632%2526c%253Dsh%2526sig%253Dx.UJuVbISJ4xAZM[1].w14Z_Q--
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SB0NTWWH\ecGDiXfyJM54rPzJLymdshuvjBmvVy3Puqh24fNS15WYnANDeS02LthKUoS3EQH64JfXYSuAMvd-f0IPkjVfHXU6XosIrkxNwLGPrt1DEDsxWYrfXoBg1ZsxsFdjZoxCVxmU2LACE4deXn38mkmvXpABa1jE[1].htm
Stopped logging on 12/28/2009 at 20:56:08


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 1/6/2010 at 0:53:28
User "Richard" on computer "THEAXIS"
Windows version 6.0 SP 1.0 Service Pack 1 build 6001 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\HiddenDummyLayouts
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\SortOrder
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\TIP
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\f=http%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[1].adp%253Fmagic%253D93245511%2526width%253D120%2526height%253D90%2526sn%253Dsnwboardr31
Hidden: file C:\Windows\System32\DriverStore\FileRepository\cl_64791.inf_51084e4f\B_64997\atioglxx.dll
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8LW1VB92\5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409640%26fmt%3D2.0%26intl%3Dus%26os%3Dwin%26ver%3D9.0.0[1].2124,;ord=1262096338
Hidden: file C:\Windows\System32\DriverStore\FileRepository\cl_74233.inf_7c06431a\B_74640\atioglxx.dll
Hidden: file C:\Windows\System32\atioglxx.dll
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\dfghfghgfj[2].dll
Hidden: file C:\Program Files\Common Files\Intuit\QuickBooks\ZRush_ShipRush3_QB.ocx
Hidden: file C:\Program Files\MediaMonkey\MediaMonkey (non-skinned).exe
Hidden: file C:\Windows\System32\drivers\kajvam.sys
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\n%3D93245511%3Bkr581%3D3830%3Bkvag%3Dam3%3Aua38%3Bkvug%3D1%3Bkvtid%3D15je4an0e1tjba%3Bkvseg%3D99999%3A50280%3Bkp%3D36816%3Bnodecode%3Dyes%3Blink%3D;ord=99519563[1]
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SB0NTWWH\SetupIS2010[1].exe
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\dfghfghgfj[1].dll
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N181646\5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409640%26fmt%3D2.0%26intl%3Dus%26os%3Dwin%26ver%3D9.0.0[1].2124,;ord=1262059350
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\f=http%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[2].adp%253Fmagic%253D93245511%2526width%253D120%2526height%253D90%2526sn%253Dsnwboardr31
Hidden: file C:\Users\Richard\DoctorWeb\Quarantine\haypsix0.exe
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SB0NTWWH\j5YTxvpWQ%2FA%3D5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409641%26ver%3D9.0.0[1].2124%26ts%3D1262203394495,;ord=1262203361
Hidden: file C:\Users\Richard\LAPTOP\All Users\My Documents\MP10Setup.exe
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SB0NTWWH\%3D93245511%3Bkr581%3D3830%3Bkvag%3Dam3%3Aua38%3Bkvug%3D1%3Bkvtid%3D15je4an0e1tjba%3Bkvseg%3D99999%3A50280%3Bkp%3D36816%3Bnodecode%3Dyes%3Blink%3D;ord=103222636[1]
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N181646\f=http%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[3].adp%253Fmagic%253D93245511%2526width%253D120%2526height%253D90%2526sn%253Dsnwboardr31
Hidden: file C:\Users\Richard\LAPTOP\All Users\My Documents\My Programs\Nero 6.6\nero6601.exe
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\wRDdNJocg%2FA%3D5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409641%26ver%3D9.0.0[1].2124%26ts%3D1262096724092,;ord=1262096694
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N181646\f=http%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[4].adp%253Fmagic%253D93245511%2526width%253D120%2526height%253D90%2526sn%253Dsnwboardr31
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N181646\f=http%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[2].adp%253Fmagic%253D93245511%2526width%253D120%2526height%253D90%2526sn%253Dsnwboardr31
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5N181646\f=http%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[1].adp%253Fmagic%253D93245511%2526width%253D120%2526height%253D90%2526sn%253Dsnwboardr31
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\CqCsQNjpQ%2FA%3D5758436%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad.php%3Fp%3D409641%26ver%3D9.0.0[1].2124%26ts%3D1262099608322,;ord=1262099578
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\f=http%253A%252F%252Fwww.aim.com%252Fredirects%252Finclient%252FAIM_UAC_v2[3].adp%253Fmagic%253D93245511%2526width%253D120%2526height%253D90%2526sn%253Dsnwboardr31
Hidden: file C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXS1WCHP\%3D2-2-92669833AA9F5C41DE4E4C78983C264EB31A3D3236702467648728566D3F475A-A316AAFCD08D6AAFD8EE3C3152787DF2D3AB2484CFB9830964C72D076354C075[1]
Hidden: file C:\Windows\Temp\IXP000.TMP\WINZIP~1.EXE
Stopped logging on 1/6/2010 at 2:02:20
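
Sophos lists every hidden object it sees, and the two runs above mix a hidden driver in System32\drivers with browser-cache entries, driver-store copies, a quarantine folder and executables under the system profile. The Python below is an added example, not Sophos' code and not from this thread: it parses a constructed excerpt of the two runs, ranks each hidden file with a path heuristic that is my own assumption (kernel drivers first, executables in profile and temp locations next, cache and driver-store copies last), and counts how many runs each path appeared in. sptd.sys is treated as the DAEMON Tools CD-emulation driver that the DeFogger step disables, which is why it drops out of the second run while kajvam.sys persists.

```python
"""Added example: rank hidden files from a Sophos Anti-Rootkit log excerpt
(constructed from the runs above) using an assumed path heuristic."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

HIDDEN_FILE_RE = re.compile(r"^Hidden: file (.+)$")
HIDDEN_REG_RE = re.compile(r"^Hidden: registry item (.+)$")

# Legitimate CD-emulation driver named on this page (DAEMON Tools SPTD)
KNOWN_EMULATION_DRIVERS = {"sptd.sys"}

# (label, score, predicate on the lower-cased path); the first matching rule wins.
# Scores are an assumption of this example, not a Sophos rating.
Rule = Tuple[str, int, Callable[[str], bool]]
RULES: List[Rule] = [
    ("CD-emulation driver (SPTD); disable with DeFogger before scanning", 1,
     lambda p: p.rsplit("\\", 1)[-1] in KNOWN_EMULATION_DRIVERS),
    ("hidden kernel driver in System32\\drivers", 3,
     lambda p: "\\system32\\drivers\\" in p),
    ("executable or DLL in browser cache", 2,
     lambda p: "temporary internet files" in p and p.endswith((".exe", ".dll"))),
    ("browser cache entry", 0, lambda p: "temporary internet files" in p),
    ("driver store copy", 0, lambda p: "\\driverstore\\filerepository\\" in p),
    ("AV quarantine", 0, lambda p: "\\quarantine\\" in p),
    ("executable under a user or system profile", 2,
     lambda p: ("\\appdata\\" in p or "\\users\\" in p) and p.endswith(".exe")),
    ("executable in a temp directory", 2,
     lambda p: "\\temp\\" in p and p.endswith((".exe", ".dll"))),
    ("unclassified hidden file", 1, lambda p: True),
]

# Constructed excerpt: a few lines from each of the two runs posted above
SAMPLE_SOPHOS_LOG = r"""
Started logging on 12/28/2009 at 19:46:35
Info: Starting registry scan.
Hidden: registry item \HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\TIP
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Windows\System32\DriverStore\FileRepository\cl_64791.inf_51084e4f\B_64997\atioglxx.dll
Hidden: file C:\Program Files\MediaMonkey\MediaMonkey.exe
Hidden: file C:\Windows\System32\drivers\sptd.sys
Hidden: file C:\Windows\System32\drivers\kajvam.sys
Hidden: file C:\Windows\System32\config\systemprofile\AppData\Roaming\Your PC Protector\Your PC Protector.exe
Stopped logging on 12/28/2009 at 20:56:08
Started logging on 1/6/2010 at 0:53:28
Hidden: registry item \HKEY_USERS\S-1-5-18\Keyboard Layout\Substitutes
Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\CTF\TIP
Hidden: file C:\Windows\System32\DriverStore\FileRepository\cl_64791.inf_51084e4f\B_64997\atioglxx.dll
Hidden: file C:\Users\Richard\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\530HO4M8\dfghfghgfj[2].dll
Hidden: file C:\Windows\System32\drivers\kajvam.sys
Hidden: file C:\Users\Richard\DoctorWeb\Quarantine\haypsix0.exe
Hidden: file C:\Windows\Temp\IXP000.TMP\WINZIP~1.EXE
Stopped logging on 1/6/2010 at 2:02:20
"""


@dataclass
class HiddenFile:
    path: str
    label: str
    score: int
    occurrences: int = 1      # number of scan runs in which the path was reported


def triage_sophos(text: str) -> Tuple[List[HiddenFile], List[str]]:
    """Return hidden files ranked by score (highest first) and unique hidden registry items."""
    files: Dict[str, HiddenFile] = {}
    registry: List[str] = []
    for line in text.splitlines():
        if m := HIDDEN_FILE_RE.match(line):
            path = m.group(1).strip()
            key = path.lower()
            if key in files:
                files[key].occurrences += 1
                continue
            for label, score, pred in RULES:
                if pred(key):
                    files[key] = HiddenFile(path, label, score)
                    break
        elif m := HIDDEN_REG_RE.match(line):
            if m.group(1) not in registry:
                registry.append(m.group(1))
    ranked = sorted(files.values(), key=lambda f: (-f.score, f.path.lower()))
    return ranked, registry


if __name__ == "__main__":
    for f in triage_sophos(SAMPLE_SOPHOS_LOG)[0]:
        print(f"[{f.score}] x{f.occurrences} {f.label}: {f.path}")
```

The ranking is a reading aid, not a removal list: Sophos itself marked nothing here as recommended for removal, and the low-scored cache and driver-store entries are the kind of item that should be verified before anything is deleted.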

#14 rigel


Posted 06 January 2010 - 08:34 PM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\Windows\System32\drivers\kajvam.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


#15 rmbeatty


Posted 06 January 2010 - 10:48 PM

Can't get it to work. When I select the file in either of the links you posted and click open, I get a message that says "A Device Attached to the System is not Functioning." I can select and scan any other file except that one. Thanks.