virus freezes my computer


  • This topic is locked
22 replies to this topic

#1 inuanimefreak

inuanimefreak

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 23 November 2009 - 12:46 AM

Ok so I think I have a virus or some other form of malware that is messing with my computer. It is affecting my Mozilla, in that it either won't open, or when it does it freezes up and crashes. The virus will not let me complete any virus scans and freezes in the middle of any scan while making a steady long beep sound. I have Spybot, Avira, Avast, Malwarebytes, etc. Then when I try to boot in safe mode it restarts my system and will not let me operate in safe mode. It also freezes when preparing to hibernate, and will not put my computer in hibernation at all. I also tried a system restore to last week when I didn't have the problem and that didn't work either. PLEASE HELP. I am posting a HijackThis report as well. If anyone has any info or can help please assist!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:12 AM, on 11/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiTogglet.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [Biomenu] "C:\Program Files\Protector Suite QL\menusw.exe"
O4 - HKLM\..\Run: [VAIOCameraUtility] "C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe"
O4 - HKLM\..\Run: [WCULauncher] C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe
O4 - HKLM\..\Run: [PartSeal] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\The Scruffs\Images\stg_drm.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1252525281161
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\The Scruffs\Images\armhelper.ocx
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SmartWiService - Sony Electronics, Inc - C:\Program Files\Sony\SmartWi Connection Utility\SmartWiService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 13572 bytes

Edited by rigel, 23 November 2009 - 08:06 AM.
Transferred to HJT from XP ~ rigel
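Added example (not part of the original post, and not HijackThis or Trend Micro code): a small Python triage pass over the O4 autorun and O23 service lines of a HijackThis v2 log, using lines copied from the log above as constructed sample input. The regexes, the `target_of`/`triage` helpers and the heuristics (autorun targets under a user profile, Run keys in the SYSTEM and Default user hives, unresolved startup shortcuts, services with a missing binary or no vendor info) are my own assumptions; a flag marks a line for manual review by a responder, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied verbatim from the HijackThis log posted above
# (constructed subset for this example), including benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis v2 line shapes handled here (group names are my own).
O4_RUN = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+?) = (?P<cmd>.*)$")
O23_SERVICE = re.compile(
    r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# First token ending in a loadable extension, so unquoted paths containing
# spaces ("C:\Program Files\...") are kept whole.
BINARY = re.compile(r"^(?P<path>.+?\.(?:exe|dll|ocx|cpl|scr))(?=\s|,|$)", re.IGNORECASE)
# Heuristic (assumption): autorun targets under a user profile deserve a look.
USER_PROFILE = re.compile(r"\\(?:docume~1|documents and settings|users)\\", re.IGNORECASE)
# Heuristic (assumption): Run keys for the SYSTEM / Default user hives are
# uncommon for legitimate software.
SYSTEM_HIVES = (r"HKUS\S-1-5-18", r"HKUS\.DEFAULT")


@dataclass
class Finding:
    line: str
    reason: str


def target_of(cmd: str) -> Optional[str]:
    """Return the file an autorun command actually loads.

    Handles quoted paths, unquoted paths with spaces, and the rundll32 form,
    where the interesting file is the DLL argument rather than rundll32 itself.
    """
    cmd = cmd.strip()
    if cmd.lower().startswith(("rundll32.exe ", "rundll32 ")):
        cmd = cmd.split(" ", 1)[1].strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    m = BINARY.match(cmd)
    return m.group("path") if m else None


def triage(log: str) -> List[Finding]:
    """Flag O4/O23 lines a responder would want to review first."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O4_RUN.match(line):
            target = target_of(m["cmd"])
            if target and USER_PROFILE.search(target):
                findings.append(Finding(line, f"autorun target under a user profile: {target}"))
            if m["hive"] in SYSTEM_HIVES:
                findings.append(Finding(line, f"Run entry for the '{m['user']}' profile"))
        elif m := O4_STARTUP.match(line):
            if m["cmd"].strip() == "?":
                findings.append(Finding(line, f"startup shortcut '{m['lnk']}' has no resolvable target"))
        elif m := O23_SERVICE.match(line):
            if m["missing"]:
                findings.append(Finding(line, f"service '{m['svc']}' binary missing on disk: {m['path']}"))
            if m["owner"] == "Unknown owner":
                findings.append(Finding(line, f"service '{m['svc']}' has no vendor information: {m['path']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```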




#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Instructor
  • 14,488 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:06 AM

Posted 29 November 2009 - 08:13 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 inuanimefreak

inuanimefreak
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:06 AM

Posted 29 November 2009 - 08:23 PM

Ok so my computer freezes within the hour of booting it. It won't let me operate in safe mode. I did a number of virus scans and removals including Kaspersky, Malwarebytes and ComboFix as per the instructions in another forum. It makes my Mozilla lag to open or not open at all. When it freezes I have to force shut it down and restart it. When it freezes it also does a sound loop either of a clicker or of an obnoxious beep loop. After running the scans and installing the software instructed by the other forum, it is still giving me problems. Please help. Here is the requested log


DDS (Ver_09-11-29.01) - NTFSx86
Run by Antoinette at 20:16:29.45 on Sun 11/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.263 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiService.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Protector Suite QL\menusw.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\SmartWi Connection Utility\SmartWiTogglet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\SpywareGuard\sgmain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\SpywareGuard\sgbhp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Antoinette\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\spywareguard\dlprotect.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [Biomenu] "c:\program files\protector suite ql\menusw.exe"
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [WCULauncher] c:\program files\sony\smartwi connection utility\WCULauncher.exe
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\antoin~1\startm~1\programs\startup\spywar~1.lnk - c:\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\the scruffs\images\stg_drm.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252525281161
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\the scruffs\images\armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: psfus - fusstub.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\spywareguard\spywareguard.dll
LSA: Notification Packages = scecli fusstub

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\antoin~1\applic~1\mozilla\firefox\profiles\o4wngamw.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.live.com/default.aspx?wa=wsignin1.0|http://mail.google.com/mail/?hl=en&tab=wm#inbox|http://www.facebook.com/home.php
FF - component: c:\program files\mozilla firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\antoinette\application data\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2006-3-22 9216]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-30 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-30 55656]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-22 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-22 33024]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-3-22 29184]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2006-3-22 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-3-22 226304]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-11-22 206608]
S3 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-30 185089]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-3-22 36352]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-11-22 206608]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S4 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-8-12 234888]

=============== Created Last 30 ================

2009-11-29 23:53:34 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-29 23:48:07 0 d-----w- C:\SpywareGuard
2009-11-29 23:44:13 0 d-----w- c:\program files\SpywareBlaster
2009-11-24 05:35:19 57856 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2009-11-24 05:35:19 57856 ------w- c:\windows\system32\spoolsv.exe
2009-11-23 18:06:15 77312 ----a-w- c:\windows\MBR.exe
2009-11-23 04:13:07 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2009-11-23 03:46:14 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-21 03:26:30 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-15 02:27:04 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2009-11-15 02:27:04 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2009-11-15 02:26:58 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-11-15 02:26:58 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys

==================== Find3M ====================

2009-11-29 23:53:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-10-29 03:34:52 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-09-24 03:05:56 63668 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll

============= FINISH: 20:18:20.79 ===============

#4 schrauber (Mr.Mechanic)
  • Malware Response Instructor
  • 23,418 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 30 November 2009 - 12:30 AM

Hello, inuanimefreak
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 inuanimefreak (Topic Starter)
  • Members
  • 12 posts

Posted 01 December 2009 - 02:52 PM

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 14:49:35
Windows 5.1.2600 Service Pack 3
Running: gh14cxu2.exe; Driver: C:\DOCUME~1\ANTOIN~1\LOCALS~1\Temp\fxtdapoc.sys


---- System - GMER 1.0.15 ----

SSDT F7C3D756 ZwCreateKey
SSDT F7C3D74C ZwCreateThread
SSDT F7C3D75B ZwDeleteKey
SSDT F7C3D765 ZwDeleteValueKey
SSDT F7C3D76A ZwLoadKey
SSDT F7C3D738 ZwOpenProcess
SSDT F7C3D73D ZwOpenThread
SSDT F7C3D774 ZwReplaceKey
SSDT F7C3D76F ZwRestoreKey
SSDT F7C3D760 ZwSetValueKey
SSDT F7C3D747 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73BF7A4]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01C328E0
.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01C32890
.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01C32854
.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01C32839
.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01C326C5
.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01C327B7
.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01C326FD
.text C:\Program Files\Sony\SmartWi Connection Utility\WCULauncher.exe[204] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01C32735
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 018A28E0
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 018A2890
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 018A2854
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018A2839
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] WS2_32.dll!send 71AB4C27 5 Bytes JMP 018A26C5
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 018A27B7
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] WS2_32.dll!recv 71AB676F 5 Bytes JMP 018A26FD
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[428] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018A2735
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C92839
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C926C5
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C927B7
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C926FD
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C92735
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C928E0
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C92890
.text C:\Program Files\Bonjour\mDNSResponder.exe[540] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C92854
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02272839
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] WS2_32.dll!send 71AB4C27 5 Bytes JMP 022726C5
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 022727B7
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] WS2_32.dll!recv 71AB676F 5 Bytes JMP 022726FD
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02272735
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 022728E0
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02272890
.text C:\Program Files\Java\jre6\bin\jqs.exe[608] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02272854
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 027128E0
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02712890
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02712854
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02712839
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] WS2_32.dll!send 71AB4C27 5 Bytes JMP 027126C5
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 027127B7
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] WS2_32.dll!recv 71AB676F 5 Bytes JMP 027126FD
.text C:\Program Files\Sony\VAIO Event Service\VESMgr.exe[872] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02712735
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01F128E0
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01F12890
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01F12854
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01F12839
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F126C5
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01F127B7
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01F126FD
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe[936] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01F12735
.text C:\Program Files\Skype\Phone\Skype.exe[1036] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 026428E0
.text C:\Program Files\Skype\Phone\Skype.exe[1036] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02642890
.text C:\Program Files\Skype\Phone\Skype.exe[1036] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02642854
.text C:\Program Files\Skype\Phone\Skype.exe[1036] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02642839
.text C:\Program Files\Skype\Phone\Skype.exe[1036] WS2_32.dll!send 71AB4C27 5 Bytes JMP 026426C5
.text C:\Program Files\Skype\Phone\Skype.exe[1036] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 026427B7
.text C:\Program Files\Skype\Phone\Skype.exe[1036] WS2_32.dll!recv 71AB676F 5 Bytes JMP 026426FD
.text C:\Program Files\Skype\Phone\Skype.exe[1036] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02642735
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00CD28E0
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00CD2890
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00CD2854
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CD2839
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CD26C5
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CD27B7
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CD26FD
.text C:\Program Files\Java\jre6\bin\jusched.exe[1052] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CD2735
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01A628E0
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01A62890
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01A62854
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01A62839
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01A626C5
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01A627B7
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ws2_32.dll!recv 71AB676F 5 Bytes JMP 01A626FD
.text C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe[1192] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01A62735
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 065E28E0
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 065E2890
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 065E2854
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 065E2839
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] WS2_32.dll!send 71AB4C27 5 Bytes JMP 065E26C5
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 065E27B7
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] WS2_32.dll!recv 71AB676F 5 Bytes JMP 065E26FD
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1648] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 065E2735
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 015028E0
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01502890
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01502854
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01502839
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015026C5
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 015027B7
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] WS2_32.dll!recv 71AB676F 5 Bytes JMP 015026FD
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1696] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01502735
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00F428E0
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00F42890
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00F42854
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F42839
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F426C5
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F427B7
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F426FD
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2044] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F42735
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01952839
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019526C5
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019527B7
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019526FD
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01952735
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 019528E0
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01952890
.text C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe[2092] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01952854
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 011A28E0
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 011A2890
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 011A2854
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011A2839
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011A26C5
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011A27B7
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011A26FD
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[2140] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011A2735
.text C:\WINDOWS\Explorer.EXE[2280] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 019A28E0
.text C:\WINDOWS\Explorer.EXE[2280] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 019A2890
.text C:\WINDOWS\Explorer.EXE[2280] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 019A2854
.text C:\WINDOWS\Explorer.EXE[2280] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 019A2839
.text C:\WINDOWS\Explorer.EXE[2280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019A26C5
.text C:\WINDOWS\Explorer.EXE[2280] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 019A27B7
.text C:\WINDOWS\Explorer.EXE[2280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019A26FD
.text C:\WINDOWS\Explorer.EXE[2280] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 019A2735
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 014628E0
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01462890
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01462854
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01462839
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014626C5
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 014627B7
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014626FD
.text C:\Program Files\Microsoft ActiveSync\Wcescomm.exe[2332] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01462735
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 011228E0
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01122890
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01122854
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01122839
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011226C5
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011227B7
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011226FD
.text C:\Program Files\iTunes\iTunesHelper.exe[2972] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01122735
.text C:\WINDOWS\System32\alg.exe[3288] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00BB28E0
.text C:\WINDOWS\System32\alg.exe[3288] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00BB2890
.text C:\WINDOWS\System32\alg.exe[3288] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00BB2854
.text C:\WINDOWS\System32\alg.exe[3288] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BB2839
.text C:\WINDOWS\System32\alg.exe[3288] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BB26C5
.text C:\WINDOWS\System32\alg.exe[3288] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BB27B7
.text C:\WINDOWS\System32\alg.exe[3288] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BB26FD
.text C:\WINDOWS\System32\alg.exe[3288] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BB2735
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00E628E0
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00E62890
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00E62854
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E62839
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E626C5
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E627B7
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E626FD
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3696] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E62735
.text C:\Program Files\Apoint\Apoint.exe[3792] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00DF28E0
.text C:\Program Files\Apoint\Apoint.exe[3792] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00DF2890
.text C:\Program Files\Apoint\Apoint.exe[3792] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00DF2854
.text C:\Program Files\Apoint\Apoint.exe[3792] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DF2839
.text C:\Program Files\Apoint\Apoint.exe[3792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DF26C5
.text C:\Program Files\Apoint\Apoint.exe[3792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DF27B7
.text C:\Program Files\Apoint\Apoint.exe[3792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DF26FD
.text C:\Program Files\Apoint\Apoint.exe[3792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DF2735
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01CB28E0
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01CB2890
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01CB2854
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01CB2839
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01CB26C5
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01CB27B7
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01CB26FD
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[3920] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01CB2735
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 027A28E0
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 027A2890
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 027A2854
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 027A2839
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] WS2_32.dll!send 71AB4C27 5 Bytes JMP 027A26C5
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 027A27B7
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] WS2_32.dll!recv 71AB676F 5 Bytes JMP 027A26FD
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[3980] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 027A2735
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00D128E0
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00D12890
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00D12854
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D12839
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D126C5
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D127B7
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D126FD
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D12735
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 012228E0
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01222890
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01222854
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01222839
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] WS2_32.dll!send 71AB4C27 5 Bytes JMP 012226C5
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 012227B7
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] WS2_32.dll!recv 71AB676F 5 Bytes JMP 012226FD
.text C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe[3996] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01222735
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01BA28E0
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01BA2890
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01BA2854
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01BA2839
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01BA26C5
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01BA27B7
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01BA26FD
.text C:\Program Files\Protector Suite QL\menusw.exe[4080] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01BA2735

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs FdRedir.sys (File Disk Redirector/UPEK Inc.)

Device \Driver\ACPI \Device\0000009d 85B96F30
Device \Driver\ACPI \Device\00000051 85B96F30
Device \Driver\ACPI \Device\00000052 85B96F30
Device \Driver\ACPI \Device\00000061 85B96F30
Device \Driver\ACPI \Device\00000062 85B96F30
Device \Driver\ACPI \Device\00000070 85B96F30
Device \Driver\ACPI \Device\00000063 85B96F30
Device \Driver\ACPI \Device\00000057 85B96F30
Device \Driver\ACPI \Device\00000071 85B96F30
Device \Driver\ACPI \Device\00000064 85B96F30
Device \Driver\ACPI \Device\00000058 85B96F30
Device \Driver\ACPI \Device\00000072 85B96F30
Device \Driver\ACPI \Device\00000065 85B96F30
Device \Driver\ACPI \Device\00000059 85B96F30
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86F268B0
Device \Driver\atapi \Device\Ide\IdePort0 86F268B0
Device \Driver\atapi \Device\Ide\IdePort1 86F268B0
Device \Driver\atapi \Device\Ide\IdePort2 86F268B0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 86F268B0
Device \Driver\ACPI \Device\00000074 85B96F30
Device \Driver\ACPI \Device\00000067 85B96F30
Device \Driver\ACPI \Device\00000075 85B96F30
Device \Driver\ACPI \Device\00000076 85B96F30
Device \Driver\ACPI \Device\0000004a 85B96F30
Device \Driver\ACPI \Device\0000004b 85B96F30
Device \Driver\ACPI \Device\0000004c 85B96F30
Device \Driver\ACPI \Device\0000005a 85B96F30
Device \Driver\ACPI \Device\0000004d 85B96F30
Device \Driver\ACPI \Device\00000087 85B96F30
Device \Driver\ACPI \Device\0000005b 85B96F30
Device \Driver\ACPI \Device\0000004e 85B96F30
Device \Driver\ACPI \Device\00000088 85B96F30
Device \Driver\ACPI \Device\00000089 85B96F30
Device \Driver\ACPI \Device\0000005d 85B96F30
Device \Driver\ACPI \Device\0000006d 85B96F30
Device \Driver\ACPI \Device\0000006f 85B96F30
Device \Driver\ACPI \Device\0000008a 85B96F30

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DBB02BC-5FCF-A3FE-FD1B-D3BFC6011524}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DBB02BC-5FCF-A3FE-FD1B-D3BFC6011524}@oacnpgnklogpnhpifbhkobfgpkildp 0x64 0x61 0x63 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DBB02BC-5FCF-A3FE-FD1B-D3BFC6011524}@oagkaggledcbnhhoikdeljjkedmahe 0x6A 0x61 0x63 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DBB02BC-5FCF-A3FE-FD1B-D3BFC6011524}@namkcaildemamfgfkemiippdgibc 0x6A 0x61 0x63 0x64 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
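As an added example (not part of the thread and not GMER's own code), the following Python script parses the kinds of GMER lines shown in the log above and ranks them for triage; the embedded sample is an excerpt of that log, and the severity labels are the example's own heuristics, not GMER's.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not GMER's own code).

GMER prints one finding per line with a leading record type (SSDT, .text,
.rsrc, Device, Reg, File). This helper parses the kinds that matter most and
ranks them: a kernel driver whose entry point sits in its resource section or
that GMER reports as modified on disk outranks SSDT hooks, and uniform inline
hooks on the same exports in every process (the usual footprint of a host
security product's injected DLL) rank lowest. LOW still means "check which
module owns the JMP target", not "ignore".
"""
import re
from collections import defaultdict

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)$")
# ".text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>"
USERHOOK_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+([\w.]+)!(\w+)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes\s+JMP\s+([0-9A-F]{8})$"
)
# '.rsrc <driver.sys> entry point in ".rsrc" section [0x...]'
KSECTION_RE = re.compile(r"^\.(\w+)\s+(\S+\.sys)\s+(.*\[0x[0-9A-F]+\])$")
FILE_RE = re.compile(r"^File\s+(\S+)\s+(.+)$")


def parse_gmer(text):
    """Group findings by kind; section headers and other record types are skipped."""
    found = {"ssdt": [], "kernel_section": [], "user_hook": [], "file": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SSDT_RE.match(line)):
            found["ssdt"].append({"addr": m[1], "func": m[2]})
        elif (m := USERHOOK_RE.match(line)):
            found["user_hook"].append({
                "image": m[1], "pid": int(m[2]), "module": m[3].lower(),
                "export": m[4], "addr": m[5], "bytes": int(m[6]), "target": m[7]})
        elif (m := KSECTION_RE.match(line)):
            found["kernel_section"].append({"section": m[1], "path": m[2], "detail": m[3]})
        elif (m := FILE_RE.match(line)):
            found["file"].append({"path": m[1], "detail": m[2]})
    return found


def triage(found):
    """Return (severity, note) pairs, highest severity first."""
    notes = []
    for f in found["file"]:
        if "suspicious" in f["detail"]:
            notes.append(("HIGH", f"{f['path']}: {f['detail']} (GMER reports the driver image on disk as modified)"))
    for k in found["kernel_section"]:
        notes.append(("HIGH", f"{k['path']}: {k['detail']} (PE entry point is not in a code section)"))
    if found["ssdt"]:
        funcs = sorted(s["func"] for s in found["ssdt"])
        notes.append(("MEDIUM", f"{len(funcs)} SSDT hooks ({', '.join(funcs)}); identify the owning driver"))
    by_api = defaultdict(set)          # (module, export) -> set of hooked PIDs
    for h in found["user_hook"]:
        by_api[(h["module"], h["export"])].add(h["pid"])
    if by_api:
        pids = {h["pid"] for h in found["user_hook"]}
        # Every hooked export present in every hooked process is the uniform pattern.
        uniform = all(hooked == pids for hooked in by_api.values())
        notes.append(("LOW" if uniform else "MEDIUM",
                      f"{len(found['user_hook'])} inline hooks on {len(by_api)} exports "
                      f"across {len(pids)} processes; uniform={uniform}"))
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(notes, key=lambda n: rank[n[0]])


# Excerpt of the GMER log posted above, trimmed to two processes and three SSDT entries.
SAMPLE_LOG = r"""GMER 1.0.15.15252 - http://www.gmer.net
---- System - GMER 1.0.15 ----

SSDT F7C3D756 ZwCreateKey
SSDT F7C3D738 ZwOpenProcess
SSDT F7C3D747 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73BF7A4]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2280] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 019A2854
.text C:\WINDOWS\Explorer.EXE[2280] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019A26C5
.text C:\WINDOWS\Explorer.EXE[2280] WS2_32.dll!recv 71AB676F 5 Bytes JMP 019A26FD
.text C:\WINDOWS\System32\alg.exe[3288] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00BB2854
.text C:\WINDOWS\System32\alg.exe[3288] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BB26C5
.text C:\WINDOWS\System32\alg.exe[3288] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BB26FD

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

if __name__ == "__main__":
    for sev, note in triage(parse_gmer(SAMPLE_LOG)):
        print(f"[{sev}] {note}")
```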

#6 schrauber (Mr.Mechanic)
  • Malware Response Instructor
  • 23,418 posts
  • Gender: Male
  • Location: Munich, Germany

Posted 02 December 2009 - 12:32 PM

Hi,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double-click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#7 inuanimefreak (Topic Starter)

Posted 02 December 2009 - 09:05 PM

Won't let me run ComboFix. A "bad image" notification keeps on popping up.

PV.cfxxe-Bad image
c:\windows\system32\vdmdbg.DLL

not a valid windows image

#8 schrauber (Malware Response Instructor)

Posted 03 December 2009 - 01:44 PM

Please delete your copy of ComboFix, download a fresh one, rename it and try again.


regards,
schrauber


#9 inuanimefreak (Topic Starter)

Posted 04 December 2009 - 01:23 PM

ComboFix 09-12-03.06 - Antoinette 12/04/2009 12:27.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.642 [GMT -5:00]
Running from: c:\documents and settings\Antoinette\Desktop\schrauber.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-04 03:01 . 2008-04-14 01:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-12-04 03:01 . 2001-08-18 03:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-12-04 03:01 . 2008-04-14 01:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-12-04 03:01 . 2001-08-18 03:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2009-12-04 03:00 . 2001-08-18 03:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2009-12-04 03:00 . 2001-08-18 03:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2009-12-04 03:00 . 2001-08-17 17:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2009-12-04 03:00 . 2004-08-04 03:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2009-12-04 03:00 . 2004-08-04 03:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2009-12-04 03:00 . 2008-04-14 01:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2009-12-04 03:00 . 2008-04-13 19:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2009-12-04 03:00 . 2004-08-04 03:31 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2009-12-04 03:00 . 2001-08-17 17:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2009-12-04 03:00 . 2001-08-17 18:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2009-12-04 03:00 . 2001-08-18 03:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2009-12-04 02:58 . 2001-08-17 18:49 24576 -c--a-w- c:\windows\system32\dllcache\viairda.sys
2009-12-04 02:57 . 2001-08-18 03:36 28160 -c--a-w- c:\windows\system32\dllcache\umaxu40.dll
2009-12-04 02:57 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\umaxu22.dll
2009-12-04 02:57 . 2001-08-18 03:36 69632 -c--a-w- c:\windows\system32\dllcache\umaxu12.dll
2009-12-04 02:57 . 2001-08-18 03:36 50688 -c--a-w- c:\windows\system32\dllcache\umaxscan.dll
2009-12-04 02:57 . 2001-08-17 18:58 22912 -c--a-w- c:\windows\system32\dllcache\umaxpcls.sys
2009-12-04 02:57 . 2001-08-18 03:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2009-12-04 02:57 . 2001-08-18 03:36 47616 -c--a-w- c:\windows\system32\dllcache\umaxcam.dll
2009-12-04 02:57 . 2001-08-18 03:36 211968 -c--a-w- c:\windows\system32\dllcache\um54scan.dll
2009-12-04 02:57 . 2001-08-18 03:36 216064 -c--a-w- c:\windows\system32\dllcache\um34scan.dll
2009-12-04 02:57 . 2001-08-17 18:52 36736 -c--a-w- c:\windows\system32\dllcache\ultra.sys
2009-12-04 02:57 . 2001-08-17 18:48 11520 -c--a-w- c:\windows\system32\dllcache\twotrack.sys
2009-12-04 02:57 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2009-12-04 02:57 . 2001-08-17 17:51 166784 -c--a-w- c:\windows\system32\dllcache\tridxpm.sys
2009-12-04 02:55 . 2001-08-17 17:14 123995 -c--a-w- c:\windows\system32\dllcache\tjisdn.sys
2009-12-04 02:54 . 2001-08-18 03:36 94293 -c--a-w- c:\windows\system32\dllcache\sxports.dll
2009-12-04 02:54 . 2001-08-17 18:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2009-12-04 02:54 . 2001-08-17 19:02 3968 -c--a-w- c:\windows\system32\dllcache\swusbflt.sys
2009-12-04 02:54 . 2001-08-18 03:36 10240 -c--a-w- c:\windows\system32\dllcache\swpidflt.dll
2009-12-04 02:54 . 2001-08-18 03:36 10240 -c--a-w- c:\windows\system32\dllcache\swpdflt2.dll
2009-12-04 02:54 . 2001-08-18 03:36 53760 -c--a-w- c:\windows\system32\dllcache\sw_wheel.dll
2009-12-04 02:54 . 2001-08-18 03:36 41472 -c--a-w- c:\windows\system32\dllcache\sw_effct.dll
2009-12-04 02:54 . 2001-08-18 03:36 155648 -c--a-w- c:\windows\system32\dllcache\stlnprop.dll
2009-12-04 02:54 . 2001-08-18 03:36 53248 -c--a-w- c:\windows\system32\dllcache\stlncoin.dll
2009-12-04 02:54 . 2001-08-17 17:18 285760 -c--a-w- c:\windows\system32\dllcache\stlnata.sys
2009-12-04 02:54 . 2001-08-17 18:51 16896 -c--a-w- c:\windows\system32\dllcache\stcusb.sys
2009-12-04 02:54 . 2001-08-17 17:11 48736 -c--a-w- c:\windows\system32\dllcache\srwlnd5.sys
2009-12-04 02:54 . 2001-08-18 03:36 99328 -c--a-w- c:\windows\system32\dllcache\srusd.dll
2009-12-04 02:52 . 2001-08-17 18:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2009-12-04 02:51 . 2001-08-17 19:56 252032 -c--a-w- c:\windows\system32\dllcache\sis300iv.dll
2009-12-04 02:50 . 2001-08-17 18:51 23936 -c--a-w- c:\windows\system32\dllcache\sccmn50m.sys
2009-12-04 02:49 . 2001-08-18 03:36 82432 -c--a-w- c:\windows\system32\dllcache\rwia450.dll
2009-12-04 02:48 . 2001-08-17 18:52 49024 -c--a-w- c:\windows\system32\dllcache\ql1280.sys
2009-12-04 02:47 . 2001-08-18 03:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2009-12-04 02:46 . 2001-08-17 17:12 30495 -c--a-w- c:\windows\system32\dllcache\pc100nds.sys
2009-12-04 02:46 . 2001-08-18 03:36 41984 -c--a-w- c:\windows\system32\dllcache\ovui2rc.dll
2009-12-04 02:46 . 2001-08-18 03:36 44544 -c--a-w- c:\windows\system32\dllcache\ovui2.dll
2009-12-04 02:46 . 2001-08-17 19:05 25216 -c--a-w- c:\windows\system32\dllcache\ovsound2.sys
2009-12-04 02:46 . 2001-08-18 03:36 39424 -c--a-w- c:\windows\system32\dllcache\ovcoms.exe
2009-12-04 02:46 . 2001-08-18 03:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2009-12-04 02:46 . 2001-08-17 19:05 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2009-12-04 02:46 . 2001-08-18 03:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2009-12-04 02:46 . 2001-08-17 19:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2009-12-04 02:05 . 2001-08-17 17:50 103296 -c--a-w- c:\windows\system32\dllcache\mtxvideo.sys
2009-12-04 02:05 . 2008-04-13 19:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2009-12-04 02:05 . 2001-08-17 18:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2009-12-04 02:04 . 2001-08-17 19:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2009-12-04 02:04 . 2008-04-13 19:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2009-12-04 02:03 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2009-12-04 02:02 . 2001-08-17 18:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2009-12-04 02:02 . 2008-04-13 19:46 51200 -c--a-w- c:\windows\system32\dllcache\msdv.sys
2009-12-04 02:02 . 2001-08-17 18:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2009-12-04 02:02 . 2008-04-13 19:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-12-04 02:00 . 2001-08-17 17:19 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2009-12-04 01:59 . 2008-04-13 19:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2009-12-04 01:58 . 2001-08-17 17:12 45632 -c--a-w- c:\windows\system32\dllcache\ip5515.sys
2009-12-04 01:58 . 2001-08-18 03:36 90200 -c--a-w- c:\windows\system32\dllcache\io8ports.dll
2009-12-04 01:58 . 2001-08-17 18:50 38784 -c--a-w- c:\windows\system32\dllcache\io8.sys
2009-12-04 01:58 . 2008-04-13 19:40 5504 -c--a-w- c:\windows\system32\dllcache\intelide.sys
2009-12-04 01:58 . 2001-08-17 18:47 13056 -c--a-w- c:\windows\system32\dllcache\inport.sys
2009-12-04 01:58 . 2001-08-17 18:52 16000 -c--a-w- c:\windows\system32\dllcache\ini910u.sys
2009-12-04 01:57 . 2001-08-18 03:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2009-12-04 01:57 . 2001-08-17 19:06 100992 -c--a-w- c:\windows\system32\dllcache\icam5usb.sys
2009-12-04 01:57 . 2001-08-18 03:36 20480 -c--a-w- c:\windows\system32\dllcache\icam5ext.dll
2009-12-04 01:57 . 2001-08-18 03:36 45056 -c--a-w- c:\windows\system32\dllcache\icam5com.dll
2009-12-04 01:57 . 2001-08-17 19:06 154496 -c--a-w- c:\windows\system32\dllcache\icam4usb.sys
2009-12-04 01:56 . 2001-08-18 03:36 61952 -c--a-w- c:\windows\system32\dllcache\icam4ext.dll
2009-12-04 01:56 . 2001-08-18 03:36 91136 -c--a-w- c:\windows\system32\dllcache\icam4com.dll
2009-12-04 01:56 . 2001-08-18 03:36 26624 -c--a-w- c:\windows\system32\dllcache\icam3ext.dll
2009-12-04 01:56 . 2001-08-17 19:05 141056 -c--a-w- c:\windows\system32\dllcache\icam3.sys
2009-12-04 01:56 . 2001-08-17 19:06 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
2009-12-04 01:56 . 2001-08-17 17:12 109085 -c--a-w- c:\windows\system32\dllcache\ibmtrp.sys
2009-12-04 01:56 . 2001-08-17 17:12 100936 -c--a-w- c:\windows\system32\dllcache\ibmtok.sys
2009-12-04 01:56 . 2001-08-18 03:34 9216 -c--a-w- c:\windows\system32\dllcache\ibmsgnet.dll
2009-12-04 01:56 . 2001-08-17 17:11 28700 -c--a-w- c:\windows\system32\dllcache\ibmexmp.sys
2009-12-04 01:56 . 2004-08-04 03:29 161020 -c--a-w- c:\windows\system32\dllcache\i81xnt5.sys
2009-12-04 01:56 . 2008-04-14 01:11 702845 -c--a-w- c:\windows\system32\dllcache\i81xdnt5.dll
2009-12-04 01:56 . 2001-08-17 17:49 58592 -c--a-w- c:\windows\system32\dllcache\i740nt5.sys
2009-12-04 01:55 . 2008-04-13 19:41 18560 -c--a-w- c:\windows\system32\dllcache\i2omp.sys
2009-12-04 01:55 . 2001-08-17 19:56 353184 -c--a-w- c:\windows\system32\dllcache\i740dnt5.dll
2009-12-04 01:55 . 2008-04-13 19:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2009-12-04 01:52 . 2001-08-18 03:36 68608 -c--a-w- c:\windows\system32\dllcache\hpgt53tk.dll
2009-12-04 01:51 . 2001-08-17 17:49 322432 -c--a-w- c:\windows\system32\dllcache\g400m.sys
2009-12-04 01:50 . 2001-08-17 17:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2009-12-04 01:49 . 2001-08-17 17:12 18503 -c--a-w- c:\windows\system32\dllcache\epro4.sys
2009-12-04 01:48 . 2001-08-17 19:07 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys
2009-12-04 01:47 . 2001-08-18 03:36 65622 -c--a-w- c:\windows\system32\dllcache\digiasyn.dll
2009-12-04 01:46 . 2001-08-17 17:19 3072 -c--a-w- c:\windows\system32\dllcache\cwbase.sys
2009-12-04 01:45 . 2004-08-04 12:00 14336 -c--a-w- c:\windows\system32\dllcache\chgusr.exe
2009-12-04 01:44 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-12-04 01:43 . 2001-08-17 17:11 66557 -c--a-w- c:\windows\system32\dllcache\bcm42u.sys
2009-12-04 01:42 . 2001-08-17 17:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2009-12-04 01:40 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-11-29 23:48 . 2009-11-30 01:49 -------- d-----w- C:\SpywareGuard
2009-11-29 23:44 . 2009-11-29 23:44 -------- d-----w- c:\program files\SpywareBlaster
2009-11-29 05:02 . 2009-11-29 05:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-29 04:57 . 2009-11-29 04:58 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-29 04:57 . 2009-11-29 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-29 04:57 . 2009-11-29 04:57 -------- d-----w- c:\program files\NOS
2009-11-24 13:45 . 2009-07-30 19:48 17727 ----a-w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\esexiqoja.pif
2009-11-24 05:51 . 2009-07-30 19:48 14441 ----a-w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\zeveq.scr
2009-11-24 05:35 . 2008-04-14 00:12 57856 -c--a-w- c:\windows\system32\dllcache\spoolsv.exe
2009-11-24 05:35 . 2008-04-14 00:12 57856 ------w- c:\windows\system32\spoolsv.exe
2009-11-23 04:53 . 2009-11-23 04:53 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\InstallShield
2009-11-23 04:13 . 2008-03-02 08:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2009-11-23 04:10 . 2009-11-23 04:10 -------- d-----w- c:\documents and settings\Antoinette\Application Data\InstallShield
2009-11-23 03:46 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-11-22 19:22 . 2009-11-22 19:22 -------- d-----w- c:\program files\Alwil Software
2009-11-22 00:21 . 2009-11-22 00:21 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\UserData
2009-11-22 00:21 . 2009-11-22 00:21 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\PrivacIE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 17:24 . 2009-05-22 09:12 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Skype
2009-11-30 01:40 . 2009-05-08 16:58 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Move Networks
2009-11-30 01:40 . 2006-03-23 00:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-30 01:39 . 2009-06-18 09:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-30 01:39 . 2009-06-18 09:02 -------- d-----w- c:\program files\Yahoo!
2009-11-29 23:55 . 2006-03-23 01:22 -------- d-----w- c:\program files\Java
2009-11-29 23:53 . 2009-07-30 19:58 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-29 18:44 . 2009-05-06 06:56 78096 ----a-w- c:\documents and settings\Antoinette\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-29 05:13 . 2006-03-23 01:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-28 06:27 . 2009-08-12 15:05 -------- d-----w- c:\documents and settings\Antoinette\Application Data\uTorrent
2009-11-25 20:45 . 2009-05-11 12:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-23 04:12 . 2009-05-06 05:57 -------- d-----w- c:\program files\Trend Micro
2009-11-22 04:20 . 2009-09-07 18:34 -------- d-----w- c:\program files\Trillian
2009-11-22 04:12 . 2009-10-19 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-22 03:38 . 2009-05-06 03:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 03:31 . 2009-11-21 03:31 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\Blitware
2009-11-21 03:31 . 2009-11-21 03:31 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\BitZipper
2009-11-21 03:31 . 2009-11-21 03:31 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\AVS4YOU
2009-11-21 03:31 . 2009-11-21 03:31 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\Audacity
2009-11-21 03:31 . 2009-11-21 03:31 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\Apple Computer
2009-11-21 03:31 . 2009-11-21 03:31 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\AdobeUM
2009-11-21 03:31 . 2009-11-21 03:31 -------- d-----w- c:\documents and settings\HelpAssistant.LAPPY\Application Data\Acoustica
2009-11-21 03:25 . 2009-10-05 03:31 -------- d-----w- c:\documents and settings\Antoinette\Application Data\vlc
2009-11-12 08:13 . 2009-05-06 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-29 03:34 . 2009-10-29 03:34 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-28 17:59 . 2009-05-21 12:26 -------- d-----w- c:\documents and settings\Antoinette\Application Data\dvdcss
2009-10-24 17:19 . 2009-10-24 16:36 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Audacity
2009-10-24 17:10 . 2009-10-24 17:10 -------- d-----w- c:\program files\Lame for Audacity
2009-10-24 16:33 . 2009-10-24 16:33 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2009-10-23 16:17 . 2009-10-23 16:17 -------- d-----w- c:\documents and settings\Antoinette\Application Data\Acoustica
2009-10-23 16:12 . 2009-10-23 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Acoustica
2009-10-22 02:30 . 2009-09-23 21:20 -------- d-----w- c:\program files\MP3MyMP3 3.0
2009-10-20 20:51 . 2009-10-20 20:32 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-20 20:48 . 2009-06-01 13:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-17 07:28 . 2009-10-17 06:06 -------- d-----w- c:\program files\ategry
2009-10-17 07:03 . 2009-05-06 05:59 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 22:19 . 2009-10-12 22:17 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-10-09 11:42 . 2009-07-30 19:51 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-24 03:05 . 2009-09-19 15:00 63668 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-15 02:31 . 2009-09-15 02:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-12 16:57 . 2006-03-22 22:39 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-09-11 14:18 . 2006-03-22 21:23 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-05-11 12:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-05-11 12:51 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24267560]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-17 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-17 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-17 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-08 7557120]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-02-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-02-28 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-02-28 569413]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-01-26 212992]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2006-02-23 1354240]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"WCULauncher"="c:\program files\Sony\SmartWi Connection Utility\WCULauncher.exe" [2006-02-08 73728]
"PartSeal"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-29 149280]

c:\documents and settings\Antoinette\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\spywareguard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2006-2-22 1765376]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-02-23 01:11 39936 ----a-w- c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apoint\\Apoint.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services

R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [3/22/2006 4:24 PM 9216]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/30/2009 3:04 PM 108289]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2/22/2006 8:13 PM 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2/22/2006 8:13 PM 33024]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [3/22/2006 4:24 PM 29184]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [3/22/2006 4:24 PM 71961]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [3/22/2006 4:24 PM 226304]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [11/22/2009 11:13 PM 206608]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/22/2006 4:24 PM 36352]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [11/22/2009 11:13 PM 206608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2009-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.live.com/default.aspx?wa=wsignin1.0
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Antoinette\Application Data\Mozilla\Firefox\Profiles\o4wngamw.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.live.com/default.aspx?wa=wsignin1.0|http://mail.google.com/mail/?hl=en&tab=wm#inbox|http://www.facebook.com/home.php
FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\KavLinkFilter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 12:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x85DA4F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75a2f28
\Driver\ACPI -> 0x85da4f30
\Driver\atapi -> atapi.sys @ 0xf73af852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1510293010-3474397385-2165308107-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0DBB02BC-5FCF-A3FE-FD1B-D3BFC6011524}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oacnpgnklogpnhpifbhkobfgpkildp"=hex:64,61,63,64,70,61,66,6f,00,80
"oagkaggledcbnhhoikdeljjkedmahe"=hex:6a,61,63,64,63,66,70,69,6e,6c,6c,69,65,6a,
64,6f,6c,6f,68,63,00,fd
"namkcaildemamfgfkemiippdgibc"=hex:6a,61,63,64,63,66,70,69,6e,6c,6c,69,65,6a,
64,6f,6c,6f,68,63,00,fd
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1672)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\passport.dll
c:\program files\Protector Suite QL\BhTcAll.dll
c:\program files\Protector Suite QL\BhDevTfm.dll
c:\program files\Protector Suite QL\AlgVer.dll
c:\program files\Protector Suite QL\TCBioLib.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(1728)
c:\windows\system32\fusstub.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus.dll
.
Completion time: 2009-12-04 13:12
ComboFix-quarantined-files.txt 2009-12-04 18:12

Pre-Run: 4,466,327,552 bytes free
Post-Run: 4,706,582,528 bytes free

- - End Of File - - FC3189472E945C18ECC082D277B53E05

#10 schrauber (Malware Response Instructor)

Posted 04 December 2009 - 03:15 PM

Hi,
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
  • Go to Start => Run and copy/paste the following line and click OK.

    cmd /c mbr.exe -t >log.txt&start log.txt

    A log file opens. Please post the content to your reply.

regards,
schrauber


#11 inuanimefreak (Topic Starter)

Posted 04 December 2009 - 04:12 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85B44F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x85b44f30
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

#12 schrauber
  • Malware Response Instructor
  • 23,418 posts
  • Location:Munich,Germany

Posted 05 December 2009 - 04:17 AM

Hi,
  • Go to Start => Run and copy/paste the following line and click OK.

    cmd /c mbr.exe -f

  • Then go to Start => Run again and copy/paste the following line and click OK.

    cmd /c mbr.exe -t >log.txt&start log.txt

    A log file opens. Please post the content to your reply.

Edited by schrauber, 05 December 2009 - 04:17 AM.

regards,
schrauber


#13 inuanimefreak
  • Topic Starter
  • Members
  • 12 posts

Posted 05 December 2009 - 10:27 AM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85B30F30]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x85b30f30
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF937C1
malicious code @ sector 0x0DF937C4 !
PE file found in sector at 0x0DF937DA !
Use "Recovery Console" command "fixmbr" to clear infection !

#14 schrauber
  • Malware Response Instructor
  • 23,418 posts
  • Location:Munich,Germany

Posted 05 December 2009 - 10:54 AM

Please reboot your system; you will then have the choice to boot into Windows or the Recovery Console. Please choose Recovery Console and hit Enter.

Now choose 1 for your Windows installation and type in your admin password, if you have set one. You will now see a command prompt; type in the following and hit Enter:

fixmbr

Now type exit and reboot your system into Windows.

Go to Start => Run and copy/paste the following line and click OK.

cmd /c mbr.exe -t >log.txt&start log.txt

A log file opens. Please post the content to your reply.
regards,
schrauber

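The two mbr.exe logs posted above (the first one flagging a hooked MBR, the second one reading "user & kernel MBR OK" after mbr.exe -f while the hook and the stashed copy are still reported) and the fixmbr step asked for here describe one technique: the bootkit keeps the original MBR in a high sector, serves it to anyone who reads sector 0 through the normal disk stack, and keeps its loader code and a PE image in the sectors behind the copy. The block below is an added example written for this edit; it is not code from the thread, from GMER's mbr.exe or from Microsoft's fixmbr. It builds a small disk image in memory with that layout (sector numbers, the boot-code bytes, the partition entry and the "malicious" sectors are all made up for the example), reproduces the checks behind the quoted log lines, then shows what rewriting the boot code of sector 0 does and does not clean up.

```python
"""Toy model of the mbr.exe findings quoted in this thread, on a constructed image.

Added example, not code from the thread, from GMER's mbr.exe or from fixmbr.
Sector numbers, boot-code bytes and the partition entry are made up.
"""
import struct

SECTOR = 512
SIG = b"\x55\xaa"
# Opening bytes of the standard Windows MBR code (xor ax,ax / mov ss,ax / mov sp,7C00h).
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
# Stand-in for rootkit loader code: a far jmp plus NOP padding, not real malware.
EVIL_BOOT = b"\xea\x00\x7c\x00\x00" + b"\x90" * 20
STASH_LBA, CODE_LBA, PE_LBA = 4, 5, 6   # assumed locations of the stashed MBR, loader, PE image


def partition_table() -> bytes:
    """One bootable type-0x07 entry at LBA 63 plus three empty entries (constructed)."""
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 0x0DF937C0)
    return entry + b"\x00" * 48


def mbr_sector(boot_code: bytes, ptable: bytes) -> bytes:
    return boot_code.ljust(446, b"\x00")[:446] + ptable + SIG


class Disk:
    """Raw image plus a flag standing in for the driver hook mbr.exe reported."""

    def __init__(self, n_sectors: int = 8):
        pt = partition_table()
        self.img = bytearray(n_sectors * SECTOR)
        self.write(0, mbr_sector(EVIL_BOOT, pt))           # hooked code, original table kept
        self.write(STASH_LBA, mbr_sector(CLEAN_BOOT, pt))  # stashed copy of the original MBR
        self.write(CODE_LBA, b"\xe8" + b"\x00" * 511)      # loader code sector
        pe = bytearray(SECTOR)
        pe[0:2] = b"MZ"
        struct.pack_into("<I", pe, 0x3C, 0x40)             # e_lfanew -> "PE\0\0" at 0x40
        pe[0x40:0x44] = b"PE\x00\x00"
        self.write(PE_LBA, bytes(pe))
        self.hooked = True                                 # hook lives in memory until reboot

    def write(self, lba: int, data: bytes) -> None:
        self.img[lba * SECTOR:(lba + 1) * SECTOR] = data.ljust(SECTOR, b"\x00")[:SECTOR]

    def read_kernel(self, lba: int) -> bytes:
        """Read below the hook, as mbr.exe does through its own driver."""
        return bytes(self.img[lba * SECTOR:(lba + 1) * SECTOR])

    def read_user(self, lba: int) -> bytes:
        """Read through the normal stack: the hook serves the clean copy for sector 0."""
        return self.read_kernel(STASH_LBA if self.hooked and lba == 0 else lba)


def is_pe(sec: bytes) -> bool:
    if sec[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", sec, 0x3C)[0]
    return off + 4 <= len(sec) and sec[off:off + 4] == b"PE\x00\x00"


def scan(disk: Disk) -> dict:
    """The checks behind the mbr.exe lines quoted above."""
    kernel_mbr = disk.read_kernel(0)
    ptable = kernel_mbr[446:510]
    result = {
        "user_kernel_mbr_match": disk.read_user(0) == kernel_mbr,  # "user & kernel MBR OK"
        "boot_code_clean": kernel_mbr.startswith(CLEAN_BOOT),
        "mbr_copies": [],                                          # "copy of MBR has been found"
        "pe_sectors": [],                                          # "PE file found in sector"
    }
    for lba in range(1, len(disk.img) // SECTOR):
        sec = disk.read_kernel(lba)
        if sec[510:] == SIG and sec[446:510] == ptable:
            result["mbr_copies"].append(lba)
        if is_pe(sec):
            result["pe_sectors"].append(lba)
    return result


def fix_mbr(disk: Disk) -> None:
    """What fixmbr and mbr.exe -f do: rewrite the 446 boot-code bytes, keep the partition table."""
    mbr = bytearray(disk.read_kernel(0))
    mbr[0:446] = CLEAN_BOOT.ljust(446, b"\x00")
    disk.write(0, bytes(mbr))


def triage() -> dict:
    """Run the scan before the fix, after the fix alone, and after clearing the stash."""
    disk = Disk()
    before = scan(disk)
    fix_mbr(disk)                    # sector 0 repaired, hook still loaded: the second log's state
    after_fix = scan(disk)
    for lba in after_fix["mbr_copies"] + after_fix["pe_sectors"] + [CODE_LBA]:
        disk.write(lba, b"\x00" * SECTOR)
    disk.hooked = False              # the reboot the thread asks for
    return {"before": before, "after_fix": after_fix, "after_wipe": scan(disk)}
```

The "after_fix" stage is the interesting one: once sector 0 carries clean boot code again, the user-mode and kernel views of the MBR agree even though the hook is still loaded, which is exactly why the second log reads "user & kernel MBR OK" while still listing the hook, the stashed copy and the PE sectors. Only the reboot drops the in-memory hook, and the copy and the stored image stay on disk until something overwrites them, which is the part fixmbr alone never touches. On a real disk, zeroing sectors by LBA as the last stage does is destructive; image the drive first and let the tooling you trust do it.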

#15 inuanimefreak
  • Topic Starter
  • Members
  • 12 posts

Posted 06 December 2009 - 09:27 PM

Ok, I tried multiple times and it will not allow me to access the Recovery Console... this is really annoying and I need to work with it without it freezing on me so much.
