
Computer keeps freezing


  • This topic is locked
47 replies to this topic

#1 saltydogs

  • Members
  • 74 posts

Posted 30 December 2009 - 01:53 PM

Recent thread, notes and scans here:
http://www.bleepingcomputer.com/forums/top...ml#entry1558646

I have a random hang problem and cannot narrow it down to any particular event. Perhaps malware picked up from some "less than honorable" website. No error messages appear. I tried having the Task Manager open to Processes, but nothing is noted there when the PC freezes. All I can do is unplug and reboot.

DDS and RootRepeal files are inserted below.
Note: I had a problem with RootRepeal. When I choose the option to "save" RootRepeal to the desktop, I get the error message: "RootRepeal already exists. Do you want to replace it?" When I click "Yes", I get the error message: "Cannot copy RootRepeal! Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I have a RootRepeal icon on my desktop which I cannot get rid of. So I choose "Run" on the RootRepeal menu and then get the error message: "invalid PE image found". I click OK and then run the scan as instructed.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Robert Hoagland at 12:48:33.57 on Wed 12/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.1981 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ACI32\Applications\Report32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Robert Hoagland\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL =
uDefault_Page_URL =
mStart Page = hxxp://www.google.com
uSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: rexplorer.net
Trusted Zone: rexplorer.net\cmls
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://support.rexplorer.net/iftw_install//iftwclix.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-6 130936]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-4-15 24064]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-23 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-23 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-23 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-23 56816]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-4-15 176640]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]

=============== Created Last 30 ================

2009-12-28 19:07:52 0 d-----w- c:\program files\ESET
2009-12-28 03:03:35 0 d-----w- c:\documents and settings\robert hoagland\DoctorWeb
2009-12-28 02:57:46 0 d-----w- c:\program files\DrWeb
2009-12-28 02:57:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Doctor Web
2009-12-01 04:19:15 15 ----a-w- c:\windows\Powerplayer.ini

==================== Find3M ====================

2009-12-08 03:46:31 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-22 20:17:26 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2009-10-22 20:17:10 120136 ----a-w- c:\windows\system32\ftbusui.dll
2009-10-22 20:16:56 197952 ----a-w- c:\windows\system32\FTLang.dll
2009-10-22 20:08:46 52552 ----a-w- c:\windows\system32\ftserui2.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-04-29 18:28:24 2172080 -c--a-w- c:\program files\ptreplicator-setup.exe
2009-09-15 01:50:22 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-09-13 20:25:16 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 12:48:45.81 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 4/23/2009 2:33:22 PM
System Uptime: 12/30/2009 9:42:17 AM (3 hours ago)

Motherboard: Dell Inc. | | 0T656F
Processor: Intel® Core™2 Duo CPU E7300 @ 2.66GHz | CPU | 2659/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 278.591 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is FIXED (FAT32) - 112 GiB total, 50.464 GiB free.
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 12/27/2009 5:02:01 PM - System Checkpoint
RP2: 12/27/2009 5:02:38 PM - 12/25/09
RP3: 12/27/2009 9:57:44 PM - Installed Dr.Web anti-virus for Windows 5.0 (x86).
RP4: 12/27/2009 10:15:57 PM - Removed Dr.Web anti-virus for Windows 5.0 (x86).
RP5: 12/28/2009 11:03:43 PM - System Checkpoint
RP6: 12/30/2009 9:44:32 AM - Software Distribution Service 3.0

==== Installed Programs ======================

32 Bit HP CIO Components Installer
7500_7600_7700_Help
ACI Collection 32
ACI Desktop Additional Components
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 3.0
Adobe Reader 9.1
Alarm Clock v1.0
AT&T Self Support Tool
AT&T Toolbar
Avira AntiVir Personal - Free Antivirus
BPD_HPSU
BPD_Scan
BPDfax
BPDSoftware
BPDSoftware_Ini
Broadcom Management Programs
BufferChm
Choice Guard
CleanUp!
Computer Alarm Clock
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
Dell Resource CD
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
ESET Online Scanner v3
eSupportQFolder
FullDPAppQFolder
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954434)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB958347)
Hotfix for Windows XP (KB959252)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Product Assistant
HP Solution Center 7.0
HP Update
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
Intel® Graphics Media Accelerator Driver
Java™ 6 Update 16
Karen's Replicator
L7500
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Move Media Player
MPM
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB927977)
OCR Software by I.R.I.S 7.0
PanoStandAlone
PhotoGallery
PowerDVD
PPMate Network TV 2.3.1.74
ProductContext
RandMap
REXplorer Component Upgrade
Scan
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SkinsHP1
SlideShow
SolutionCenter
Sonic CinePlayer Decoder Pack
Sonic_PrimoSDK
SopCast 3.2.4
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Spyware Doctor 6.1
SpywareBlaster 4.2
Status
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
TVUPlayer 2.3.4.1
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB898461)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Veetle TV 0.9.15
VLC media player 1.0.3
WebFldrs XP
WebReg
WinCleaner AntiSpyware 5.4
Windows Genuine Advantage Notifications (KB905474)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
WinRAR archiver
WordBiz version 1.8
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/30/2009 8:36:56 AM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library Myson CS8819A3-116 0 USB Device.
12/30/2009 8:26:10 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
12/29/2009 6:49:59 PM, error: Service Control Manager [7001] - The Fax service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/29/2009 6:49:58 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
12/29/2009 12:08:35 AM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 0023AE84BA0C has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
12/28/2009 3:14:55 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

==== End Of File ===========================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/30 12:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA5262000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA62A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xA47FE000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\robert hoagland\local settings\temp\~dfb43a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\robert hoagland\local settings\temp\~dfeacd.tmp
Status: Allocation size mismatch (API: 327680, Raw: 16384)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ece514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ebd282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9ebd474

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0xba69e1ec

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9eced00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecefb8

#: 098 Function Name: NtLoadKey
Status: Hooked by "" at address 0xba69e20a

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecd3fa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "" at address 0xba69e1d8

#: 128 Function Name: NtOpenThread
Status: Hooked by "" at address 0xba69e1dd

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecf422

#: 193 Function Name: NtReplaceKey
Status: Hooked by "" at address 0xba69e214

#: 204 Function Name: NtRestoreKey
Status: Hooked by "" at address 0xba69e20f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ece7d8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ebcf32

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a6df838 Size: 565

==EOF==


#2 myrti

  • Malware Study Hall Admin
  • 33,779 posts

Posted 09 January 2010 - 11:15 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Regards, myrti

Is that a bird? A plane? Nooo, it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

#3 saltydogs

  • Topic Starter
  • Members
  • 74 posts

Posted 10 January 2010 - 05:29 PM

Thanks for responding to my post.
In the last few days my PC has decided to freeze at various times for no particular reason. At random times every day the PC will freeze in the middle of playing games, surfing, or writing or reading email. I have to unplug and do a power shutdown, then reboot. Numerous malware/virus/spyware scans have produced nothing of concern. I even did an interior clean-out, thinking overheating might be the problem. I hadn't installed any new hardware or software preceding this problem.
I am using WinXP Professional SP3.

There is one event that will consistently cause the computer to freeze. Whenever I need to pay for something with a credit card, no matter which online vendor, a window with the heading "Advanced Card Verification" pops up. This page asks me for all of my personal bank info, SSN, mother's maiden name, etc. When I try to click off the page, a message comes up stating: "The webpage you are viewing is trying to close the window!" And at that moment my PC will freeze.


OTL Extras logfile created on: 1/10/2010 5:04:14 PM - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\Robert Hoagland\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.05 Gb Total Space | 278.59 Gb Free Space | 93.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 999.63 Mb Total Space | 957.64 Mb Free Space | 95.80% Space Free | Partition Type: FAT
Drive F: | 111.76 Gb Total Space | 50.46 Gb Free Space | 45.15% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NEWMAIN
Current User Name: Robert Hoagland
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"9581:TCP" = 9581:TCP:*:Enabled:Services
"7471:TCP" = 7471:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"9581:TCP" = 9581:TCP:*:Enabled:Services
"7471:TCP" = 7471:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.)
"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" = C:\Program Files\Avira\AntiVir Desktop\avgnt.exe:*:Enabled:avgnt -- (Avira GmbH)
"C:\Program Files\ATT-HSI\McciBrowser.exe" = C:\Program Files\ATT-HSI\McciBrowser.exe:*:Enabled:motivebrowser.exe -- (Motive Communications, Inc.)
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
"C:\Program Files\TVUPlayer\TVUPlayer.exe" = C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Enabled:TVUPlayer Component -- File not found
"C:\Program Files\Internet Explorer\iexplore.exe" = C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer -- (Microsoft Corporation)
"C:\Program Files\PPMate\ppmate.exe" = C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate -- File not found
"C:\Program Files\PPMate\ppamnet.exe" = C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate -- File not found
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- File not found
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- File not found
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Small Business
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{0A55CDBB-0566-4AA2-A15B-24C7F27C6FF4}" = BPD_Scan
"{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{138BD312-3557-40F8-BC5E-6DFF00A6880D}" = BPDSoftware_Ini
"{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig
"{17E81C48-407E-499f-A105-1B49ACDB9BA4}" = ProductContext
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java™ 6 Update 16
"{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK
"{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1
"{42929F0F-CE14-47AF-9FC7-FF297A603021}" = Dell Resource CD
"{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm
"{4AE80E7B-6633-4046-9C15-D3B281C4F73D}" = BPDSoftware
"{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant
"{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder
"{5BFE01FF-189F-4b75-8FA8-9B7CD7F9C529}" = L7500
"{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg
"{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6DE9751D-3FFE-400E-8761-26A92DB734DE}" = BPD_HPSU
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7729A02E-D1AD-4830-8FC5-11853500D90D}" = HP Officejet Pro All-In-One Series
"{7BB045C3-D5E4-4620-B536-DC11AACD5942}" = Broadcom Management Programs
"{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder
"{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status
"{851C67EF-068A-4060-9EF5-2E3DDCD68382}" = Adobe Photoshop Elements 3.0
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc
"{8C045626-4496-4238-B3B8-394CC6D46427}" = 7500_7600_7700_Help
"{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99C6CCD9-0445-4FE5-8D6F-0D654DA7DEFC}" = ACI Desktop Additional Components
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A639BD63-8CE6-11D5-B4CC-00105A07274A}" = REXplorer Component Upgrade
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour
"{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1067095-24AB-4BCD-B64B-BE83A9186DCE}" = ACI Collection 32
"{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery
"{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = BPDfax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D48AD533-BAD5-469B-A9AA-272C6D80E70B}" = MPM
"{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp
"{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch
"{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1
"{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC
"{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan
"{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Alarm Clock_is1" = Alarm Clock v1.0
"ATT-SST" = AT&T Self Support Tool
"ATTToolbar" = AT&T Toolbar
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CleanUp!" = CleanUp!
"Computer Alarm Clock" = Computer Alarm Clock
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Document Viewer" = HP Document Viewer 7.0
"HP Imaging Device Functions" = HP Imaging Device Functions 7.0
"HP Photo & Imaging" = HP Photosmart Premier Software 6.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0
"HPExtendedCapabilities" = HP Customer Participation Program 7.0
"HPOCR" = OCR Software by I.R.I.S 7.0
"ie8" = Windows Internet Explorer 8
"Internet Scrabble Club_is1" = WordBiz version 1.8
"Karen's Replicator" = Karen's Replicator
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Spyware Doctor" = Spyware Doctor 6.1
"SpywareBlaster_is1" = SpywareBlaster 4.2
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/27/2009 12:14:18 PM | Computer Name = NEWMAIN | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x00036f63.

Error - 12/27/2009 12:14:22 PM | Computer Name = NEWMAIN | Source = Application Error | ID = 1000
Description = Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module
dbghelp.dll, version 5.1.2600.5512, fault address 0x0001295d.

Error - 12/27/2009 10:50:04 PM | Computer Name = NEWMAIN | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{560BD060-9C97-4A3C-AFC5-1D2EFABBA9DD}\drweb-500-win.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 12/27/2009 10:52:36 PM | Computer Name = NEWMAIN | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{1DD27436-FC7F-4949-914F-3F6C490763A4}\drweb-500-win.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 12/27/2009 10:54:32 PM | Computer Name = NEWMAIN | Source = MsiInstaller | ID = 1008
Description = The installation of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{FC38DF88-44A5-48F0-90D0-61E75610F79F}\drweb-500-win.msi
is not permitted due to an error in software restriction policy processing. The
object cannot be trusted.

Error - 12/27/2009 11:32:55 PM | Computer Name = NEWMAIN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/30/2009 9:18:27 AM | Computer Name = NEWMAIN | Source = Application Hang | ID = 1002
Description = Hanging application nmw4n1h3.exe, version 1.0.15.15281, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/4/2010 12:37:12 PM | Computer Name = NEWMAIN | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 1/4/2010 4:31:15 PM | Computer Name = NEWMAIN | Source = Application Error | ID = 1000
Description = Faulting application explorer.exe, version 6.0.2900.5512, faulting
module ole32.dll, version 5.1.2600.5512, fault address 0x0004d9ca.

Error - 1/4/2010 6:11:36 PM | Computer Name = NEWMAIN | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 1/7/2010 2:10:00 AM | Computer Name = NEWMAIN | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >

OTL logfile created on: 1/10/2010 5:04:14 PM - Run 1
OTL by OldTimer - Version 3.1.23.0 Folder = C:\Documents and Settings\Robert Hoagland\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.05 Gb Total Space | 278.59 Gb Free Space | 93.47% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 999.63 Mb Total Space | 957.64 Mb Free Space | 95.80% Space Free | Partition Type: FAT
Drive F: | 111.76 Gb Total Space | 50.46 Gb Free Space | 45.15% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NEWMAIN
Current User Name: Robert Hoagland
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/10 17:03:28 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert Hoagland\Desktop\OTL.exe
PRC - [2009/09/15 22:26:57 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/08/05 21:22:42 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/06/09 14:22:51 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/03/02 11:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/09/23 09:45:29 | 00,303,104 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Common Files\Motive\McciCMService.exe
PRC - [2008/04/14 07:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 07:00:00 | 00,138,752 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sndvol32.exe
PRC - [2004/10/04 03:47:04 | 00,098,304 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
PRC - [2004/10/04 02:40:50 | 00,118,784 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe


========== Modules (SafeList) ==========

MOD - [2010/01/10 17:03:28 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert Hoagland\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (sdCoreService)
SRV - File not found [On_Demand | Stopped] -- -- (sdAuxService)
SRV - [2009/09/15 22:26:57 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/08/05 21:22:42 | 00,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/06/09 14:22:51 | 00,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/09/23 09:45:29 | 00,303,104 | ---- | M] (Motive Communications, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Motive\McciCMService.exe -- (McciCMService)
SRV - [2008/07/18 12:13:20 | 00,053,760 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2008/07/18 12:13:20 | 00,044,032 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2008/04/25 16:26:27 | 00,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\termsrv32.dll -- (TermService)
SRV - [2005/11/14 00:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/10/04 03:47:04 | 00,098,304 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor)
SRV - [2004/10/04 02:40:50 | 00,118,784 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe -- (PhotoshopElementsDeviceConnect)


========== Driver Services (SafeList) ==========

DRV - [2009/12/07 22:46:31 | 00,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/10/22 15:11:14 | 00,057,800 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2009/10/22 15:09:34 | 00,072,520 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2009/09/17 18:54:53 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/06/09 14:22:51 | 00,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/04/27 17:15:35 | 00,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/04/03 09:18:26 | 00,130,936 | ---- | M] (PC Tools) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/03/23 13:07:28 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/03/23 13:07:26 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/02/13 10:35:05 | 00,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/01/18 23:11:36 | 06,021,184 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/09/23 09:45:32 | 00,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/09/23 09:45:31 | 00,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/07/15 23:03:18 | 00,176,640 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\k57xp32.sys -- (k57w2k) Broadcom NetLink ™
DRV - [2008/07/15 22:40:58 | 00,338,944 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2008/07/15 22:40:58 | 00,024,064 | ---- | M] (Sonic Focus, Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sfaudio.sys -- (SFAUDIO)
DRV - [2008/04/14 07:06:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 07:06:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/14 07:00:00 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 07:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2007/08/15 06:27:18 | 00,009,600 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\n558.sys -- (n558)
DRV - [2007/07/26 03:00:00 | 00,043,872 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/03/19 19:48:37 | 00,021,568 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2006/03/19 19:48:36 | 00,049,920 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2006/03/19 19:48:36 | 00,016,496 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2001/08/17 21:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 21:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 21:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 21:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 21:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 20:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 20:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 20:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 20:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 20:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 20:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 20:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 20:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 20:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 20:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://g.msn.com/USREL/1


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com [binary data]
IE - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\S-1-5-21-88662054-1569768389-1154089107-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (949678 bytes) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 fr.a2dfp.net
O1 - Hosts: 127.0.0.1 m.fr.a2dfp.net
O1 - Hosts: 127.0.0.1 ad.a8.net
O1 - Hosts: 127.0.0.1 asy.a8ww.net
O1 - Hosts: 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
O1 - Hosts: 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
O1 - Hosts: 127.0.0.1 phpadsnew.abac.com
O1 - Hosts: 127.0.0.1 a.abnad.net
O1 - Hosts: 127.0.0.1 b.abnad.net
O1 - Hosts: 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
O1 - Hosts: 127.0.0.1 d.abnad.net
O1 - Hosts: 127.0.0.1 e.abnad.net
O1 - Hosts: 127.0.0.1 t.abnad.net
O1 - Hosts: 127.0.0.1 z.abnad.net
O1 - Hosts: 127.0.0.1 banners.absolpublisher.com
O1 - Hosts: 127.0.0.1 tracking.absolstats.com
O1 - Hosts: 127.0.0.1 adv.abv.bg
O1 - Hosts: 127.0.0.1 bimg.abv.bg
O1 - Hosts: 127.0.0.1 www2.a-counter.kiev.ua
O1 - Hosts: 127.0.0.1 track.acclaimnetwork.com
O1 - Hosts: 127.0.0.1 accuserveadsystem.com
O1 - Hosts: 127.0.0.1 www.accuserveadsystem.com
O1 - Hosts: 127.0.0.1 gtb5.acecounter.com
O1 - Hosts: 127.0.0.1 gtb19.acecounter.com
O1 - Hosts: 27989 more lines...
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
O3 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\..\Toolbar\WebBrowser: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Toolbars present
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe File not found
O15 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\..Trusted Domains: rexplorer.net ([]* in Trusted sites)
O15 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\..Trusted Domains: rexplorer.net ([cmls] * in Trusted sites)
O15 - HKU\S-1-5-21-88662054-1569768389-1154089107-1005\..Trusted Domains: 25 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} http://support.rexplorer.net/iftw_install//iftwclix.cab (InstallFromTheWeb ActiveX Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/25 16:29:32 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2002/10/17 09:56:50 | 00,000,036 | RH-- | M] () - F:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2002/10/28 13:03:12 | 00,000,000 | RH-D | M] - F:\autorun -- [ FAT32 ]
O32 - AutoRun File - [2008/04/25 17:29:34 | 00,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/10 17:03:26 | 00,543,744 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Robert Hoagland\Desktop\OTL.exe
[2009/12/27 22:03:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Robert Hoagland\DoctorWeb
[2009/12/27 21:57:46 | 00,000,000 | ---D | C] -- C:\Program Files\DrWeb
[2009/12/27 21:57:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Doctor Web
[2009/12/15 17:32:03 | 00,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2009/11/15 13:01:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Softland
[2009/10/25 10:39:50 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/10/25 10:39:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/10/18 12:44:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/10/18 12:39:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/04/29 13:26:27 | 02,172,080 | ---- | C] (Karen Kenworthy) -- C:\Program Files\ptreplicator-setup.exe
[2008/04/25 16:32:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/04/25 16:29:24 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/02/19 02:28:56 | 00,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/10 17:03:28 | 00,543,744 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Robert Hoagland\Desktop\OTL.exe
[2010/01/08 08:45:07 | 00,527,996 | ---- | M] () -- C:\Documents and Settings\Robert Hoagland\Desktop\The Savvy Networker.mht
[2010/01/07 19:06:09 | 00,000,029 | ---- | M] () -- C:\WINDOWS\System32\package.lst
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/07 15:21:24 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/07 15:21:07 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/07 15:21:04 | 32,096,54272 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/07 15:21:04 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/07 14:49:38 | 00,001,202 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/01/07 14:49:38 | 00,000,097 | ---- | M] () -- C:\WINDOWS\System32\PDFWRITR.INI
[2010/01/07 14:49:38 | 00,000,097 | ---- | M] () -- C:\WINDOWS\System32\__PDF.INI
[2010/01/07 01:17:32 | 07,864,320 | ---- | M] () -- C:\Documents and Settings\Robert Hoagland\ntuser.dat
[2010/01/07 01:17:10 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Robert Hoagland\ntuser.ini
[2010/01/06 00:21:04 | 05,320,182 | -H-- | M] () -- C:\Documents and Settings\Robert Hoagland\Local Settings\Application Data\IconCache.db
[2009/12/31 10:27:20 | 01,440,054 | ---- | M] () -- C:\Documents and Settings\Robert Hoagland\Desktop\VagCom Scan.BMP
[2009/12/29 15:17:01 | 00,000,822 | ---- | M] () -- C:\Documents and Settings\Robert Hoagland\Desktop\Windows Media Player.lnk
[2009/12/29 00:16:22 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Robert Hoagland\Desktop\settings.dat
[2009/12/27 09:27:06 | 00,000,327 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/27 09:27:06 | 00,000,281 | -HS- | M] () -- C:\boot.ini
[2009/12/27 00:12:11 | 00,000,011 | ---- | M] () -- C:\WINDOWS\System32\uninstall.mybho
[2009/12/23 15:04:27 | 00,113,544 | ---- | M] () -- C:\Documents and Settings\Robert Hoagland\Desktop\Paragon Login.mht
[2009/12/23 14:25:16 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2009/12/23 14:25:16 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2009/12/23 14:25:16 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2009/12/23 14:25:16 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2009/12/23 14:25:16 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2009/12/23 14:25:16 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2009/12/23 14:25:13 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/12/23 14:25:13 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/12/23 14:24:25 | 00,001,551 | ---- | M] () -- C:\Documents and Settings\Robert Hoagland\Desktop\Primary Paragon Login (cmls.fnismls.com).lnk
[2009/12/23 13:20:15 | 00,004,350 | ---- | M] () -- C:\WINDOWS\Apexwin.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/08 08:45:04 | 00,527,996 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Desktop\The Savvy Networker.mht
[2009/12/31 10:27:19 | 01,440,054 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Desktop\VagCom Scan.BMP
[2009/12/29 00:16:22 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Desktop\settings.dat
[2009/12/27 22:38:50 | 32,096,54272 | -HS- | C] () -- C:\hiberfil.sys
[2009/12/23 15:04:27 | 00,113,544 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Desktop\Paragon Login.mht
[2009/12/23 14:24:25 | 00,001,551 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Desktop\Primary Paragon Login (cmls.fnismls.com).lnk
[2009/11/30 23:19:15 | 00,000,015 | ---- | C] () -- C:\WINDOWS\Powerplayer.ini
[2009/11/14 23:24:14 | 00,000,547 | ---- | C] () -- C:\WINDOWS\psnetwork.ini
[2009/10/18 20:21:59 | 00,000,085 | ---- | C] () -- C:\WINDOWS\D2HNAV16.INI
[2009/09/06 00:13:37 | 00,019,175 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Application Data\dymi.db
[2009/05/21 20:10:26 | 00,003,584 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/21 07:05:01 | 00,000,552 | ---- | C] () -- C:\WINDOWS\PCAWin.ini
[2009/05/05 07:25:49 | 00,100,864 | ---- | C] () -- C:\WINDOWS\System32\Dc50ip32.dll
[2009/05/05 07:25:49 | 00,065,864 | ---- | C] () -- C:\WINDOWS\System32\Digita.sys
[2009/05/05 07:25:49 | 00,007,808 | ---- | C] () -- C:\WINDOWS\System32\dc240u.sys
[2009/05/05 07:25:49 | 00,006,144 | ---- | C] () -- C:\WINDOWS\System32\ImgLibLead.dll
[2009/05/05 07:25:44 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/05/02 14:09:53 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PDFWRITR.INI
[2009/05/02 14:09:53 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\__PDF.INI
[2009/05/02 07:40:02 | 00,000,138 | ---- | C] () -- C:\Documents and Settings\Robert Hoagland\Local Settings\Application Data\fusioncache.dat
[2009/04/24 18:20:04 | 00,004,350 | ---- | C] () -- C:\WINDOWS\Apexwin.ini
[2009/04/24 18:13:46 | 00,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2009/04/24 18:13:46 | 00,116,736 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2009/04/24 18:13:45 | 00,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
[2009/04/24 18:13:42 | 00,495,616 | ---- | C] () -- C:\WINDOWS\System32\Tx32.dll
[2009/04/24 18:13:42 | 00,000,260 | ---- | C] () -- C:\WINDOWS\System32\ic32.ini
[2009/04/24 18:13:38 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\Cp5.dll
[2009/04/24 18:13:38 | 00,000,086 | ---- | C] () -- C:\WINDOWS\LHOUSE.INI
[2009/04/24 18:13:36 | 00,514,832 | ---- | C] () -- C:\WINDOWS\System32\LEAD45.DLL
[2009/04/24 18:13:36 | 00,467,348 | ---- | C] () -- C:\WINDOWS\System32\TGDRAW16.DLL
[2009/04/24 18:13:36 | 00,201,065 | ---- | C] () -- C:\WINDOWS\System32\TGDXF16.DLL
[2009/04/24 18:13:36 | 00,193,842 | ---- | C] () -- C:\WINDOWS\System32\TGENT16.DLL
[2009/04/24 18:13:36 | 00,152,384 | ---- | C] () -- C:\WINDOWS\System32\TGCURV16.DLL
[2009/04/24 18:13:36 | 00,136,200 | ---- | C] () -- C:\WINDOWS\System32\TGSOLD16.DLL
[2009/04/24 18:13:36 | 00,127,656 | ---- | C] () -- C:\WINDOWS\System32\TG2D16.DLL
[2009/04/24 18:13:36 | 00,083,240 | ---- | C] () -- C:\WINDOWS\System32\TGCIRC16.DLL
[2009/04/24 18:13:36 | 00,081,770 | ---- | C] () -- C:\WINDOWS\System32\TGCLIP16.DLL
[2009/04/24 18:13:36 | 00,070,784 | ---- | C] () -- C:\WINDOWS\System32\TG3D16.DLL
[2009/04/24 18:13:36 | 00,070,632 | ---- | C] () -- C:\WINDOWS\System32\TGPOLY16.DLL
[2009/04/24 18:13:36 | 00,062,976 | ---- | C] () -- C:\WINDOWS\System32\TGSURF16.DLL
[2009/04/24 18:13:36 | 00,062,464 | ---- | C] () -- C:\WINDOWS\System32\TGKERN16.DLL
[2009/04/24 18:13:36 | 00,059,872 | ---- | C] () -- C:\WINDOWS\System32\TGARC16.DLL
[2009/04/24 18:13:36 | 00,053,864 | ---- | C] () -- C:\WINDOWS\System32\TGSPHR16.DLL
[2009/04/24 18:13:36 | 00,049,256 | ---- | C] () -- C:\WINDOWS\System32\TGTRF16.DLL
[2009/04/24 18:13:36 | 00,044,032 | ---- | C] () -- C:\WINDOWS\System32\TGTOOL16.DLL
[2009/04/24 18:13:36 | 00,042,464 | ---- | C] () -- C:\WINDOWS\System32\TGDBAS16.DLL
[2009/04/24 18:13:36 | 00,030,768 | ---- | C] () -- C:\WINDOWS\System32\TGCONV16.DLL
[2009/04/24 18:13:36 | 00,030,144 | ---- | C] () -- C:\WINDOWS\System32\TGTRIG16.DLL
[2009/04/24 18:13:36 | 00,027,304 | ---- | C] () -- C:\WINDOWS\System32\TGAREA16.DLL
[2009/04/24 18:13:36 | 00,026,408 | ---- | C] () -- C:\WINDOWS\System32\TGTRIA16.DLL
[2009/04/24 18:13:36 | 00,025,612 | ---- | C] () -- C:\WINDOWS\System32\TGVOL16.DLL
[2009/04/23 14:14:37 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/04/23 13:47:40 | 00,001,822 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/04/15 23:58:51 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4957.dll
[2009/04/15 23:58:19 | 00,001,154 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2009/04/15 21:28:36 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/04/15 21:16:58 | 00,000,234 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/04/25 16:26:32 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/15 06:27:18 | 00,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\n558.sys
[2005/10/11 21:20:10 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2001/07/07 02:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/12/06 14:37:12 | 00,068,096 | R--- | C] () -- C:\WINDOWS\System32\lfplt11n.dll
[1999/01/22 13:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 03:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== Alternate Data Streams ==========

@Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Robert Hoagland\Desktop\Resume.pdf:SummaryInformation
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:10:44 PM
Posted 10 January 2010 - 05:45 PM

Hi,

that log looks rather good.

Could you please try to run gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

As well as win32kdiag:

Download and run Win32kDiag:

Please post back both logs in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 saltydogs

  • Topic Starter
  • Members
  • 74 posts
  • Local time:03:44 PM
Posted 10 January 2010 - 07:54 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-10 18:56:31
Windows 5.1.2600 Service Pack 3
Running: gf7kdhwh.exe; Driver: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\uxldqpod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9ECE514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9EBD282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9EBD474]
SSDT BA77A514 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9ECED00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9ECEFB8]
SSDT BA77A532 ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9ECD3FA]
SSDT BA77A500 ZwOpenProcess
SSDT BA77A505 ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9ECF422]
SSDT BA77A53C ZwReplaceKey
SSDT BA77A537 ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9ECE7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9EBCF32]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe[432] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00ED28F5
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe[432] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00ED2781
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe[432] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00ED2873
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe[432] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00ED27B9
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe[432] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00ED27F1
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[472] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01B928F5
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[472] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B92781
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[472] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01B92873
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[472] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01B927B9
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[472] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01B927F1
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01F328F5
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01F32781
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01F32873
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01F327B9
.text C:\Program Files\Java\jre6\bin\jqs.exe[572] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01F327F1
.text C:\Program Files\Common Files\Motive\McciCMService.exe[612] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E028F5
.text C:\Program Files\Common Files\Motive\McciCMService.exe[612] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E02781
.text C:\Program Files\Common Files\Motive\McciCMService.exe[612] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E02873
.text C:\Program Files\Common Files\Motive\McciCMService.exe[612] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E027B9
.text C:\Program Files\Common Files\Motive\McciCMService.exe[612] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E027F1
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe[1128] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 003E28F5
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe[1128] WS2_32.dll!send 71AB4C27 5 Bytes JMP 003E2781
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe[1128] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 003E2873
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe[1128] WS2_32.dll!recv 71AB676F 5 Bytes JMP 003E27B9
.text C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe[1128] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 003E27F1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02D9299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02D9294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02D92911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02D92EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02D92F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 02D92BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 02D929B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 02D9370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02D92D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 02D932E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 02D932F2
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1524] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 018928F5
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1524] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01892781
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1524] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01892873
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1524] WS2_32.dll!recv 71AB676F 5 Bytes JMP 018927B9
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1524] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 018927F1
.text C:\WINDOWS\Explorer.EXE[1644] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01B328F5
.text C:\WINDOWS\Explorer.EXE[1644] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B32781
.text C:\WINDOWS\Explorer.EXE[1644] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01B32873
.text C:\WINDOWS\Explorer.EXE[1644] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01B327B9
.text C:\WINDOWS\Explorer.EXE[1644] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01B327F1
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1828] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E728F5
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1828] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E72781
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1828] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E72873
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1828] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E727B9
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1828] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E727F1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0292299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0292294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02922911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02922EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02922F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 02922BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 029229B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0292370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02922D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 029232E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 029232F2
.text C:\WINDOWS\System32\alg.exe[2840] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B928F5
.text C:\WINDOWS\System32\alg.exe[2840] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B92781
.text C:\WINDOWS\System32\alg.exe[2840] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B92873
.text C:\WINDOWS\System32\alg.exe[2840] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B927B9
.text C:\WINDOWS\System32\alg.exe[2840] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B927F1
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0269299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0269294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02692911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 02692EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 02692F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 02692BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 026929B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0269370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 02692D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 026932E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3080] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 026932F2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 020E299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 020E294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 020E2911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 020E2EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 020E2F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 020E2BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 020E29B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 020E370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 020E2D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 020E32E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 020E32F2
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 022D299D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 022D294D
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 022D2911
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21541D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9865 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCEE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED6EC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254602 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E441F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4351 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E43BC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4222 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4284 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4482 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E42E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED748 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E47A0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 022D2EA5
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 022D2F01
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 022D2BF3
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 022D29B9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 022D370F
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 022D2D5B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] CRYPT32.dll!CertGetCertificateChain 77A92F67 5 Bytes JMP 022D32E9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A9B76F 5 Bytes JMP 022D32F2


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[1520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2408] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3260] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 8A9EC760
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A9EC760
Device \Driver\atapi \Device\Ide\IdePort1 8A9EC760
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A9EC760

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet001\Services\UACd.sys\modules@uacav
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacav
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacav
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet005\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet006\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet007\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet008\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet009\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet010\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet011\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet012\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet013\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet014\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet015\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet016\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\ControlSet018\Services\BTHPORT\Parameters\Keys\00027204a312 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACyxtlgwwyed.dll
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys\modules@uacav \\?\globalroot\systemroot\system32\UACpdxcdqloyl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027204a312
Reg HKLM\SYSTEM\ControlSet020\Services\BTHPORT\Parameters\Keys\00027204a312 (not active ControlSet)


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----




Running from: C:\Documents and Settings\Robert Hoagland\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Robert Hoagland\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...


Finished!

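Added example, not part of this thread and not GMER's own code: the Reg lines above register the same service, UACd.sys, in every ControlSet, and each copy points at drivers and DLLs with randomised UAC-prefixed names (a naming pattern widely associated with the TDSS rootkit family). The Python below parses lines in that format, collects every file path the service references per ControlSet, and dedupes them into the list of filenames a cleanup would have to account for. SAMPLE_GMER is a constructed excerpt in the same shape as the scan output, and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of GMER's registry listing (not the full log).
SAMPLE_GMER = r"""
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys@imagepath \systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UAClyavymnadx.sys
Reg HKLM\SYSTEM\ControlSet017\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACvoybnejkcb.dll
Reg HKLM\SYSTEM\ControlSet018\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACovmrvyvmei.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027204a312
"""

# One GMER "Reg" line: Reg HKLM\SYSTEM\<ControlSet>\Services\<service>[\subkeys][@value] [data]
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\"
    r"(?P<svc>[^\\@\s]+)(?P<sub>(?:\\[^@\s]+)*)(?:@(?P<val>\S+))?(?:\s+(?P<data>.*))?$"
)

# Filename pattern seen in the log: "UAC" followed by a run of random letters
# and a driver/DLL/data extension (the length bounds are my assumption).
RANDOM_UAC_NAME = re.compile(r"\\(UAC[a-z]{8,12}\.(?:sys|dll|dat))$", re.IGNORECASE)


def service_artifacts(text, service="UACd.sys"):
    """Collect every file path the named service references, per ControlSet.

    The service's @imagepath and every value under its \\modules subkey are
    file paths; lines whose data is "(not active ControlSet)" carry no path
    and are skipped.
    """
    per_cs = defaultdict(set)
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if not m or m.group("svc").lower() != service.lower():
            continue
        data = (m.group("data") or "").strip()
        if not data or data.startswith("("):
            continue
        val = (m.group("val") or "").lower()
        if val == "imagepath" or m.group("sub").lower().endswith("\\modules"):
            per_cs[m.group("cs")].add(data)
    return {cs: sorted(paths) for cs, paths in per_cs.items()}


def randomised_files(artifacts):
    """Deduplicated filenames (across all ControlSets) matching the UAC+random pattern.

    The same file appears under several ControlSets and under two path
    spellings (\\systemroot\\... and \\\\?\\globalroot\\systemroot\\...), so
    dedupe on the basename, which is what a cleanup tool needs.
    """
    names = set()
    for paths in artifacts.values():
        for path in paths:
            m = RANDOM_UAC_NAME.search(path)
            if m:
                names.add(m.group(1))
    return sorted(names)


if __name__ == "__main__":
    found = service_artifacts(SAMPLE_GMER)
    for cs, paths in sorted(found.items()):
        print(cs)
        for p in paths:
            print("   ", p)
    print("files to account for:", randomised_files(found))
```

The per-ControlSet view matters because ControlSet017/018 are the stale "last known good" copies: a cleanup that only touches CurrentControlSet leaves the service registered in the others.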
#6 myrti (Malware Study Hall Admin)

Posted 10 January 2010 - 08:03 PM

Hi,

you seem to have an MBR-rootkit infection, please download and run mbr.exe:

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -f >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 saltydogs (Topic Starter)

Posted 10 January 2010 - 08:23 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a78e498
NDIS: Broadcom NetLink ™ Gigabit Ethernet -> SendCompleteHandler -> 0x8aa121a0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x02542E2B0
malicious code @ sector 0x02542E2B3 !
PE file found in sector at 0x02542E2C9 !
Use "Recovery Console" command "fixmbr" to clear infection !

#8 myrti (Malware Study Hall Admin)

Posted 10 January 2010 - 08:26 PM

Hi,

that did not fix the infection, please run ComboFix as a next step:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


regards myrti



#9 saltydogs (Topic Starter)

Posted 10 January 2010 - 08:41 PM

ComboFix 10-01-04.01 - Robert Hoagland 01/10/2010 20:32:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2647 [GMT -5:00]
Running from: c:\documents and settings\Robert Hoagland\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2010-01-11 01:20 . 2010-01-11 01:20 77312 ----a-w- C:\mbr.exe
2009-12-28 05:58 . 2009-12-28 05:58 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2009-12-28 03:03 . 2009-12-28 03:03 -------- d-----w- c:\documents and settings\Robert Hoagland\DoctorWeb
2009-12-28 02:57 . 2009-12-28 03:17 -------- d-----w- c:\program files\DrWeb
2009-12-28 02:57 . 2009-12-28 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-12-27 05:56 . 2009-12-27 05:56 52224 ----a-w- c:\documents and settings\Robert Hoagland\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 23:17 . 2009-12-26 23:17 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-26 23:17 . 2009-12-26 23:17 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-26 23:16 . 2009-12-27 02:36 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-26 23:16 . 2009-12-26 23:16 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 14:13 . 2009-09-05 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-08 14:13 . 2009-09-17 23:36 -------- d-----w- c:\program files\SpywareBlaster
2010-01-08 14:05 . 2009-06-08 13:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 13:55 . 2009-06-24 12:59 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-06-08 13:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-06-08 13:02 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 23:10 . 2009-04-16 02:16 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-04 23:10 . 2009-04-16 02:16 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-04 23:09 . 2009-11-14 04:45 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\Move Networks
2009-12-27 16:27 . 2009-09-23 16:17 -------- d-----w- c:\program files\CleanUp!
2009-12-27 15:38 . 2009-04-23 19:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-27 05:56 . 2009-04-23 19:30 117760 -c--a-w- c:\documents and settings\Robert Hoagland\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-23 21:21 . 2009-11-18 17:54 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\vlc
2009-12-08 03:46 . 2009-04-23 18:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-19 13:54 . 2009-09-15 02:35 -------- d-----w- c:\program files\ATT-SST
2009-11-18 17:53 . 2009-11-18 17:53 -------- d-----w- c:\program files\VideoLAN
2009-11-15 18:07 . 2009-11-15 18:07 -------- d-----w- c:\program files\Dell
2009-11-15 18:01 . 2009-11-15 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2009-11-15 17:27 . 2009-04-29 21:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-15 04:24 . 2009-11-15 04:24 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\ppStream
2009-11-14 16:40 . 2009-11-14 16:40 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\PPMate
2009-11-14 16:40 . 2009-11-14 16:40 -------- d-----w- c:\program files\Common Files\Synacast
2009-10-29 07:45 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-25 15:11 . 2009-10-25 15:10 5519752 ----a-w- c:\documents and settings\Robert Hoagland\Application Data\TVU Networks\TVU AutoUpgrade\TVUPlayer2.4.7.2.exe
2009-10-22 20:17 . 2009-10-22 20:17 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2009-10-22 20:17 . 2009-10-22 20:17 120136 ----a-w- c:\windows\system32\ftbusui.dll
2009-10-22 20:16 . 2009-10-22 20:16 197952 ----a-w- c:\windows\system32\FTLang.dll
2009-10-22 20:11 . 2009-10-22 20:11 57800 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2009-10-22 20:09 . 2009-10-22 20:09 72520 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2009-10-22 20:08 . 2009-10-22 20:08 52552 ----a-w- c:\windows\system32\ftserui2.dll
2009-10-21 05:38 . 2008-04-25 16:16 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-25 16:16 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-25 16:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-04-29 18:28 . 2009-04-29 18:26 2172080 -c--a-w- c:\program files\ptreplicator-setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-17 23:54 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATT-SST_McciTrayApp]
2008-09-19 01:11 1529856 ----a-w- c:\program files\ATT-SST\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 09:42 110592 -c--a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-01-19 04:11 170520 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-01-19 04:11 150040 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 21:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-05-23 19:06 128296 -c----w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-01-19 04:11 141848 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-07-16 03:40 1044480 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-16 03:26 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-12-27 15:38 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"MSConfig"=c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9581:TCP"= 9581:TCP:Services
"7471:TCP"= 7471:TCP:Services

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/6/2009 12:17 AM 130936]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [4/15/2009 11:58 PM 24064]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 74480]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 3:47 AM 98304]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2009 1:43 PM 108289]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 2:40 AM 118784]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [4/15/2009 11:58 PM 176640]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-10-04 19:31]

2009-10-07 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-10-04 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL =
mStart Page = hxxp://www.google.com
uSearchAssistant =
Trusted Zone: rexplorer.net
Trusted Zone: rexplorer.net\cmls
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
MSConfigStartUp-Antivirus Pro 2010 - c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
MSConfigStartUp-braviax - braviax.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe
MSConfigStartUp-Monopod - c:\docume~1\ROBERT~1\LOCALS~1\Temp\a.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-Protection System - c:\program files\Protection System\psystem.exe
MSConfigStartUp-ribekafir - c:\windows\system32\popiwoba.dll
MSConfigStartUp-Windows System Recover! - c:\docume~1\ROBERT~1\LOCALS~1\Temp\winlogon.exe
MSConfigStartUp-winupdate - c:\windows\system32\winupdate.exe
MSConfigStartUp-wujayefana - c:\windows\system32\nurofoyi.dll
AddRemove-ATTToolbar - c:\program files\ATTToolbar\uninstall.exe
AddRemove-Spyware Doctor - c:\program files\Spyware Doctor\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 20:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(4024)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-10 20:39:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-11 01:39
ComboFix2.txt 2009-09-15 15:35

Pre-Run: 298,991,767,552 bytes free
Post-Run: 299,007,717,376 bytes free

- - End Of File - - B924E9559F8F059E94CBB8247DE1E770

#10 myrti (Malware Study Hall Admin)

Posted 10 January 2010 - 09:00 PM

Hi,


that does look better. How is your PC doing?

please run another scan with mbr:
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
regards myrti



#11 saltydogs (Topic Starter)

Posted 10 January 2010 - 09:05 PM

Thanks for the help. The PC seems to be running fine. I never know when it will freeze up, that happens at various times. I will post here if it hangs again.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x02542E2B0
malicious code @ sector 0x02542E2B3 !
PE file found in sector at 0x02542E2C9 !

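The two mbr.exe logs in this thread differ in one important way: the first run (post #7) reports active kernel hooks (\Driver\atapi and the NDIS SendCompleteHandler) in addition to the hidden sectors, while the run above reports only the hidden sectors, with the user-mode and kernel-mode MBR reads agreeing. As an added example, not from the thread and not GMER's code, the Python below parses mbr.exe output in that format and separates the three states a helper cares about: hooks still active, residue in sectors only, or clean. The two sample logs are constructed copies in the shape of the quoted runs, and parse_mbr_log, assess and compare_runs are my names.

```python
import re

# Constructed sample logs shaped like the two mbr.exe runs quoted in this
# thread (the first with -f, the second with -t); not the original files.
MBR_LOG_BEFORE = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\atapi -> 0x8a78e498
NDIS: Broadcom NetLink (TM) Gigabit Ethernet -> SendCompleteHandler -> 0x8aa121a0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x02542E2B0
malicious code @ sector 0x02542E2B3 !
PE file found in sector at 0x02542E2C9 !
Use "Recovery Console" command "fixmbr" to clear infection !
"""

MBR_LOG_AFTER = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x02542E2B0
malicious code @ sector 0x02542E2B3 !
PE file found in sector at 0x02542E2C9 !
"""

# "<hooked object> -> 0x<address>" lines that follow "detected MBR rootkit hooks:"
HOOK_LINE = re.compile(r"^(?P<target>.+?)\s+->\s+(?P<addr>0x[0-9a-fA-F]+)\s*$")
# The three sector findings mbr.exe prints, each ending in a hex sector number.
SECTOR_LINE = re.compile(
    r"^(?P<what>copy of MBR has been found|malicious code|PE file found)\b.*?(?P<sector>0x[0-9A-Fa-f]+)"
)


def parse_mbr_log(text):
    """Extract hooks, sector findings and the MBR-consistency verdict from one run."""
    result = {"hooks": [], "sectors": {}, "mbr_ok": False, "warning": False}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("detected MBR rootkit hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_LINE.match(line)
            if m:
                result["hooks"].append((m.group("target"), int(m.group("addr"), 16)))
                continue
            in_hooks = False  # first non-hook line closes the list
        if line.startswith("Warning:"):
            result["warning"] = True
        elif line == "user & kernel MBR OK":
            result["mbr_ok"] = True
        else:
            m = SECTOR_LINE.match(line)
            if m:
                result["sectors"][m.group("what")] = int(m.group("sector"), 16)
    return result


def assess(parsed):
    """Map one parsed run onto the states seen in this thread."""
    if parsed["hooks"] or not parsed["mbr_ok"]:
        return "active"   # kernel hooks present or the MBR reads disagree: rootkit live
    if parsed["sectors"]:
        return "residue"  # MBR reads clean, but rootkit data still sits in hidden sectors
    return "clean"


def compare_runs(before, after):
    """What a second run shows relative to the first."""
    return {
        "hooks_cleared": [h for h in before["hooks"] if h not in after["hooks"]],
        "hooks_remaining": list(after["hooks"]),
        "sectors_remaining": dict(after["sectors"]),
    }


def sector_byte_offset(sector, sector_size=512):
    """Byte offset of a sector, for checking a finding with a raw disk read (512-byte sectors assumed)."""
    return sector * sector_size


if __name__ == "__main__":
    b, a = parse_mbr_log(MBR_LOG_BEFORE), parse_mbr_log(MBR_LOG_AFTER)
    print("first run:", assess(b), "second run:", assess(a))
    print(compare_runs(b, a))
```

The "residue" state is exactly what the second run shows: the hooks that intercepted disk reads are gone, so the MBR is read consistently, but the rootkit's copied MBR and PE payload still occupy the sectors listed, which is why the helper continues with more steps rather than declaring the machine clean.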
#12 myrti (Malware Study Hall Admin)

Posted 10 January 2010 - 09:26 PM

Hi,

it seems we got most of the infection removed. Please let me know if the PC freezes again.
There are a couple of things left that I would like to remove with the following script:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\HelpAssistant
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"= -
"2479:TCP"=-
"3389:TCP"=-
"9581:TCP"= -
"7471:TCP"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

Edited by myrti, 10 January 2010 - 09:26 PM.


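Added example, not from the thread and not ComboFix's code: the GloballyOpenPorts list in the ComboFix log above is what the CFScript in post #12 targets, and the entries are the kind a practitioner should treat as hostile until proven otherwise (high, arbitrary TCP ports, each carrying the generic label "Services"). The Python below parses the REGEDIT4-style "Reg Loading Points" section, flags open-port exceptions that are not on an allow list, and emits the Registry:: stanza in the form the helper used, where "name"=- deletes a value. COMBOFIX_EXCERPT is a constructed excerpt in the shape of the log, the allow list is the analyst's choice, and parse_reg_sections, suspicious_open_ports and cfscript_for are my names.

```python
import re

# Constructed excerpt in the shape of ComboFix's "Reg Loading Points" section.
# ComboFix abbreviates HKLM\SYSTEM\CurrentControlSet as HKLM\~ and accepts the
# same abbreviation in CFScript, as the helper's script in this thread shows.
COMBOFIX_EXCERPT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7471:TCP"= 7471:TCP:Services

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"""

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
PORT_NAME = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP)$", re.IGNORECASE)


def parse_reg_sections(text):
    """Return {key: {value_name: data}} for a REGEDIT4-style listing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_LINE.match(line)
        if km:
            current = km.group("key")
            sections[current] = {}
            continue
        vm = VALUE_LINE.match(line)
        if vm and current is not None:
            sections[current][vm.group("name")] = vm.group("data").strip()
    return sections


def suspicious_open_ports(sections, allowed=frozenset()):
    """Open-port firewall exceptions not on the allow list, with a reason each.

    XP stores each exception as "<port>:<proto>:<scope>:<state>:<label>"; the
    ComboFix listing keeps port, protocol and label, which is enough here.
    """
    findings = []
    for key, values in sections.items():
        if not key.lower().endswith("\\globallyopenports\\list"):
            continue
        for name, data in values.items():
            pm = PORT_NAME.match(name)
            if not pm:
                continue
            port = int(pm.group("port"))
            if port in allowed:
                continue
            label = data.split(":")[-1] if data else ""
            reason = "generic-label" if label.lower() == "services" else "not-allowed"
            findings.append({"key": key, "name": name, "port": port, "label": label, "reason": reason})
    return findings


def cfscript_for(findings):
    """Emit a CFScript Registry:: stanza deleting each flagged value ("name"=-)."""
    lines = ["Registry::"]
    for key in sorted({f["key"] for f in findings}):
        lines.append(f"[{key}]")
        for f in sorted((f for f in findings if f["key"] == key), key=lambda f: f["name"]):
            lines.append(f'"{f["name"]}"=-')
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    secs = parse_reg_sections(COMBOFIX_EXCERPT)
    flagged = suspicious_open_ports(secs, allowed={3389})
    for f in flagged:
        print(f'{f["name"]:<12} {f["label"]:<16} {f["reason"]}')
    print(cfscript_for(flagged))
```

In the thread the helper removed 3389 along with the others; whether Remote Desktop is legitimately in use on a given machine is a judgement call, which is why the allow list is a parameter rather than a constant.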

#13 saltydogs (Topic Starter)

Posted 10 January 2010 - 09:49 PM

ComboFix 10-01-04.01 - Robert Hoagland 01/10/2010 21:40:37.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3061.2653 [GMT -5:00]
Running from: c:\documents and settings\Robert Hoagland\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert Hoagland\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-12-11 to 2010-01-11 )))))))))))))))))))))))))))))))
.

2009-12-28 05:58 . 2009-12-28 05:58 -------- d-----w- c:\documents and settings\HelpAssistant\DoctorWeb
2009-12-28 03:03 . 2009-12-28 03:03 -------- d-----w- c:\documents and settings\Robert Hoagland\DoctorWeb
2009-12-28 02:57 . 2009-12-28 03:17 -------- d-----w- c:\program files\DrWeb
2009-12-28 02:57 . 2009-12-28 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Doctor Web
2009-12-27 05:56 . 2009-12-27 05:56 52224 ----a-w- c:\documents and settings\Robert Hoagland\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-26 23:17 . 2009-12-26 23:17 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-12-26 23:17 . 2009-12-26 23:17 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-26 23:16 . 2009-12-27 02:36 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-26 23:16 . 2009-12-26 23:16 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-11 02:39 . 2009-09-05 20:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-08 14:13 . 2009-09-17 23:36 -------- d-----w- c:\program files\SpywareBlaster
2010-01-08 14:05 . 2009-06-08 13:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 13:55 . 2009-06-24 12:59 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 21:07 . 2009-06-08 13:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-06-08 13:02 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 23:10 . 2009-04-16 02:16 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-04 23:10 . 2009-04-16 02:16 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-04 23:09 . 2009-11-14 04:45 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\Move Networks
2009-12-27 16:27 . 2009-09-23 16:17 -------- d-----w- c:\program files\CleanUp!
2009-12-27 15:38 . 2009-04-23 19:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-27 05:56 . 2009-04-23 19:30 117760 -c--a-w- c:\documents and settings\Robert Hoagland\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-23 21:21 . 2009-11-18 17:54 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\vlc
2009-12-08 03:46 . 2009-04-23 18:43 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-19 13:54 . 2009-09-15 02:35 -------- d-----w- c:\program files\ATT-SST
2009-11-18 17:53 . 2009-11-18 17:53 -------- d-----w- c:\program files\VideoLAN
2009-11-15 18:07 . 2009-11-15 18:07 -------- d-----w- c:\program files\Dell
2009-11-15 18:01 . 2009-11-15 18:01 -------- d-----w- c:\documents and settings\LocalService\Application Data\Softland
2009-11-15 17:27 . 2009-04-29 21:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-15 04:24 . 2009-11-15 04:24 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\ppStream
2009-11-14 16:40 . 2009-11-14 16:40 -------- d-----w- c:\documents and settings\Robert Hoagland\Application Data\PPMate
2009-11-14 16:40 . 2009-11-14 16:40 -------- d-----w- c:\program files\Common Files\Synacast
2009-10-29 07:45 . 2008-04-25 16:16 916480 ------w- c:\windows\system32\wininet.dll
2009-10-25 15:11 . 2009-10-25 15:10 5519752 ----a-w- c:\documents and settings\Robert Hoagland\Application Data\TVU Networks\TVU AutoUpgrade\TVUPlayer2.4.7.2.exe
2009-10-22 20:17 . 2009-10-22 20:17 206144 ----a-w- c:\windows\system32\ftd2xx.dll
2009-10-22 20:17 . 2009-10-22 20:17 120136 ----a-w- c:\windows\system32\ftbusui.dll
2009-10-22 20:16 . 2009-10-22 20:16 197952 ----a-w- c:\windows\system32\FTLang.dll
2009-10-22 20:11 . 2009-10-22 20:11 57800 ----a-w- c:\windows\system32\drivers\ftdibus.sys
2009-10-22 20:09 . 2009-10-22 20:09 72520 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2009-10-22 20:08 . 2009-10-22 20:08 52552 ----a-w- c:\windows\system32\ftserui2.dll
2009-10-21 05:38 . 2008-04-25 16:16 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2008-04-25 16:16 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2008-04-14 00:23 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2008-04-25 16:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-04-29 18:28 . 2009-04-29 18:26 2172080 -c--a-w- c:\program files\ptreplicator-setup.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-11_01.37.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-11 02:31 . 2010-01-11 02:31 16384 c:\windows\temp\Perflib_Perfdata_7d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-17 23:54 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATT-SST_McciTrayApp]
2008-09-19 01:11 1529856 ----a-w- c:\program files\ATT-SST\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 09:42 110592 -c--a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-01-19 04:11 170520 -c--a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-01-19 04:11 150040 -c--a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-01-07 21:07 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-05-23 19:06 128296 -c----w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-01-19 04:11 141848 -c--a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2008-07-16 03:40 1044480 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-16 03:26 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-12-27 15:38 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/6/2009 12:17 AM 130936]
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [4/15/2009 11:58 PM 24064]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [3/23/2009 1:07 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [3/23/2009 1:07 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/23/2009 1:43 PM 108289]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [4/15/2009 11:58 PM 176640]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 3:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 2:40 AM 118784]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [3/23/2009 1:07 PM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe --> c:\program files\Spyware Doctor\pctsAuxs.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-10-04 19:31]

2009-10-07 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-10-04 19:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL =
mStart Page = hxxp://www.google.com
uSearchAssistant =
Trusted Zone: rexplorer.net
Trusted Zone: rexplorer.net\cmls
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-10 21:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1752)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-10 21:44:25
ComboFix-quarantined-files.txt 2010-01-11 02:44
ComboFix2.txt 2009-09-15 15:35

Pre-Run: 299,016,126,464 bytes free
Post-Run: 298,974,244,864 bytes free

- - End Of File - - E644B12FCFA2F9468F5D686423EE7BFD

#14 myrti

myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:10:44 PM

Posted 11 January 2010 - 08:43 AM

Hi,

I doubt that the infection is really gone.
  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:
    net user HelpAssistant /delete
  • a line will appear. Please copy and post the content in your next reply.
  • Please also type the following into that window and hit enter:
    dir "C:\documents and settings" >"%temp%\tmp.log" && "%temp%\tmp.log"
  • a log file should open. Please post the content in your next reply as well.
If you do not have the run-command in your Start menu:
Please right click on your taskbar, select Properties, select the Start Menu tab, click on Customize and tick the Display Run checkbox and click OK.


Please also run a scan with rootrepeal:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click the RootRepeal icon on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.
Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

#15 saltydogs

saltydogs
  • Topic Starter
  • Members
  • 74 posts
  • Local time:03:44 PM

Posted 11 January 2010 - 09:23 AM

Volume in drive C is OS
Volume Serial Number is 00FF-606E

Directory of C:\documents and settings

12/26/2009 06:15 PM <DIR> .
12/26/2009 06:15 PM <DIR> ..
09/16/2009 03:03 PM <DIR> Administrator
04/23/2009 01:33 PM <DIR> All Users
01/07/2010 04:05 PM <DIR> HelpAssistant
01/10/2010 09:02 PM <DIR> Robert Hoagland
0 File(s) 0 bytes
6 Dir(s) 298,986,016,768 bytes free




ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/11 09:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\DOCUME~1\ROBERT~1\LOCALS~1\Temp\catchme.sys
Address: 0xBA448000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA898B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5DC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA5D8000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA86A3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\robert hoagland\privacie\index.dat
Status: Allocation size mismatch (API: 61440, Raw: 40960)

Path: c:\documents and settings\robert hoagland\local settings\temp\~df7b73.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xb9ece514

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ebd282

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xb9ebd474

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7e361c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xb9eced00

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecefb8

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7e363a

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecd3fa

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba7e3608

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7e360d

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xb9ecf422

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7e3644

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7e363f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xb9ece7d8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xb9ebcf32

==EOF==


