
Possible Rootkit and Trojan


  • This topic is locked
11 replies to this topic

#1 AJB27

  • Members
  • 6 posts

Posted 01 July 2010 - 12:55 PM

Thanks for taking the time to read my post. I just got back a desktop I loaned to a friend for a few years, and apparently it has picked up some malware. The SUPERAntiSpyware scan picked up a rootkit and a trojan (GEN something). When attempting to remove them with SAS, my ethernet controller was disabled. I just ran GMER and DDS and have the logs. After GMER, my computer crashed, and now my ethernet card is working correctly. Any help would be greatly appreciated! Logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Burke at 11:51:09.95 on Thu 07/01/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.717 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Burke\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://aimtoday.aol.com/segmentation/welcome.adp?version=puccini&build=3797&service=AIM
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{7432B540-DE19-3CC2-4C97-A07DDD9B24D2}] "c:\documents and settings\burke\application data\xyehuz\amar.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Uqadosafu] rundll32.exe "c:\windows\azopowije.dll",Startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg311t\wlancfg5.exe
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: {9DAF0152-8261-4F8C-990A-750FC9EDFC73} = 208.67.222.222,208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\burke\applic~1\mozilla\firefox\profiles\xapav8a7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\burke\application data\mozilla\firefox\profiles\xapav8a7.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - HiddenExtension: XULRunner: {C6CD00A9-1FFA-4D55-A5BC-8A0A715CA019} - c:\documents and settings\burke\local settings\application data\{C6CD00A9-1FFA-4D55-A5BC-8A0A715CA019}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-10 24652]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2005-11-29 16194]
S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\drivers\wg311tn5.sys --> c:\windows\system32\drivers\wg311tn5.sys [?]
S3 sk98xwin;NDIS5 Miniport Driver for SysKonnect SK-98xx Gigabit Ethernet Server Adapter (SK-NET GE);c:\windows\system32\drivers\sk98xwin.SYS [2008-6-30 94698]
S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver;c:\windows\system32\drivers\SkFpWin.SYS [2010-7-1 91294]

=============== Created Last 30 ================

2010-07-01 16:40:41 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-07-01 16:40:41 91294 ----a-w- c:\windows\system32\drivers\SkFpWin.SYS
2010-07-01 16:31:48 0 d-----w- C:\Marvell
2010-07-01 16:30:55 5843 ----a-w- C:\README.htm
2010-07-01 16:30:55 0 d-----w- C:\Readmes
2010-07-01 15:55:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 15:55:06 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 21:30:55 0 d-----w- C:\gmer
2010-06-30 21:14:18 2395131 ----a-w- C:\MGtools.exe
2010-06-30 21:14:12 464491 ----a-w- C:\RootRepeal.zip
2010-06-30 20:54:12 0 d-----w- c:\docume~1\burke\applic~1\SUPERAntiSpyware.com
2010-06-30 20:54:12 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-30 20:54:08 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-30 14:37:50 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-30 14:31:42 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-30 14:27:21 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-30 14:24:22 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-06-30 14:24:21 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2010-06-30 14:24:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-06-30 14:24:20 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-06-30 14:24:19 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-06-30 14:24:19 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-06-30 14:24:19 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-06-30 14:24:19 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-06-30 14:24:19 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-06-30 14:13:48 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-30 14:06:02 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-06-30 13:56:52 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-30 05:43:37 0 d-----w- c:\docume~1\alluse~1\applic~1\id Software
2010-06-17 00:43:05 0 ----a-w- c:\windows\Xbafunitobabuyu.bin
2010-06-17 00:43:04 120 ----a-w- c:\windows\Tpowahiga.dat

==================== Find3M ====================

2010-06-30 20:14:25 139336 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-30 20:14:12 214720 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-30 05:43:38 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2006-04-25 22:30:40 469824 ----a-w- c:\windows\inf\wg311t\WG311T13.sys
2006-04-25 22:30:38 35232 ----a-w- c:\windows\inf\wg311t\ME_INST.EXE
2006-04-25 22:30:38 26112 ----a-w- c:\windows\inf\wg311t\install.exe

============= FINISH: 11:52:13.64 ===============





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-01 12:47:04
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Burke\LOCALS~1\Temp\fxddapoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xECC21620]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF57AE380, 0x2FF527, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00B646FC
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00B648C5
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 00B6496C
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00B793EF
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00B79367
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00B79C40
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00B793AB
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00B77C36
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00B77C90
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00B77B92
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00B71D9D
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00B71E41
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 00B71A67
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 00B7924F
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 00B792C2
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00B77A50
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 00B77A19
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 00B71CC5
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 00B77CC0
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 00B71AB2
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 00B77ADE
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 00B77B3D
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 00B79434
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 00B79307
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 00B71D13
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 00B71DEF
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 00B71E98
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 00B71AFD
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 00B719EF
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 00B71A44
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 00B77C63
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 00B794CC
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 00B71B93
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 00B71C2F
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00B79DB2
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 00B71B48
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 00B71BE1
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 00B71C7A
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 00B77A9C
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00B7ACB3
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 00B7ADBF
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 00B7ACFB
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00B7AD8E
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00B7AB18
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 00B7AB71
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00B7AABF
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 00B7AD3F
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 00B7AC12
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WS2_32.dll!send 71AB428A 5 Bytes JMP 00B6FB73
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00B6FB99
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00B6FB36
.text C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe[120] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00B72112
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 012C46FC
.text C:\WINDOWS\Explorer.EXE[248] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 012C48C5
.text C:\WINDOWS\Explorer.EXE[248] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 012C496C
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 012D93EF
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 012D9367
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 012D9C40
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 012D93AB
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 012D7C36
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 012D7C90
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 012D7B92
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 012D1D9D
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 012D1E41
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 012D1A67
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 012D924F
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 012D92C2
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 012D7A50
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 012D7A19
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 012D1CC5
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 012D7CC0
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 012D1AB2
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 012D7ADE
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 012D7B3D
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 012D9434
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 012D9307
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 012D1D13
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 012D1DEF
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 012D1E98
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 012D1AFD
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 012D19EF
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 012D1A44
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 012D7C63
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 012D94CC
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 012D1B93
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 012D1C2F
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 012D9DB2
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 012D1B48
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 012D1BE1
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 012D1C7A
.text C:\WINDOWS\Explorer.EXE[248] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 012D7A9C
.text C:\WINDOWS\Explorer.EXE[248] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 012D2112
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 012DACB3
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 012DADBF
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 012DACFB
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 012DAD8E
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 012DAB18
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 012DAB71
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 012DAABF
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 012DAD3F
.text C:\WINDOWS\Explorer.EXE[248] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 012DAC12
.text C:\WINDOWS\Explorer.EXE[248] WS2_32.dll!send 71AB428A 5 Bytes JMP 012CFB73
.text C:\WINDOWS\Explorer.EXE[248] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 012CFB99
.text C:\WINDOWS\Explorer.EXE[248] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 012CFB36
.text C:\WINDOWS\system32\ctfmon.exe[788] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00A746FC
.text C:\WINDOWS\system32\ctfmon.exe[788] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A748C5
.text C:\WINDOWS\system32\ctfmon.exe[788] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 00A7496C
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00A893EF
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00A89367
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00A89C40
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00A893AB
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00A87C36
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00A87C90
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00A87B92
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00A81D9D
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00A81E41
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 00A81A67
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 00A8924F
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 00A892C2
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00A87A50
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 00A87A19
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 00A81CC5
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 00A87CC0
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 00A81AB2
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 00A87ADE
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 00A87B3D
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 00A89434
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 00A89307
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 00A81D13
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 00A81DEF
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 00A81E98
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 00A81AFD
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 00A819EF
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 00A81A44
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 00A87C63
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 00A894CC
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 00A81B93
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 00A81C2F
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00A89DB2
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 00A81B48
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 00A81BE1
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 00A81C7A
.text C:\WINDOWS\system32\ctfmon.exe[788] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 00A87A9C
.text C:\WINDOWS\system32\ctfmon.exe[788] WS2_32.dll!send 71AB428A 5 Bytes JMP 00A7FB73
.text C:\WINDOWS\system32\ctfmon.exe[788] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00A7FB99
.text C:\WINDOWS\system32\ctfmon.exe[788] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00A7FB36
.text C:\WINDOWS\system32\ctfmon.exe[788] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00A82112
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00A8ACB3
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 00A8ADBF
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 00A8ACFB
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00A8AD8E
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00A8AB18
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 00A8AB71
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00A8AABF
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 00A8AD3F
.text C:\WINDOWS\system32\ctfmon.exe[788] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 00A8AC12
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 062946FC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 062948C5
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0629496C
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 062A93EF
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 062A9367
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 062A9C40
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 062A93AB
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 062A7C36
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 062A7C90
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 062A7B92
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 062A1D9D
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 062A1E41
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 062A1A67
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 062A924F
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 062A92C2
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 062A7A50
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 062A7A19
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 062A1CC5
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 062A7CC0
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 062A1AB2
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 062A7ADE
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 062A7B3D
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 062A9434
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 062A9307
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 062A1D13
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 062A1DEF
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 062A1E98
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 062A1AFD
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 062A19EF
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 062A1A44
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 062A7C63
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 062A94CC
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 062A1B93
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 062A1C2F
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 062A9DB2
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 062A1B48
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 062A1BE1
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 062A1C7A
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 062A7A9C
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WS2_32.dll!send 71AB428A 5 Bytes JMP 0629FB73
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0629FB99
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0629FB36
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 062AACB3
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 062AADBF
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 062AACFB
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 062AAD8E
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 062AAB18
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 062AAB71
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 062AAABF
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 062AAD3F
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 062AAC12
.text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[812] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 062A2112
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 011646FC
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 011648C5
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0116496C
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WS2_32.dll!send 71AB428A 5 Bytes JMP 0116FB73
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0116FB99
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0116FB36
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 011793EF
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 01179367
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 01179C40
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 011793AB
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 01177C36
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 01177C90
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 01177B92
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 01171D9D
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 01171E41
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 01171A67
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 0117924F
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 011792C2
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 01177A50
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 01177A19
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 01171CC5
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 01177CC0
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 01171AB2
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 01177ADE
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 01177B3D
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 01179434
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 01179307
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 01171D13
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 01171DEF
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 01171E98
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 01171AFD
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 011719EF
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 01171A44
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 01177C63
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 011794CC
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 01171B93
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 01171C2F
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 01179DB2
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 01171B48
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 01171BE1
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 01171C7A
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 01177A9C
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01172112
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 0117ACB3
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0117ADBF
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0117ACFB
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 0117AD8E
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 0117AB18
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 0117AB71
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 0117AABF
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 0117AD3F
.text C:\Program Files\NETGEAR\WG311T\wlancfg5.exe[936] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 0117AC12
.text C:\WINDOWS\system32\wscntfy.exe[2044] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 008046FC
.text C:\WINDOWS\system32\wscntfy.exe[2044] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 008048C5
.text C:\WINDOWS\system32\wscntfy.exe[2044] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0080496C
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 008193EF
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00819367
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00819C40
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 008193AB
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00817C36
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00817C90
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00817B92
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00811D9D
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00811E41
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 00811A67
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 0081924F
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 008192C2
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00817A50
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 00817A19
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 00811CC5
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 00817CC0
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 00811AB2
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 00817ADE
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 00817B3D
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 00819434
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 00819307
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 00811D13
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 00811DEF
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 00811E98
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 00811AFD
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 008119EF
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 00811A44
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 00817C63
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 008194CC
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 00811B93
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 00811C2F
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00819DB2
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 00811B48
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 00811BE1
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 00811C7A
.text C:\WINDOWS\system32\wscntfy.exe[2044] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 00817A9C
.text C:\WINDOWS\system32\wscntfy.exe[2044] WS2_32.dll!send 71AB428A 5 Bytes JMP 0080FB73
.text C:\WINDOWS\system32\wscntfy.exe[2044] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0080FB99
.text C:\WINDOWS\system32\wscntfy.exe[2044] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0080FB36
.text C:\WINDOWS\system32\wscntfy.exe[2044] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00812112
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 0081ACB3
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0081ADBF
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0081ACFB
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 0081AD8E
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 0081AB18
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 0081AB71
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 0081AABF
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 0081AD3F
.text C:\WINDOWS\system32\wscntfy.exe[2044] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 0081AC12
.text C:\WINDOWS\system32\wuauclt.exe[2560] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 00B946FC
.text C:\WINDOWS\system32\wuauclt.exe[2560] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00B948C5
.text C:\WINDOWS\system32\wuauclt.exe[2560] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 00B9496C
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 00BA93EF
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00BA9367
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00BA9C40
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 00BA93AB
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00BA7C36
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00BA7C90
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00BA7B92
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00BA1D9D
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00BA1E41
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 00BA1A67
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 00BA924F
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 00BA92C2
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00BA7A50
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 00BA7A19
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 00BA1CC5
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 00BA7CC0
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 00BA1AB2
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 00BA7ADE
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 00BA7B3D
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 00BA9434
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 00BA9307
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 00BA1D13
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 00BA1DEF
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 00BA1E98
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 00BA1AFD
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 00BA19EF
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 00BA1A44
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 00BA7C63
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 00BA94CC
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 00BA1B93
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 00BA1C2F
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00BA9DB2
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 00BA1B48
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 00BA1BE1
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 00BA1C7A
.text C:\WINDOWS\system32\wuauclt.exe[2560] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 00BA7A9C
.text C:\WINDOWS\system32\wuauclt.exe[2560] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00BA2112
.text C:\WINDOWS\system32\wuauclt.exe[2560] WS2_32.dll!send 71AB428A 5 Bytes JMP 00B9FB73
.text C:\WINDOWS\system32\wuauclt.exe[2560] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00B9FB99
.text C:\WINDOWS\system32\wuauclt.exe[2560] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00B9FB36
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 00BAACB3
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 00BAADBF
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 00BAACFB
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 00BAAD8E
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 00BAAB18
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 00BAAB71
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 00BAAABF
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 00BAAD3F
.text C:\WINDOWS\system32\wuauclt.exe[2560] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 00BAAC12
.text C:\gmer\gmer.exe[2648] ntdll.dll!NtCreateThread 7C90D1AE 5 Bytes JMP 001346FC
.text C:\gmer\gmer.exe[2648] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 001348C5
.text C:\gmer\gmer.exe[2648] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 0013496C
.text C:\gmer\gmer.exe[2648] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 001493EF
.text C:\gmer\gmer.exe[2648] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 00149367
.text C:\gmer\gmer.exe[2648] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00149C40
.text C:\gmer\gmer.exe[2648] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 001493AB
.text C:\gmer\gmer.exe[2648] USER32.dll!GetMessageW 7E4191C6 5 Bytes JMP 00147C36
.text C:\gmer\gmer.exe[2648] USER32.dll!PeekMessageW 7E41929B 5 Bytes JMP 00147C90
.text C:\gmer\gmer.exe[2648] USER32.dll!GetCapture 7E4194DA 5 Bytes JMP 00147B92
.text C:\gmer\gmer.exe[2648] USER32.dll!RegisterClassW 7E41A39A 5 Bytes JMP 00141D9D
.text C:\gmer\gmer.exe[2648] USER32.dll!RegisterClassExW 7E41AF7F 5 Bytes JMP 00141E41
.text C:\gmer\gmer.exe[2648] USER32.dll!DefWindowProcW 7E41B33C 5 Bytes JMP 00141A67
.text C:\gmer\gmer.exe[2648] USER32.dll!BeginPaint 7E41B609 5 Bytes JMP 0014924F
.text C:\gmer\gmer.exe[2648] USER32.dll!EndPaint 7E41B61D 5 Bytes JMP 001492C2
.text C:\gmer\gmer.exe[2648] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00147A50
.text C:\gmer\gmer.exe[2648] USER32.dll!GetMessagePos 7E41BF94 5 Bytes JMP 00147A19
.text C:\gmer\gmer.exe[2648] USER32.dll!CallWindowProcW 7E41C64A 5 Bytes JMP 00141CC5
.text C:\gmer\gmer.exe[2648] USER32.dll!PeekMessageA 7E41C96C 5 Bytes JMP 00147CC0
.text C:\gmer\gmer.exe[2648] USER32.dll!DefWindowProcA 7E41D4EE 5 Bytes JMP 00141AB2
.text C:\gmer\gmer.exe[2648] USER32.dll!SetCapture 7E41D6CE 5 Bytes JMP 00147ADE
.text C:\gmer\gmer.exe[2648] USER32.dll!ReleaseCapture 7E41D6EA 5 Bytes JMP 00147B3D
.text C:\gmer\gmer.exe[2648] USER32.dll!GetUpdateRect 7E41D6F7 5 Bytes JMP 00149434
.text C:\gmer\gmer.exe[2648] USER32.dll!GetDCEx 7E41E875 5 Bytes JMP 00149307
.text C:\gmer\gmer.exe[2648] USER32.dll!CallWindowProcA 7E41F642 5 Bytes JMP 00141D13
.text C:\gmer\gmer.exe[2648] USER32.dll!RegisterClassA 7E420A36 5 Bytes JMP 00141DEF
.text C:\gmer\gmer.exe[2648] USER32.dll!RegisterClassExA 7E422DA0 5 Bytes JMP 00141E98
.text C:\gmer\gmer.exe[2648] USER32.dll!DefDlgProcW 7E42379A 5 Bytes JMP 00141AFD
.text C:\gmer\gmer.exe[2648] USER32.dll!OpenInputDesktop 7E427C7A 5 Bytes JMP 001419EF
.text C:\gmer\gmer.exe[2648] USER32.dll!SwitchDesktop 7E429496 5 Bytes JMP 00141A44
.text C:\gmer\gmer.exe[2648] USER32.dll!GetMessageA 7E42E002 5 Bytes JMP 00147C63
.text C:\gmer\gmer.exe[2648] USER32.dll!GetUpdateRgn 7E42F5AC 5 Bytes JMP 001494CC
.text C:\gmer\gmer.exe[2648] USER32.dll!DefFrameProcW 7E4307F3 5 Bytes JMP 00141B93
.text C:\gmer\gmer.exe[2648] USER32.dll!DefMDIChildProcW 7E430A07 5 Bytes JMP 00141C2F
.text C:\gmer\gmer.exe[2648] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00149DB2
.text C:\gmer\gmer.exe[2648] USER32.dll!DefDlgProcA 7E43E53F 5 Bytes JMP 00141B48
.text C:\gmer\gmer.exe[2648] USER32.dll!DefFrameProcA 7E44F705 5 Bytes JMP 00141BE1
.text C:\gmer\gmer.exe[2648] USER32.dll!DefMDIChildProcA 7E44F754 5 Bytes JMP 00141C7A
.text C:\gmer\gmer.exe[2648] USER32.dll!SetCursorPos 7E455F53 5 Bytes JMP 00147A9C
.text C:\gmer\gmer.exe[2648] WS2_32.dll!send 71AB428A 5 Bytes JMP 0013FB73
.text C:\gmer\gmer.exe[2648] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 0013FB99
.text C:\gmer\gmer.exe[2648] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0013FB36
.text C:\gmer\gmer.exe[2648] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00142112
.text C:\gmer\gmer.exe[2648] WININET.dll!InternetCloseHandle 3D944261 5 Bytes JMP 0014ACB3
.text C:\gmer\gmer.exe[2648] WININET.dll!HttpQueryInfoA 3D947425 5 Bytes JMP 0014ADBF
.text C:\gmer\gmer.exe[2648] WININET.dll!InternetReadFile 3D9513D4 5 Bytes JMP 0014ACFB
.text C:\gmer\gmer.exe[2648] WININET.dll!InternetQueryDataAvailable 3D951615 5 Bytes JMP 0014AD8E
.text C:\gmer\gmer.exe[2648] WININET.dll!HttpSendRequestA 3D953558 5 Bytes JMP 0014AB18
.text C:\gmer\gmer.exe[2648] WININET.dll!HttpSendRequestExW 3D958C49 5 Bytes JMP 0014AB71
.text C:\gmer\gmer.exe[2648] WININET.dll!HttpSendRequestW 3D95FDF9 5 Bytes JMP 0014AABF
.text C:\gmer\gmer.exe[2648] WININET.dll!InternetReadFileExA 3D963384 5 Bytes JMP 0014AD3F
.text C:\gmer\gmer.exe[2648] WININET.dll!HttpSendRequestExA 3D9AA92E 5 Bytes JMP 0014AC12

---- EOF - GMER 1.0.15 ----


Edited by AJB27, 01 July 2010 - 01:04 PM.




#2 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • OFFLINE
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:22 AM

Posted 05 July 2010 - 10:40 AM

Hi AJB27
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up.

I see you have P2P software (Vuze, Limewire, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file sharing as a major conduit to spread their wares and their infections. See here and here.

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall any P2P programs you have on your system.

Please do this.


Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double-click combofix.exe and follow the prompts.
  • Vista users: right-click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#3 AJB27

AJB27
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:22 AM

Posted 06 July 2010 - 10:28 AM

Vuze has been uninstalled as recommended. Thank you. Combofix ran and here is the log:

ComboFix 10-07-05.03 - Burke 07/06/2010 10:11:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.722 [GMT -5:00]
Running from: c:\documents and settings\Burke\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Burke\Application Data\Xyehuz
c:\documents and settings\Burke\Application Data\Xyehuz\amar.exe
c:\documents and settings\Burke\GRefs.dat
c:\documents and settings\Burke\Local Settings\Application Data\{C6CD00A9-1FFA-4D55-A5BC-8A0A715CA019}
c:\documents and settings\Burke\Local Settings\Application Data\{C6CD00A9-1FFA-4D55-A5BC-8A0A715CA019}\chrome.manifest
c:\documents and settings\Burke\Local Settings\Application Data\{C6CD00A9-1FFA-4D55-A5BC-8A0A715CA019}\chrome\content\_cfg.js
c:\documents and settings\Burke\Local Settings\Application Data\{C6CD00A9-1FFA-4D55-A5BC-8A0A715CA019}\chrome\content\overlay.xul
c:\documents and settings\Burke\Local Settings\Application Data\{C6CD00A9-1FFA-4D55-A5BC-8A0A715CA019}\install.rdf
c:\documents and settings\Burke\Loki.exe
c:\windows\azopowije.dll
c:\windows\jestertb.dll
c:\windows\system32\bszip.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-02 14:23 . 2010-07-02 14:23 -------- d-----w- C:\Downloads2
2010-07-01 16:40 . 2001-08-17 17:12 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-07-01 16:40 . 2001-08-17 17:12 91294 ----a-w- c:\windows\system32\drivers\SkFpWin.SYS
2010-07-01 16:31 . 2010-07-01 16:32 -------- d-----w- C:\Marvell
2010-07-01 16:30 . 2010-04-26 20:14 -------- d-----w- C:\Readmes
2010-07-01 15:55 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 15:55 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 21:30 . 2010-06-30 21:30 -------- d-----w- C:\gmer
2010-06-30 21:14 . 2010-06-30 21:14 2395131 ----a-w- C:\MGtools.exe
2010-06-30 21:14 . 2010-06-30 21:14 464491 ----a-w- C:\RootRepeal.zip
2010-06-30 20:54 . 2010-06-30 20:54 63488 ----a-w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-30 20:54 . 2010-06-30 20:54 52224 ----a-w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-30 20:54 . 2010-06-30 20:54 117760 ----a-w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-30 20:54 . 2010-06-30 20:54 -------- d-----w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com
2010-06-30 20:54 . 2010-06-30 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-30 20:54 . 2010-07-06 14:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-30 14:37 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-30 14:31 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-30 14:27 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-30 14:24 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-06-30 14:24 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2010-06-30 14:24 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-06-30 14:24 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-06-30 14:24 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-06-30 14:24 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-06-30 14:24 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-06-30 14:24 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-06-30 14:24 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-06-30 14:13 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-30 14:06 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-06-30 13:56 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-30 05:43 . 2010-06-30 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-06-17 00:43 . 2010-07-06 14:15 0 ----a-w- c:\windows\Xbafunitobabuyu.bin
2010-06-17 00:43 . 2010-07-06 14:15 120 ----a-w- c:\windows\Tpowahiga.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 15:17 . 2005-11-29 22:32 -------- d-----w- c:\program files\Viewpoint
2010-07-06 14:55 . 2005-11-29 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-02 18:26 . 2010-07-02 18:26 -------- d-----w- c:\program files\MSBuild
2010-07-02 18:26 . 2010-07-02 18:26 -------- d-----w- c:\program files\Reference Assemblies
2010-07-02 17:38 . 2009-04-15 03:42 371776 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2010-07-02 17:38 . 2009-04-15 03:42 187456 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2010-07-02 17:35 . 2007-08-23 12:16 139336 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-02 17:35 . 2007-08-23 12:16 214720 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-02 17:34 . 2009-04-15 03:41 57344 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\pb\pbag.dll
2010-07-02 17:34 . 2009-04-15 03:41 887448 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\pb\pbcl.dll
2010-07-02 17:34 . 2009-04-15 03:41 2436160 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2010-07-02 14:40 . 2009-08-21 18:44 -------- d-----w- c:\documents and settings\Burke\Application Data\Agyx
2010-07-01 15:55 . 2010-02-02 00:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 21:06 . 2005-12-01 18:50 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-30 20:48 . 2005-12-01 17:23 -------- d-----w- c:\program files\Java
2010-06-30 20:46 . 2005-11-29 22:32 -------- d-----w- c:\program files\AIM
2010-06-30 20:45 . 2008-09-08 18:36 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-06-30 20:45 . 2008-09-08 18:36 -------- d-----w- c:\program files\AVS4YOU
2010-06-30 05:43 . 2009-04-15 03:38 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-06-19 16:51 . 2010-02-21 22:27 -------- d-----w- c:\program files\Heroes of Newerth
2010-05-18 22:59 . 2010-05-08 22:13 -------- d-----w- c:\program files\Full Tilt Poker
2010-05-11 23:41 . 2010-05-11 23:30 -------- d-----w- c:\program files\PokerStars
2010-05-04 17:20 . 2005-06-18 05:49 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2003-03-31 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 18:10 . 2010-04-13 18:10 629824 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2010-04-13 18:03 . 2010-04-13 18:03 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-06 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Burke^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Burke\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Burke^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Burke\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-09-08 17:06 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
2003-05-27 09:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I2C1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:56 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2007-02-27 22:57 716456 ----a-w- c:\program files\Maxtor\ManagerApp\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-03-25 21:44 81920 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-29 05:43 8466432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-29 05:43 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-29 05:43 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-02 22:15 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-10-24 20:45 90112 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-24 04:47 1217872 ----a-w- c:\program files\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\id Software\\Quake 4\\quake4ded.exe"=
"c:\\Program Files\\id Software\\Quake 4\\quake4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeblooblip\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\id Software\\Quake 4 Echelon\\Quake 4 Echelon.exe"=
"c:\\Games\\Paintball2\\paintball2.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeblooblip\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [11/29/2005 5:11 PM 16194]
S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg311tn5.sys --> c:\windows\system32\DRIVERS\wg311tn5.sys [?]
S3 sk98xwin;NDIS5 Miniport Driver for SysKonnect SK-98xx Gigabit Ethernet Server Adapter (SK-NET GE);c:\windows\system32\drivers\sk98xwin.SYS [6/30/2008 4:11 PM 94698]
S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver;c:\windows\system32\drivers\SkFpWin.SYS [7/1/2010 11:40 AM 91294]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://aimtoday.aol.com/segmentation/welcome.adp?version=puccini&build=3797&service=AIM
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
TCP: {9DAF0152-8261-4F8C-990A-750FC9EDFC73} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Burke\Application Data\Mozilla\Firefox\Profiles\xapav8a7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Burke\Application Data\Mozilla\Firefox\Profiles\xapav8a7.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{7432B540-DE19-3CC2-4C97-A07DDD9B24D2} - c:\documents and settings\Burke\Application Data\Xyehuz\amar.exe
HKLM-Run-Uqadosafu - c:\windows\azopowije.dll
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 10:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-06 10:25:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 15:25

Pre-Run: 112,338,284,544 bytes free
Post-Run: 113,043,234,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 77CC10E02401181059A18B891B24BAAC


#4 maranatha


    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington
  • Local time:02:22 AM

Posted 06 July 2010 - 11:09 AM

Hi
Please do the following.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.

Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.
CODE
KillAll::
File::
c:\windows\Tpowahiga.dat
Folder::
c:\windows\Xbafunitobabuyu.bin


Please post the Combofix log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#5 AJB27

  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:22 AM

Posted 06 July 2010 - 11:46 AM

Second combofix ran. For some reason it disabled my ethernet somehow. On a restart, the ethernet controller is working just fine. Log:

ComboFix 10-07-05.03 - Burke 07/06/2010 11:31:14.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.723 [GMT -5:00]
Running from: c:\documents and settings\Burke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Burke\Desktop\CFScript.txt

FILE ::
"c:\windows\Tpowahiga.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tpowahiga.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-06 to 2010-07-06 )))))))))))))))))))))))))))))))
.

2010-07-02 14:23 . 2010-07-02 14:23 -------- d-----w- C:\Downloads2
2010-07-01 16:40 . 2001-08-17 17:12 91294 -c--a-w- c:\windows\system32\dllcache\skfpwin.sys
2010-07-01 16:40 . 2001-08-17 17:12 91294 ----a-w- c:\windows\system32\drivers\SkFpWin.SYS
2010-07-01 16:31 . 2010-07-01 16:32 -------- d-----w- C:\Marvell
2010-07-01 16:30 . 2010-04-26 20:14 -------- d-----w- C:\Readmes
2010-07-01 15:55 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-01 15:55 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 21:30 . 2010-06-30 21:30 -------- d-----w- C:\gmer
2010-06-30 21:14 . 2010-06-30 21:14 2395131 ----a-w- C:\MGtools.exe
2010-06-30 21:14 . 2010-06-30 21:14 464491 ----a-w- C:\RootRepeal.zip
2010-06-30 20:54 . 2010-06-30 20:54 63488 ----a-w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-30 20:54 . 2010-06-30 20:54 52224 ----a-w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-30 20:54 . 2010-06-30 20:54 117760 ----a-w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-30 20:54 . 2010-06-30 20:54 -------- d-----w- c:\documents and settings\Burke\Application Data\SUPERAntiSpyware.com
2010-06-30 20:54 . 2010-06-30 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-30 20:54 . 2010-07-06 14:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-30 14:37 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-06-30 14:31 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-06-30 14:27 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-06-30 14:24 . 2009-03-06 14:44 283648 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-06-30 14:24 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2010-06-30 14:24 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-06-30 14:24 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe
2010-06-30 14:24 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-06-30 14:24 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-06-30 14:24 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-06-30 14:24 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2010-06-30 14:24 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-06-30 14:13 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-06-30 14:06 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-06-30 13:56 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-30 05:43 . 2010-06-30 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-06-17 00:43 . 2010-07-06 14:15 0 ----a-w- c:\windows\Xbafunitobabuyu.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-06 15:17 . 2005-11-29 22:32 -------- d-----w- c:\program files\Viewpoint
2010-07-06 14:55 . 2005-11-29 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-02 18:26 . 2010-07-02 18:26 -------- d-----w- c:\program files\MSBuild
2010-07-02 18:26 . 2010-07-02 18:26 -------- d-----w- c:\program files\Reference Assemblies
2010-07-02 17:38 . 2009-04-15 03:42 371776 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2010-07-02 17:38 . 2009-04-15 03:42 187456 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2010-07-02 17:35 . 2007-08-23 12:16 139336 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-02 17:35 . 2007-08-23 12:16 214720 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-02 17:34 . 2009-04-15 03:41 57344 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\pb\pbag.dll
2010-07-02 17:34 . 2009-04-15 03:41 887448 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\pb\pbcl.dll
2010-07-02 17:34 . 2009-04-15 03:41 2436160 ----a-w- c:\documents and settings\Burke\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2010-07-02 14:40 . 2009-08-21 18:44 -------- d-----w- c:\documents and settings\Burke\Application Data\Agyx
2010-07-01 15:55 . 2010-02-02 00:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 21:06 . 2005-12-01 18:50 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-30 20:48 . 2005-12-01 17:23 -------- d-----w- c:\program files\Java
2010-06-30 20:46 . 2005-11-29 22:32 -------- d-----w- c:\program files\AIM
2010-06-30 20:45 . 2008-09-08 18:36 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-06-30 20:45 . 2008-09-08 18:36 -------- d-----w- c:\program files\AVS4YOU
2010-06-30 05:43 . 2009-04-15 03:38 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-06-19 16:51 . 2010-02-21 22:27 -------- d-----w- c:\program files\Heroes of Newerth
2010-05-18 22:59 . 2010-05-08 22:13 -------- d-----w- c:\program files\Full Tilt Poker
2010-05-11 23:41 . 2010-05-11 23:30 -------- d-----w- c:\program files\PokerStars
2010-05-04 17:20 . 2005-06-18 05:49 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2003-03-31 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2003-03-31 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2003-03-31 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 18:10 . 2010-04-13 18:10 629824 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2010-04-13 18:03 . 2010-04-13 18:03 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-06 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311T Smart Wizard.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2006-9-15 1503232]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Burke^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Burke\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Burke^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Burke\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-09-08 17:06 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]
2003-05-27 09:00 99840 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_S4I2C1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:56 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2005-10-18 17:58 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
2007-02-27 22:57 716456 ----a-w- c:\program files\Maxtor\ManagerApp\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-03-25 21:44 81920 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-29 05:43 8466432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-29 05:43 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-06-29 05:43 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-12-02 22:15 155648 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-10-24 20:45 90112 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-24 04:47 1217872 ----a-w- c:\program files\Valve\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 07:11 132496 ----a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\id Software\\Quake 4\\quake4ded.exe"=
"c:\\Program Files\\id Software\\Quake 4\\quake4.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeblooblip\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\id Software\\Quake 4 Echelon\\Quake 4 Echelon.exe"=
"c:\\Games\\Paintball2\\paintball2.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\bleeblooblip\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [11/29/2005 5:11 PM 16194]
S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg311tn5.sys --> c:\windows\system32\DRIVERS\wg311tn5.sys [?]
S3 sk98xwin;NDIS5 Miniport Driver for SysKonnect SK-98xx Gigabit Ethernet Server Adapter (SK-NET GE);c:\windows\system32\drivers\sk98xwin.SYS [6/30/2008 4:11 PM 94698]
S3 SkFpWin;SysKonnect FDDI PCI Adapter Driver;c:\windows\system32\drivers\SkFpWin.SYS [7/1/2010 11:40 AM 91294]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://aimtoday.aol.com/segmentation/welcome.adp?version=puccini&build=3797&service=AIM
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
TCP: {9DAF0152-8261-4F8C-990A-750FC9EDFC73} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Burke\Application Data\Mozilla\Firefox\Profiles\xapav8a7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\Burke\Application Data\Mozilla\Firefox\Profiles\xapav8a7.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-06 11:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
c:\program files\Maxtor\Utils\SyncServices.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-06 11:41:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-06 16:41
ComboFix2.txt 2010-07-06 15:25

Pre-Run: 112,998,486,016 bytes free
Post-Run: 113,025,138,688 bytes free

- - End Of File - - B3E315F377085DECB1BF394DF8704B37
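
The log above records the standard-profile firewall policy (EnableFirewall = 0, a globally open port, a long list of application exceptions) and a Firefox user.js that turns off the mixed-content and insecure-form-submit warnings. As an added example that is not part of the original post or of ComboFix, the Python below pulls those sections out of such a log and reports the weak settings. The excerpt in SAMPLE_LOG is constructed from the lines above, and the choice of which user.js preferences count as weakening is this example's own assumption.

```python
import re

# Constructed excerpt of the ComboFix log posted above; only the sections this
# script inspects are reproduced.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_submit_insecure - false
"""

# user.js values that silence a browser safety warning. Which preferences belong
# here is an assumption of this example, not something ComboFix decides.
RISKY_FF_PREFS = {
    "security.warn_viewing_mixed": "false",
    "security.warn_submit_insecure": "false",
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<rest>.*)$')
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP)$")
FF_RE = re.compile(r"^FF - user\.js: (?P<pref>\S+) - (?P<val>\S+)$")


def parse_firewall_policy(log_text):
    """Single pass over the log: collect firewall state and user.js prefs."""
    state = {
        "firewall_enabled": None,   # None = the section was not in the log
        "authorized_apps": [],
        "open_ports": [],
        "ff_user_prefs": {},
    }
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = FF_RE.match(line)
        if m:
            state["ff_user_prefs"][m.group("pref")] = m.group("val")
            continue
        m = VALUE_RE.match(line)
        if not m or "firewallpolicy" not in section:
            continue
        name, rest = m.group("name"), m.group("rest")
        if name == "EnableFirewall":
            if rest.strip():
                state["firewall_enabled"] = rest.split()[0] != "0"
        elif section.endswith(r"authorizedapplications\list"):
            # The log doubles backslashes in registry string data; undo that.
            state["authorized_apps"].append(name.replace("\\\\", "\\"))
        elif section.endswith(r"globallyopenports\list"):
            pm = PORT_RE.match(name)
            if pm:
                state["open_ports"].append((int(pm.group("port")), pm.group("proto")))
    return state


def findings(state):
    """Turn the parsed state into a list of human-readable weak settings."""
    out = []
    if state["firewall_enabled"] is False:
        out.append("Windows Firewall is off for the standard profile (EnableFirewall = 0)")
    for port, proto in state["open_ports"]:
        out.append(f"port {port}/{proto} is globally open to inbound connections")
    for pref, bad in RISKY_FF_PREFS.items():
        if state["ff_user_prefs"].get(pref) == bad:
            out.append(f"user.js sets {pref} = {bad}, silencing a browser warning")
    return out


if __name__ == "__main__":
    parsed = parse_firewall_policy(SAMPLE_LOG)
    print(f"{len(parsed['authorized_apps'])} firewall exceptions listed")
    for item in findings(parsed):
        print("WEAK:", item)
```

To use it on a full log, pass the file's text to parse_firewall_policy(). With EnableFirewall = 0, as on this machine, the exception list is moot until the firewall is switched back on, so that finding comes first; the open port and the user.js entries are worth a look only once the firewall is enforcing again.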


#6 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 06 July 2010 - 02:16 PM

Hi

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

c:\windows\Xbafunitobabuyu.bin

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin


The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
Close ATF Cleaner

After that, Reboot.

Please do this next.

Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on Accept if your pop-up blocker blocks any windows from opening.

Read then Click Accept on the Information page.
Windows Vista users: you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files:
  • Under Scan on the left side, Click on My Computer
  • This will start the program and scan your system.
  • Click the “Scan Report” On the left side.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.

Please post the Kaspersky results and let me know how things are running.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, but I do accept donations.
Donate Here


#7 AJB27

AJB27
  • Topic Starter

  • Members
  • 6 posts

Posted 06 July 2010 - 02:45 PM

Not quite sure if Kaspersky is running or not. It has been trying to gather system information for about 15 minutes.

Edit: Running it in IE right now and started right up.

Edited by AJB27, 06 July 2010 - 02:49 PM.


#8 AJB27

AJB27
  • Topic Starter

  • Members
  • 6 posts

Posted 06 July 2010 - 06:15 PM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, July 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, July 06, 2010 11:58:53
Records in database: 4243698
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 77827
Threats found: 5
Infected objects found: 6
Suspicious objects found: 0
Scan duration: 02:35:15


File name / Threat / Threats count
C:\MGtools.exe Infected: Trojan-Dropper.Win32.Agent.chem 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Qoobox\Quarantine\C\Documents and Settings\Burke\Application Data\Xyehuz\amar.exe.vir Infected: Packed.Win32.Krap.gx 1
C:\System Volume Information\_restore{47A8E931-DB99-4E68-A74E-414CC0177075}\RP1282\A0143992.exe Infected: Trojan-Spy.Win32.Zbot.akjn 1
C:\System Volume Information\_restore{47A8E931-DB99-4E68-A74E-414CC0177075}\RP1295\A0145037.rbf Infected: not-a-virus:RiskTool.Win32.Deleter.e 1
C:\System Volume Information\_restore{47A8E931-DB99-4E68-A74E-414CC0177075}\RP1298\A0148449.exe Infected: Packed.Win32.Krap.gx 1

Selected area has been scanned.
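
The report above mixes three kinds of hits: a live file on C:\, a file already moved into ComboFix's C:\Qoobox\Quarantine folder (the .vir suffix), and three copies held inside System Restore points under System Volume Information. The reply that follows handles them differently: the restore-point copies go away when System Restore is reset via ComboFix /Uninstall, the quarantined one is already neutralised, and the only live malware-class hit (C:\MGtools.exe) is questioned as a false positive. As an added example that is not part of the original thread, the Python below sorts Kaspersky result lines into those buckets. SAMPLE_REPORT is a constructed copy of the six lines above, and the quarantine-folder and restore-point path patterns are this example's assumptions about where such files live.

```python
import re

# Constructed copy of the six result lines from the Kaspersky report above.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\MGtools.exe Infected: Trojan-Dropper.Win32.Agent.chem 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Qoobox\Quarantine\C\Documents and Settings\Burke\Application Data\Xyehuz\amar.exe.vir Infected: Packed.Win32.Krap.gx 1
C:\System Volume Information\_restore{47A8E931-DB99-4E68-A74E-414CC0177075}\RP1282\A0143992.exe Infected: Trojan-Spy.Win32.Zbot.akjn 1
C:\System Volume Information\_restore{47A8E931-DB99-4E68-A74E-414CC0177075}\RP1295\A0145037.rbf Infected: not-a-virus:RiskTool.Win32.Deleter.e 1
C:\System Volume Information\_restore{47A8E931-DB99-4E68-A74E-414CC0177075}\RP1298\A0148449.exe Infected: Packed.Win32.Krap.gx 1

Selected area has been scanned.
"""

# One result line: <path> Infected: <threat name> <count>. The path may contain
# spaces, so it is matched non-greedily up to the "Infected:" marker.
HIT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")
# System Restore keeps copies under _restore{GUID}\RPnnn\; ComboFix moves what it
# removes into C:\Qoobox\Quarantine and appends .vir. Both patterns are this
# example's assumptions about the file layout.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(?P<rp>RP\d+)\\", re.I)
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)


def parse_report(text):
    """Extract (path, threat, count) records from a Kaspersky scan report."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m.group("path"), "threat": m.group("threat"),
                         "count": int(m.group("count"))})
    return hits


def classify(hit):
    """Annotate one hit with where the file sits and how serious the verdict is."""
    path = hit["path"]
    rp = RESTORE_RE.search(path)
    if rp:
        hit["location"] = "restore_point"
        hit["restore_point"] = rp.group("rp")
    elif path.lower().startswith(QUARANTINE_PREFIXES) or path.lower().endswith(".vir"):
        hit["location"] = "quarantine"
    else:
        hit["location"] = "live"
    # Kaspersky prefixes riskware (legitimate but abusable tools) with not-a-virus:
    hit["verdict"] = "riskware" if hit["threat"].startswith("not-a-virus:") else "malware"
    return hit


def triage(text):
    """Bucket the report into what still needs a decision and what is already handled."""
    hits = [classify(h) for h in parse_report(text)]
    return {
        "live_malware": [h["path"] for h in hits
                         if h["location"] == "live" and h["verdict"] == "malware"],
        "live_riskware": [h["path"] for h in hits
                          if h["location"] == "live" and h["verdict"] == "riskware"],
        "quarantined": [h["path"] for h in hits if h["location"] == "quarantine"],
        "restore_points": sorted({h["restore_point"] for h in hits
                                  if h["location"] == "restore_point"}),
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

The script cannot tell a false positive from a real dropper; as in the thread, that stays a judgement call for whoever reviews the live_malware list. not-a-virus: verdicts (mIRC here) are listed separately because Kaspersky uses that prefix for legitimate tools that can be abused, not for infections.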


#9 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 06 July 2010 - 09:43 PM

Hi
This seems to be a false positive.
C:\MGtools.exe
Did you download the MGTools.exe tool from MajorGeeks at one time?

Please do the following.

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

This will uninstall ComboFix and remove the files/folders it created.
This action will also reset the System Restore points, removing any infected files there as well.
Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.

Please delete DDS and its log also GMER and its log.

Let me know how things are running.

Thanks
maranatha



#10 AJB27

AJB27
  • Topic Starter

  • Members
  • 6 posts

Posted 07 July 2010 - 08:48 AM

I did visit Majorgeeks and did download MGtools but never ran it. Deleted everything you said and things seem to be running just fine all around.

#11 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 07 July 2010 - 11:49 AM

Hi
OK, that's good to hear.

You're good to go.

Here are a few Preventive recommendations:

The following is a list of tools and utilities that we recommend to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.
    To do this just Click > Start > All Programs Click on > Windows Update, and follow the online instructions from there.
    (It is recommended that you have Windows Updates set to download and install automatically.)

  2. Malwarebytes' Anti-Malware (MBAM)
    http://www.malwarebytes.org/mbam.php (Home page)
    Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware.
    Some Key Features:
    Operating Systems: Microsoft ® Windows 2000, XP, Vista and 7 (32-bit and 64-bit).
    Database updates released daily.
    Works together with other anti-malware utilities.
    This is a free program with the option of Activating a full version, unlocking realtime protection, scheduled scanning, and scheduled updating. There is a one time fee for the full version.
    Remember to ALWAYS check for and install available updates prior to scanning!

  3. SpywareBlaster is a Freeware (for personal use) application that will help to prevent the installation of spyware and other potentially unwanted software. It accomplishes this by blocking the installation of many known bad ActiveX controls, spyware and tracking cookies, and restricting the actions of potentially unwanted sites. SpywareBlaster does not require any running or background processes to work once protections are enabled, which means it will not slow down your system in any way.
    Remember to check for and install available updates once a month!


  4. SpywareGuard - A Spyware "Shield" to protect your computer, acting much like your antivirus real-time protection. Its features include scanning files for spyware before you open them, blocking spyware downloads in Internet Explorer and monitoring/preventing attempted browser hijacking. Small and lightweight, yet powerful! Compatible with Windows 98, ME, 2000 & XP
    FREEWARE (for personal use)

  5. The MVPS Hosts File or similar HOSTS file will actually block a list of known bad sites from even loading in your browser. It can also be used to block ads, banners, 3rd party cookies and more. Operating system compatibility and installation instructions are provided.

  6. Install WinPatrol to monitor some key registry locations, file system changes, and other important areas, and have it alert you of the changes BEFORE allowing them to take place.

  7. Another thing we would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites. When using a search engine, The Ratings show up as small dots next to the web site. Green for Good, Yellow for Caution, Red for bad. Set your cursor on the dot for a small pop up window that provides more information on that web site.
    Web Browser: Internet Explorer 6 or 7. : Also works with Firefox.
    Operating System: Windows 2000 (Service Pack 4) Windows XP and Windows Vista

  8. If you would prefer something other than McAfee SiteAdvisor, you can go with this.
    WOT Web Of Trust.
    This is also free and is a well respected tool.
Now, even though you have security applications installed, they are useless unless updated regularly.
Most of the above recommended applications are updated periodically, and it's up to you to check for updates. Set aside time in a day each month to update all of your protections.


To find out more information about how you got infected in the first place and more great guidelines to follow to prevent future infections you can read
this article by Grinler

Surf Safely!
maranatha


Edited by maranatha, 07 July 2010 - 11:50 AM.



#12 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 08 July 2010 - 10:29 PM

Hi
You can delete ComboFix and the other tools.

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

This will uninstall ComboFix and remove the files/folders it created.
This action will also reset the System Restore points, removing any infected files there as well.
Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.

Please delete DDS and its log also GMER and its log.

Since this issue appears to be resolved ... this Topic has been closed.

If you’re the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

maranatha
