
Internet pages redirected - unsure of exact malware


  • This topic is locked
23 replies to this topic

#1 Gingerbridgeman

Gingerbridgeman

  • Members
  • 30 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 20 November 2010 - 10:52 AM

Whenever I click on a website link or type in a URL I often get taken to fake websites - eBay, dating sites etc. It happens with a variety of sites and URLs. The problem seemed to come when I downloaded AVG 11 from CNET. That also kept on coming up with the AVG Resident Shield Alert, constantly telling me I was infected with Win32 and Winlogon. It popped up every 5 seconds and got so annoying I've deleted AVG entirely. I also had to do that to get GMER to run without freezing my system.

Thank you in advance for your help.


DDS (Ver_10-11-10.01) - NTFSx86
Run by Richard at 15:46:58.76 on 20/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.375 [GMT 0:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [CHotkey] mHotkey.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [isamini.exe] c:\program files\video activex object\isamonitor.exe
mExplorerRun: [Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s] c:\program files\video activex object\isamonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe reader speed launch.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microsoft office.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - c:\program files\hello\PicasaCapture.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\3a080en1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-24 532224]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 gupdate1ca397953812da2;Google Update Service (gupdate1ca397953812da2);c:\program files\google\update\GoogleUpdate.exe [2009-9-19 133104]
S3 NETDLWL;D-Link Air Wireless Adapter(DL) NT Driver;c:\windows\system32\drivers\NETDLWL.sys [2004-9-10 159104]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-9-25 27064]

=============== Created Last 30 ================

2010-11-07 09:00:19 249856 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2010-11-06 15:00:15 -------- d--h--w- C:\$AVG
2010-11-06 13:29:24 -------- d-----w- c:\docume~1\richard\applic~1\AVG10
2010-11-06 13:09:21 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-06 13:07:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-06 13:01:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-06 11:28:44 -------- d-----w- c:\docume~1\richard\applic~1\Ymmy
2010-11-06 11:28:44 -------- d-----w- c:\docume~1\richard\applic~1\Ezboel
2010-11-06 11:28:36 -------- d-----w- c:\program files\windows
2010-11-06 10:49:12 -------- d-----w- c:\docume~1\richard\locals~1\applic~1\WinZip
2010-10-26 20:29:43 -------- d-----w- c:\docume~1\richard\applic~1\BitComet
2010-10-24 08:43:21 -------- dc-h--w- c:\windows\ie8
2010-10-24 07:48:06 912344 ----a-w- c:\program files\mozilla firefox\firefox.exe
2010-10-24 07:48:06 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll

==================== Find3M ====================

2010-10-02 15:51:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-02 15:51:42 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 11:23:26 974848 -c--a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 -c--a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 -c--a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 -c--a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 -c--a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 15:48:36.89 ===============

Attached Files
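An added triage helper, not part of this thread and not code from the DDS tool or BleepingComputer: it parses the line layouts DDS prints in the Pseudo HJT Report section above (BHO:, TB:, the Run-key lines, Hosts:, FF - HiddenExtension:) and pulls out the entries a responder would check first when the complaint is browser redirection. The sample log inside it is constructed in that layout; the uRun entry, the second Hosts line and the hidden extension are invented to exercise each check and are not from the poster's log. Nothing it flags is a verdict, only a reading order for a human.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' sections.

Added example. It is not part of the forum thread and not the DDS tool's code;
it only reads the 'Kind: body' line layout that DDS prints and groups the
entries that matter most for a browser-redirect complaint.
"""
import ipaddress
import re

# Constructed sample in the DDS layout, not the poster's full log. The uRun line,
# the second Hosts line and the FF - HiddenExtension line are made up to
# exercise each check (203.0.113.5 / example.com are reserved documentation values).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
uRun: [updater] c:\docume~1\user\applic~1\Xyzq\updater.exe
Hosts: 203.0.113.5 www.example.com
FF - HiddenExtension: Example Helper: {00000000-0000-0000-0000-000000000000} - c:\docume~1\user\applic~1\exthelper
"""

AUTORUN_KINDS = ("uRun", "mRun", "dRun", "mExplorerRun", "uExplorerRun", "StartupFolder")
# Directories where a legitimately installed autorun normally lives (assumption:
# anything under the profile's Application Data deserves a second look).
TRUSTED_DIR_PATTERN = re.compile(r'^"?[a-z]:\\(windows|program files|progra~1)\\', re.I)


def parse_entries(text):
    """Yield (kind, body) for each 'Kind: body' line; section rules and blanks are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("="):
            continue
        kind, sep, body = line.partition(": ")
        if not sep:
            continue
        yield kind, body


def hosts_redirects(text):
    """Hosts: lines that map a name to anything other than a loopback address.

    A hosts-file override is the simplest way to send a typed URL somewhere else,
    so these come first. Loopback entries (blocklists) are left alone.
    """
    findings = []
    for kind, body in parse_entries(text):
        if kind != "Hosts":
            continue
        addr, _, host = body.partition(" ")
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                findings.append((host.strip(), addr))
        except ValueError:
            findings.append((host.strip(), addr))  # not an IP at all: still worth a look
    return findings


def orphaned_objects(text):
    """BHO/TB entries whose file is gone ('No File'): leftovers to clean up, not active code."""
    return [(kind, body.split(" - ")[0]) for kind, body in parse_entries(text)
            if kind in ("BHO", "TB") and body.endswith("No File")]


def autoruns_outside_trusted_dirs(text):
    """Run-key / startup entries whose target is not under Windows or Program Files."""
    findings = []
    for kind, body in parse_entries(text):
        if kind not in AUTORUN_KINDS:
            continue
        # drop the [name] label DDS prints before the command
        target = re.sub(r"^\[[^\]]*\]\s*", "", body)
        if kind == "StartupFolder":
            target = target.split(" - ")[-1]  # '.lnk - real target'
        if not TRUSTED_DIR_PATTERN.match(target):
            findings.append((kind, target))
    return findings


def hidden_extensions(text):
    """Firefox extensions installed outside the profile UI; review each one by hand."""
    return [body for kind, body in parse_entries(text) if kind == "FF - HiddenExtension"]


def triage(text):
    """Group the findings in the order a responder would read them."""
    return {
        "hosts_redirects": hosts_redirects(text),
        "orphaned_objects": orphaned_objects(text),
        "autoruns_outside_trusted_dirs": autoruns_outside_trusted_dirs(text),
        "hidden_extensions": hidden_extensions(text),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run it against a saved DDS.txt by replacing SAMPLE_LOG with the file's contents. The trusted-directory list is deliberately narrow; a path that lands in the "outside trusted dirs" bucket is a prompt to check the file's publisher and creation date (the Created Last 30 section gives the latter), not a detection on its own.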




#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:32 PM

Posted 29 November 2010 - 06:07 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear.
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue.
  • A 'Finished!' message will appear.
  • Click OK.
  • DeFogger may ask you to reboot the machine; if it does, click OK.
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs.
  • Save the logs to a convenient place such as your desktop.
  • Copy the contents of both logs & post them in your next reply.



Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Extract RKUnhooker to your desktop.
    Note** it is zipped up in a .rar file. If you do not have a program to unzip this type of file,
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


Information and logs:

In your next post I need the following:

1. logs from DDS
2. log from RKUnHooker
3. let me know of any problems you may have had
Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Gingerbridgeman

Gingerbridgeman
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Local time:06:32 PM

Posted 29 November 2010 - 03:51 PM

Hi Gringo,

Thank you for your reply. Please find the logs below. I had no problems running these.

Regards,
Richard




DDS (Ver_10-11-27.01) - NTFSx86
Run by Richard at 20:35:13.60 on 29/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.348 [GMT 0:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\O2\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Richard\My Documents\Downloads\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [CHotkey] mHotkey.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [isamini.exe] c:\program files\video activex object\isamonitor.exe
mExplorerRun: [Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s] c:\program files\video activex object\isamonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe reader speed launch.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microsoft office.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - c:\program files\hello\PicasaCapture.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\3a080en1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\3a080en1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-1-24 532224]
R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\o2\bin\sprtsvc.exe [2007-6-7 202280]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 gupdate1ca397953812da2;Google Update Service (gupdate1ca397953812da2);c:\program files\google\update\GoogleUpdate.exe [2009-9-19 133104]
S3 NETDLWL;D-Link Air Wireless Adapter(DL) NT Driver;c:\windows\system32\drivers\NETDLWL.sys [2004-9-10 159104]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-9-25 27064]

=============== Created Last 30 ================

2010-11-28 20:10:40 -------- d-----w- c:\program files\iPod
2010-11-28 20:10:35 -------- d-----w- c:\program files\iTunes
2010-11-07 09:00:19 249856 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2010-11-06 15:00:15 -------- d--h--w- C:\$AVG
2010-11-06 13:29:24 -------- d-----w- c:\docume~1\richard\applic~1\AVG10
2010-11-06 13:09:21 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-11-06 13:07:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-11-06 13:01:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-11-06 11:28:44 -------- d-----w- c:\docume~1\richard\applic~1\Ymmy
2010-11-06 11:28:44 -------- d-----w- c:\docume~1\richard\applic~1\Ezboel
2010-11-06 11:28:36 -------- d-----w- c:\program files\windows
2010-11-06 10:49:12 -------- d-----w- c:\docume~1\richard\locals~1\applic~1\WinZip

==================== Find3M ====================

2010-10-02 15:51:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-02 15:51:42 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 11:23:26 974848 -c--a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17:46 94208 -c--a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17:46 69632 -c--a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

============= FINISH: 20:36:47.82 ===============





UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/09/2004 13:58:50
System Uptime: 29/11/2010 19:10:18 (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4S800D
Processor: Intel® Pentium® 4 CPU 3.00GHz | CPU 1 | 3000/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 77 GiB total, 26.436 GiB free.
D: is CDROM ()
E: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link Air DWL-510 Wireless PCI Adapter
Device ID: PCI\VEN_1186&DEV_3300&SUBSYS_33011186&REV_20\3&267A616A&0&40
Manufacturer: D-Link
Name: D-Link Air DWL-510 Wireless PCI Adapter
PNP Device ID: PCI\VEN_1186&DEV_3300&SUBSYS_33011186&REV_20\3&267A616A&0&40
Service: NETDLWL

==== System Restore Points ===================

RP1: 06/11/2010 12:51:06 - System Checkpoint
RP2: 06/11/2010 13:06:25 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP3: 06/11/2010 13:06:47 - Installed AVG 2011
RP4: 06/11/2010 13:07:17 - Installed AVG 2011
RP5: 07/11/2010 09:34:57 - Removed SUPERAntiSpyware Free Edition
RP6: 07/11/2010 14:39:35 - RB's own one
RP7: 13/11/2010 13:44:11 - Software Distribution Service 3.0
RP8: 20/11/2010 10:58:52 - Removed AVG 2011
RP9: 20/11/2010 11:00:26 - Removed AVG 2011
RP10: 27/11/2010 15:05:57 - System Checkpoint
RP11: 28/11/2010 15:18:48 - System Checkpoint
RP12: 29/11/2010 20:14:08 - System Checkpoint

==== Installed Programs ======================


Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 9.4.0
Advanced SystemCare 3
AOL YGP Picture Downloader
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HydraVision
AutoUpdate
BitComet 1.23
BitTorrent 4.0.1
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
CCleaner
Critical Update for Windows Media Player 11 (KB959772)
DivX
DivX Player
Google Chrome
Google Update Helper
Hello (remove only)
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterActual Player
iTunes
Java Auto Updater
Java™ 6 Update 21
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.1
Microsoft IntelliType Pro 6.1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Monkey's Audio
Mozilla Firefox (3.6.12)
MS Word Export To Multiple PDF Files Software 7.0
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero OEM
O2 Broadband Assistant
PDF Writer
Picasa 3
QuickTime
RealPlayer
Revo Uninstaller Pro 2.4.1
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sibelius Scorch Plugin
SiS 900 PCI Fast Ethernet Adapter Driver
SiSRaidPackage
Skins
Skype™ 3.5
Smart Defrag 1.20
SoundMAX
Spybot - Search & Destroy
SUPERAntiSpyware
Switch Sound File Converter
UK-Elect v6.8 Professional
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2362765)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Wireless Keyboard Driver Ver1.1
VC 9.0 Runtime
Viewpoint Media Player
WebFldrs XP
Winamp
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinRAR archiver
WinZip 14.5
ZoneAlarm

==== End Of File ===========================




RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xF63E7000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5271552 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF19A000 C:\WINDOWS\System32\ati3duag.dll 3919872 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF557000 C:\WINDOWS\System32\ativvaxx.dll 2187264 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF54EA000 C:\WINDOWS\system32\drivers\smwdm.sys 581632 bytes (Analog Devices, Inc., SoundMAX Integrated Digital Audio )
0xF75DE000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF062000 C:\WINDOWS\System32\ati2cqag.dll 561152 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xB1338000 C:\WINDOWS\System32\vsdatant.sys 528384 bytes (Check Point Software Technologies LTD, ZoneAlarm Firewalling Driver)
0xB0FAC000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF0EB000 C:\WINDOWS\System32\atikvmag.dll 442368 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xF53BE000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB142A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA7300000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 327680 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF157000 C:\WINDOWS\System32\atiok3x2.dll 274432 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xA6C6D000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF7714000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA73D0000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF75B1000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB101C000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB13DF000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB13B9000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA75D0000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF54C6000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF54A2000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF5593000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB1047000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7694000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF76E4000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7597000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF76CC000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF76B4000 C:\WINDOWS\system32\drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF766B000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF548B000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA7694000 C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys 90112 bytes (Microsoft Corporation, NWLINK2 IPX Protocol Driver)
0xA7543000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF5656000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF566A000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB1483000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7682000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xA71D6000 C:\WINDOWS\system32\drivers\tmcomm.sys 73728 bytes (Trend Micro Inc., TrendMicro Common Module)
0xF7703000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF541C000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB0EB2000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF7903000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7843000 C:\WINDOWS\system32\DRIVERS\nwlnknb.sys 65536 bytes (Microsoft Corporation, NWLINK2 IPX Netbios Protocol Driver)
0xF78E3000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF7923000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7913000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF5626000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF5606000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB0E32000 C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys 57344 bytes (Microsoft Corporation, NWLINK2 SPX Protocol Driver)
0xF77B3000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7933000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7783000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF6DD4000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7793000 SiSRaid.sys 49152 bytes (Silicon Integrated Systems, SiS RAID Miniport Driver)
0xB2668000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF78F3000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7773000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF6DE4000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF77D3000 uagp35.sys 45056 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0xF7763000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7963000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF6DA4000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF77E3000 SISAGPX.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS AGPv3.5 Filter)
0xF6DB4000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF77A3000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xAFFE2000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF79B3000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF6DC4000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB2678000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA6B22000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF77C3000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF4B31000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF5376000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79F3000 sisidex.sys 32768 bytes (Windows ® 2000 DDK provider, FileSpy Filter Driver)
0xF7A2B000 C:\WINDOWS\system32\DRIVERS\sisnic.sys 32768 bytes (SiS Corporation, SiS PCI Fast Ethernet Adapter Driver)
0xB00CA000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7A23000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7B63000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF538E000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB0F47000 C:\DOCUME~1\Richard\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF79E3000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB191A000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7B6B000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7A53000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7A5B000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB00C2000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xF5386000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF5396000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF537E000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF79EB000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7A3B000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7A43000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7A33000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7A03000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xB168F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA7564000 C:\WINDOWS\System32\Drivers\ASPI32.SYS 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xAFDD9000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7C4B000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF6906000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF68EE000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7B73000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xAA5CE000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB019C000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB018C000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7C37000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF68FE000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7CE1000 C:\WINDOWS\system32\drivers\aeaudio.sys 8192 bytes (Andrea Electronics Corporation, Andrea Audio Stub Driver)
0xF7D09000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7D07000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7C63000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7D0B000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7D23000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF7D0D000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7CE3000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7CF9000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7C65000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7E8A000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA96AA000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7DD9000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7D2B000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x8674A488 ] TID: 136
0x80562520 Faked ServiceTable-->spoolsv.exe [ ETHREAD 0x866B0DA8 ] TID: 140, 497880 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x871BCDA8 ] TID: 180
0x80562520 Faked ServiceTable-->chrome.exe [ ETHREAD 0x869117B0 ] TID: 260
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x868ADBE8 ] TID: 296
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x868A82D0 ] TID: 312
0x80562520 Faked ServiceTable-->chrome.exe [ ETHREAD 0x8667EB30 ] TID: 316
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86814A28 ] TID: 320
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8667C020 ] TID: 332
0x80562520 Faked ServiceTable-->chrome.exe [ ETHREAD 0x8667E8B8 ] TID: 336
0x80562520 Faked ServiceTable-->vsmon.exe [ ETHREAD 0x866027A0 ] TID: 340
0x80562520 Faked ServiceTable-->vsmon.exe [ ETHREAD 0x86800898 ] TID: 348
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x8668E868 ] TID: 352
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x867E77E0 ] TID: 376, 4194368 bytes
0x80562520 Faked ServiceTable-->chrome.exe [ ETHREAD 0x87227868 ] TID: 392, 425088 bytes
0x80562520 Faked ServiceTable-->AppleMobileDeviceService.exe [ ETHREAD 0x867279B8 ] TID: 396, 3997757 bytes
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x87118360 ] TID: 456
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x87116DA8 ] TID: 460
0x80562520 Faked ServiceTable-->smss.exe [ ETHREAD 0x871FA2B8 ] TID: 464
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x868FE4E8 ] TID: 468
0x80562520 Faked ServiceTable-->WINZIP32.EXE [ ETHREAD 0x86723C08 ] TID: 480
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86663538 ] TID: 496
0x80562520 Faked ServiceTable-->csrss.exe [ ETHREAD 0x86BE58A8 ] TID: 508
0x80562520 Faked ServiceTable-->csrss.exe [ ETHREAD 0x86BE64C8 ] TID: 520
0x80562520 Faked ServiceTable-->csrss.exe [ ETHREAD 0x86BE69C8 ] TID: 528
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8719B170 ] TID: 544
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8712DDA8 ] TID: 548, 8781826 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8711E208 ] TID: 568
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x87233DA8 ] TID: 572, 8781826 bytes
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x867EB400 ] TID: 576
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x87165DA8 ] TID: 580, 8781826 bytes
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8712B8A0 ] TID: 608
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x87126DA8 ] TID: 612, 8781826 bytes
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8710B500 ] TID: 616
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8726C7D8 ] TID: 620, 8781826 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x87130020 ] TID: 624
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8727CDA8 ] TID: 628, 8781826 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x87210B60 ] TID: 632
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x87114DA8 ] TID: 636, 8781826 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8715EA20 ] TID: 648
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x871243F0 ] TID: 672, 8781826 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x86BED020 ] TID: 680
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x8716D930 ] TID: 684, 8781826 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x871978A8 ] TID: 692
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x870FA5F8 ] TID: 704
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x868DD838 ] TID: 708
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x87100BE8 ] TID: 724, 8781828 bytes
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x871965B0 ] TID: 728
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x871082E8 ] TID: 736, 8781828 bytes
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x87160400 ] TID: 740
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8716D3B8 ] TID: 744, 8781829 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x87163A68 ] TID: 780
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x86BFD4C0 ] TID: 784, 570616 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8715A9C8 ] TID: 788
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x8720F228 ] TID: 796, 8781831 bytes
0x80562520 Faked ServiceTable-->SMAgent.exe [ ETHREAD 0x8682BDA8 ] TID: 800
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x871612E0 ] TID: 820, 8781835 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x870E54A0 ] TID: 828
0x80562520 Faked ServiceTable-->services.exe [ ETHREAD 0x86BB49C0 ] TID: 840
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x86BBBB18 ] TID: 844
0x80562520 Faked ServiceTable-->ati2evxx.exe [ ETHREAD 0x8716A630 ] TID: 848, 8781838 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x870F84E8 ] TID: 868
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x871F1DA8 ] TID: 872
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x870FADA8 ] TID: 876
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x870FAB30 ] TID: 880, 8781843 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86BF1248 ] TID: 892
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8668C700 ] TID: 916
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8710A020 ] TID: 936
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8727D8B8 ] TID: 940, 8781846 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86725348 ] TID: 976
0x80562520 Faked ServiceTable-->chrome.exe [ ETHREAD 0x868F22C8 ] TID: 980
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86682650 ] TID: 988
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86687DA8 ] TID: 992
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86825868 ] TID: 996
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x868255F0 ] TID: 1000, 8781848 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x871399D8 ] TID: 1008
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8681A430 ] TID: 1012, 8781849 bytes
0x80562520 Faked ServiceTable-->explorer.exe [ ETHREAD 0x86463738 ] TID: 1024
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8710E020 ] TID: 1032
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x870F98C8 ] TID: 1036
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86819448 ] TID: 1040
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8681A7B0 ] TID: 1044
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x866C45F8 ] TID: 1060
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x870EF258 ] TID: 1068
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x867244A0 ] TID: 1088, 8781855 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x871A42A8 ] TID: 1092
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x87110020 ] TID: 1096, 8781857 bytes
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x86637388 ] TID: 1104
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x871096A8 ] TID: 1116
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86817538 ] TID: 1120
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x8667F310 ] TID: 1124
0x80562520 Faked ServiceTable-->chrome.exe [ ETHREAD 0x868F3800 ] TID: 1132
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x870EF8B8 ] TID: 1136
0x80562520 Faked ServiceTable-->lsass.exe [ ETHREAD 0x87133BA0 ] TID: 1140
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x87133928 ] TID: 1144, 7929971 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86978DA8 ] TID: 1172
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x86978B30 ] TID: 1176
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x86968BE8 ] TID: 1220
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x86968970 ] TID: 1224, 312 bytes
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x866E9A48 ] TID: 1228
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8696BBE8 ] TID: 1240
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x8721FDA8 ] TID: 1248
0x80562520 Faked ServiceTable-->winlogon.exe [ ETHREAD 0x86960DA8 ] TID: 1284
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x868147B0 ] TID: 1288
0x80562520 Faked ServiceTable-->svchost.exe [ ETHREAD 0x866EB358 ] TID: 1292
0x80562520 Faked ServiceTable-->jqs.exe [ ETHREAD 0x8688B020 ] TID: 1300

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 November 2010 - 04:37 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Gingerbridgeman

  • Topic Starter
  • Members
  • 30 posts

Posted 29 November 2010 - 05:58 PM

Hi Gringo,

Here is the report; no problems in the scan. The two infected files it found were those that AVG kept on saying were infected (but couldn't fix). Unfortunately the problem still exists: often when I click on Google results I get directed to another site (info.co.uk, gumtree, etc.).

Thanks,
Richard


ComboFix 10-11-29.03 - Richard 29/11/2010 22:24:27.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.471 [GMT 0:00]
Running from: c:\documents and settings\Richard\My Documents\Downloads\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\All Users\Documents\Server\admin.txt
c:\windows\AhnRpta.exe
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\dmlconf.dat
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg

c:\windows\system32\winlogon.exe . . . is infected!!

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-28 20:10 . 2010-11-28 20:10 -------- d-----w- c:\program files\iPod
2010-11-28 20:10 . 2010-11-28 20:11 -------- d-----w- c:\program files\iTunes
2010-11-07 09:00 . 2010-10-27 04:49 249856 ----a-w- c:\program files\Mozilla Firefox\freebl3.dll
2010-11-06 15:00 . 2010-11-06 15:00 -------- d-----w- C:\$AVG
2010-11-06 13:29 . 2010-11-06 13:29 -------- d-----w- c:\documents and settings\Richard\Application Data\AVG10
2010-11-06 13:09 . 2010-11-06 13:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-06 13:07 . 2010-11-20 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-06 13:01 . 2010-11-06 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-06 11:28 . 2010-11-06 15:10 -------- d-----w- c:\documents and settings\Richard\Application Data\Ymmy
2010-11-06 11:28 . 2010-11-06 14:05 -------- d-----w- c:\documents and settings\Richard\Application Data\Ezboel
2010-11-06 11:28 . 2010-11-06 12:14 -------- d-----w- c:\program files\windows
2010-11-06 10:49 . 2010-11-06 10:49 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\WinZip
2010-11-06 10:48 . 2010-11-06 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-02 15:51 . 2010-10-02 15:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-02 15:51 . 2010-06-19 12:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 11:23 . 2004-08-04 12:00 974848 -c--a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 -c--a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 -c--a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
.

------- Sigcheck -------

[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 . 873E7C67837B998ED53AD54C6BFBBB74 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . 358F7515ABCDCBB13201A42BEADD170E . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"CHotkey"="mHotkey.exe" [2002-07-29 473088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12148:TCP"= 12148:TCP:BitComet 12148 TCP
"12148:UDP"= 12148:UDP:BitComet 12148 UDP

R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 15:19 202280]
S2 gupdate1ca397953812da2;Google Update Service (gupdate1ca397953812da2);c:\program files\Google\Update\GoogleUpdate.exe [19/09/2009 22:32 133104]
S3 NETDLWL;D-Link Air Wireless Adapter(DL) NT Driver;c:\windows\system32\drivers\NETDLWL.sys [10/09/2004 13:52 159104]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04/08/2004 12:00 14336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [25/09/2010 14:04 27064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-19 22:31]

2010-11-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-19 22:31]

2010-05-09 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2008-11-16 09:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\3a080en1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\NOS\bin\np_gp.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\3a080en1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM-Run-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
HKLM-Run-{0228e555-4f9c-4e35-a3ec-b109a192b4c2} - c:\program files\Google\Gmail Notifier\gnotify.exe
HKLM-Run-RemoteControl - c:\program files\CyberLink\PowerDVD\PDVDServ.exe
HKLM-Explorer_Run-Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s - c:\program files\Video ActiveX Object\isamonitor.exe
AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
AddRemove-HijackThis - c:\program files\HijackThis\HijackThis.exe
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
AddRemove-PDF Writer - c:\program files\PDF Writer\uninstpw.exe
AddRemove-RealPlayer 12.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-Sibelius Scorch Plugin - c:\program files\Musicnotes\uninstsc.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe
AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 22:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2156)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\mHotkey.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-11-29 22:51:57 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-29 22:51

Pre-Run: 28,353,138,688 bytes free
Post-Run: 28,427,419,648 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E184E6E0F114B169F4A45FC6469ABD0D

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 29 November 2010 - 06:21 PM

Run Batch File

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:
@echo off
copy /y c:\windows\ServicePackFiles\i386\winlogon.exe c:\
copy /y c:\windows\ServicePackFiles\i386\explorer.exe c:\
del %0
Save this as copy.bat. Choose "Save as type: All Files" and save it to the Desktop, then close the Notepad file.
It should look like this: [screenshot: Vista]
It should look like this: [screenshot: XP]
Double-click on copy.bat to run it. This batch file will delete itself when complete.

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main text field:
:filefind
explorer.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Gingerbridgeman (Topic Starter)

  • Members
  • 30 posts

Posted 30 November 2010 - 06:21 PM

Hi Gringo,

Log below. Tomorrow morning (UK time) I go away for a few days until Sunday. I will login early tomorrow morning to run the next set of instructions but after that I'm afraid I won't be able to reply.

Regards,
Richard


SystemLook 04.09.10 by jpshortstuff
Log created at 23:18 on 30/11/2010 by Richard
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [23:18 30/11/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 04/08/2004] [00:12 14/04/2008] 358F7515ABCDCBB13201A42BEADD170E
C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1033216 bytes [16:40 15/06/2008] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [18:39 18/08/2007] [12:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [16:18 15/06/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [23:18 30/11/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [16:40 15/06/2008] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe -----c- 507904 bytes [16:19 15/06/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 04/08/2004] [00:12 14/04/2008] 873E7C67837B998ED53AD54C6BFBBB74

-= EOF =-
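The check behind the Sigcheck section of the ComboFix log above and this SystemLook filefind output is the same one: the copy Windows actually executes (c:\windows\explorer.exe and c:\windows\system32\winlogon.exe) should hash identically to the service-pack cache copy under ServicePackFiles\i386, and here both differ even though winlogon.exe has exactly the reference size. The Python script below is an added example, not part of this thread or of the SystemLook tool; it parses lines in SystemLook's filefind format (sample lines constructed from the log above) and reports which copies disagree with that reference.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the SystemLook log posted in
# this thread, trimmed to the copies that matter for the comparison.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff

========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [23:18 30/11/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [12:00 04/08/2004] [00:12 14/04/2008] 358F7515ABCDCBB13201A42BEADD170E
C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c- 1032192 bytes [18:39 18/08/2007] [12:00 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [16:18 15/06/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [23:18 30/11/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe -----c- 507904 bytes [16:19 15/06/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [12:00 04/08/2004] [00:12 14/04/2008] 873E7C67837B998ED53AD54C6BFBBB74

-= EOF =-
"""

# One result line: <path> <7 attribute flags> <size> bytes [modified] [created] <MD5>
RECORD_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.*?)\s+'
    r'(?P<attrs>[-A-Za-z]{7})\s+'
    r'(?P<size>\d+) bytes '
    r'\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] '
    r'(?P<md5>[0-9A-Fa-f]{32})$'
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# The service-pack cache is the known-good copy the helper restored from.
REFERENCE_MARK = '\\servicepackfiles\\i386\\'

# Where the copy that Windows executes lives (Windows XP defaults).
LIVE_LOCATIONS = {
    'explorer.exe': r'c:\windows\explorer.exe',
    'winlogon.exe': r'c:\windows\system32\winlogon.exe',
}


def parse_filefind(log_text):
    """Return {file name (lower-case): [record, ...]} from a :filefind log."""
    results = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group('name').lower()
            results[current]  # register the name even if no copy is listed
            continue
        m = RECORD_RE.match(line)
        if m and current is not None:
            rec = m.groupdict()
            rec['size'] = int(rec['size'])
            rec['md5'] = rec['md5'].upper()
            results[current].append(rec)
    return dict(results)


def is_reference(path):
    return REFERENCE_MARK in path.lower()


def same_content(a, b):
    # Size alone is not enough: the infected winlogon.exe in this thread has
    # exactly the reference size (507904 bytes) but a different MD5.
    return a['size'] == b['size'] and a['md5'] == b['md5']


def compare_to_reference(records):
    """Sort every non-reference copy of each file into 'matching' or 'differing'.
    Copies under $NtUninstall*$ / $NtServicePackUninstall$ are older builds and
    are expected to differ; the live copy is not."""
    report = {}
    for name, recs in records.items():
        ref = next((r for r in recs if is_reference(r['path'])), None)
        entry = {'reference': ref['md5'] if ref else None,
                 'matching': [], 'differing': []}
        for r in recs:
            if ref is None or r is ref:
                continue
            if same_content(r, ref):
                entry['matching'].append(r['path'])
            else:
                entry['differing'].append((r['path'], r['md5']))
        report[name] = entry
    return report


def live_copy_status(records, live_locations=LIVE_LOCATIONS):
    """'OK' if the executing copy matches the reference, otherwise why not."""
    status = {}
    for name, live_path in live_locations.items():
        recs = records.get(name, [])
        ref = next((r for r in recs if is_reference(r['path'])), None)
        live = next((r for r in recs
                     if r['path'].lower() == live_path.lower()), None)
        if live is None:
            status[name] = 'NOT FOUND'
        elif ref is None:
            status[name] = 'NO REFERENCE'
        elif same_content(live, ref):
            status[name] = 'OK'
        else:
            status[name] = 'MISMATCH'
    return status
```

A match only shows the live file equals the cached copy, so the cache copy itself still needs to come from a trusted source; for the log above both live copies come back MISMATCH, which is what the BlitzBlank replacement in the next post fixes.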

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 November 2010 - 07:29 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
C:\Windows\explorer.exe
C:\WINDOWS\system32\winlogon.exe
MoveFile:
C:\explorer.exe C:\Windows\explorer.exe
C:\winlogon.exe C:\WINDOWS\system32\winlogon.exe
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by BlitzBlank. You can find it at the root of the drive, normally C:\


#9 Gingerbridgeman (Topic Starter)

  • Members
  • 30 posts

Posted 01 December 2010 - 02:53 AM

Log below. I now go away until Sunday but will respond to the next instruction as soon as I return. Thank you for your help so far.

Regards,
Richard



BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
MoveFileOnReboot: sourceFile = "\??\c:\windows\explorer.exe", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\windows\system32\winlogon.exe", destinationFile = "(null)", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe", replaceWithDummy = 0
MoveFileOnReboot: sourceFile = "\??\c:\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe", replaceWithDummy = 0

#10 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 December 2010 - 03:04 AM

Hello

OK, thanks for letting me know. When you come back, this is what I would like you to do:

Update ComboFix

I would like you to download an updated version of ComboFix.

Delete the version of ComboFix you have now on your desktop and download a new one from here:

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on ComboFix.exe and follow the prompts.
When finished, it will produce a report for you.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Gringo

#11 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 December 2010 - 11:31 PM

12/6 :busy:

#12 Gingerbridgeman (Topic Starter)

  • Members
  • 30 posts

Posted 05 December 2010 - 05:19 PM

Hi Gringo,

Here is the ComboFix log. I had to run it twice as my computer shut down / crashed during the first scan. I thought it might be ComboFix that did it, but it didn't continue or provide a log.

Thanks,
Richard

ComboFix 10-12-04.02 - Richard 05/12/2010 21:39:46.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1023.589 [GMT 0:00]
Running from: c:\documents and settings\Richard\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-11-05 to 2010-12-05 )))))))))))))))))))))))))))))))
.

2010-11-28 20:10 . 2010-11-28 20:10 -------- d-----w- c:\program files\iPod
2010-11-28 20:10 . 2010-11-28 20:11 -------- d-----w- c:\program files\iTunes
2010-11-07 09:00 . 2010-10-27 04:49 249856 ----a-w- c:\program files\Mozilla Firefox\freebl3.dll
2010-11-06 15:00 . 2010-11-06 15:00 -------- d-----w- C:\$AVG
2010-11-06 13:29 . 2010-11-06 13:29 -------- d-----w- c:\documents and settings\Richard\Application Data\AVG10
2010-11-06 13:09 . 2010-11-06 13:09 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-06 13:07 . 2010-11-20 11:00 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-06 13:01 . 2010-11-06 13:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-11-06 11:28 . 2010-11-06 15:10 -------- d-----w- c:\documents and settings\Richard\Application Data\Ymmy
2010-11-06 11:28 . 2010-11-06 14:05 -------- d-----w- c:\documents and settings\Richard\Application Data\Ezboel
2010-11-06 11:28 . 2010-11-06 12:14 -------- d-----w- c:\program files\windows
2010-11-06 10:49 . 2010-11-06 10:49 -------- d-----w- c:\documents and settings\Richard\Local Settings\Application Data\WinZip
2010-11-06 10:48 . 2010-11-06 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-01 07:50 . 2004-08-04 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-12-01 07:50 . 2004-08-04 12:00 1033728 ----a-w- c:\windows\explorer.exe
2010-10-02 15:51 . 2010-10-02 15:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-02 15:51 . 2010-06-19 12:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 11:23 . 2004-08-04 12:00 974848 -c--a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 10:17 . 2010-09-08 10:17 94208 -c--a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 10:17 . 2010-09-08 10:17 69632 -c--a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"CHotkey"="mHotkey.exe" [2002-07-29 473088]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-17 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\O2\\bin\\wificfg.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont.exe"=
"c:\\Program Files\\Common Files\\SupportSoft\\bin\\ssrc.exe"=
"c:\\Program Files\\O2\\agent\\bin\\bcont_nm.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12148:TCP"= 12148:TCP:BitComet 12148 TCP
"12148:UDP"= 12148:UDP:BitComet 12148 UDP

R2 sprtsvc_O2;SupportSoft Sprocket Service (O2);c:\program files\O2\bin\sprtsvc.exe [07/06/2007 15:19 202280]
S2 gupdate1ca397953812da2;Google Update Service (gupdate1ca397953812da2);c:\program files\Google\Update\GoogleUpdate.exe [19/09/2009 22:32 133104]
S3 NETDLWL;D-Link Air Wireless Adapter(DL) NT Driver;c:\windows\system32\drivers\NETDLWL.sys [10/09/2004 13:52 159104]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04/08/2004 12:00 14336]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [25/09/2010 14:04 27064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-19 22:31]

2010-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-19 22:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\3a080en1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\NOS\bin\np_gp.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\3a080en1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-05 21:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2804)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-05 22:08:47
ComboFix-quarantined-files.txt 2010-12-05 22:08
ComboFix2.txt 2010-11-29 22:51

Pre-Run: 28,173,303,808 bytes free
Post-Run: 28,081,807,360 bytes free

- - End Of File - - FEAB14E86D6FC34A0AE5F328C0CAA340
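The FIREFOX POLICIES block in the log above lists user.js preferences that switch off Firefox's own mixed-content and insecure-form-submission warnings. The script below is an added example, not part of the original thread or of the DDS tool: it parses lines in the same "FF - user.js:" layout that DDS prints and flags the preferences that silence those warnings. The sample lines are copied from the log above; the set of preferences treated as warning-disabling is this example's own assumption, not anything DDS itself defines.

```python
"""Flag security-weakening user.js preferences in a DDS-style log.

Added example, not part of the original thread or of the DDS tool. The
sample lines are copied from the FIREFOX POLICIES section of the log
above; the WEAKENING table is this example's own baseline.
"""
import re

# Constructed sample: the user.js lines exactly as DDS printed them on the page.
SAMPLE_LOG = """\
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
"""

# DDS layout: "FF - user.js: <preference name> - <value>"
LINE_RE = re.compile(r"^FF - user\.js:\s*(?P<pref>\S+)\s+-\s+(?P<value>.+?)\s*$")

# Preferences that, at these values, remove a warning the browser would
# otherwise show. Assumption: this is the reviewer's baseline, not DDS output.
WEAKENING = {
    # no dialog when a page mixes HTTPS and plain-HTTP content
    "security.warn_viewing_mixed": "false",
    # no dialog when a form is submitted over an unencrypted connection
    "security.warn_submit_insecure": "false",
}


def parse_userjs_lines(log_text):
    """Return {preference: value} for every 'FF - user.js:' line in the log."""
    prefs = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            prefs[m.group("pref")] = m.group("value")
    return prefs


def flag_weakened_prefs(prefs):
    """Return, sorted, the preferences whose value matches the WEAKENING table."""
    return sorted(p for p, v in prefs.items() if WEAKENING.get(p) == v)


if __name__ == "__main__":
    found = parse_userjs_lines(SAMPLE_LOG)
    for pref in flag_weakened_prefs(found):
        print(f"user.js sets {pref} = {found[pref]} (browser warning disabled)")
```

The `.show_once` entries and `network.cookie.cookieBehavior - 0` (accept all cookies, the Firefox default at the time) are parsed but not flagged, because on their own they do not remove a warning. Whoever wrote these lines, a browser that no longer warns when a form posts over plain HTTP gives the user one less signal when a link lands on a look-alike site, which is the symptom this thread opened with.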

#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 December 2010 - 06:41 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

  1. Click on Start.
  2. Then go to Settings.
  3. After that you need Control Panel.
  4. Look for the icon Add/Remove Programs.
  5. Click on the following programs:

     Adobe Reader 9.4.0
     Viewpoint Media Player

     and click on Remove.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, uncheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC (Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Information and logs

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
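The uninstall and update steps in the reply above are all Add/Remove Programs clicks. As an added check, not part of gringo's instructions or of any tool named in this thread, the following PowerShell script reads the same Uninstall registry keys that Add/Remove Programs is built from, so the Adobe Reader, Viewpoint and Java entries and their versions can be confirmed before and after uninstalling. It assumes PowerShell 2.0 or later is installed on the machine (it was an optional download for Windows XP); the name filter and the output columns are this example's own choice.

```powershell
# Added example, not part of the thread or of any tool it names.
# Enumerates Add/Remove Programs entries straight from the registry and
# shows the ones the reply above asks about. Assumes PowerShell 2.0+.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Add/Remove Programs hides keys with no DisplayName and keys that
            # set SystemComponent=1; reading the registry directly shows them,
            # which is why a product can be installed yet absent from the list.
            New-Object PSObject -Property @{
                Key             = $_.PSChildName
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                SystemComponent = $p.SystemComponent
                UninstallString = $p.UninstallString
            }
        }
    }
}

# Filter is this example's own choice: the products named in the reply above.
$entries |
    Where-Object { $_.Name -match 'Adobe Reader|Viewpoint|Java' -or $_.Key -match 'Viewpoint' } |
    Sort-Object Name |
    Format-Table Key, Name, Version, SystemComponent, UninstallString -AutoSize
```

Run it from a PowerShell prompt started as an administrator. The `UninstallString` column is the command Add/Remove Programs would run for the entry; when an MSI uninstall fails part way, as Adobe Reader's later did in this thread, that string (usually `MsiExec.exe /X{product-code}`) is what you would re-run by hand after repairing the install.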

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 08 December 2010 - 02:22 AM

Hello

three day bump

It has been three days since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#15 Gingerbridgeman

  • Topic Starter
  • Members
  • 30 posts

Posted 08 December 2010 - 03:10 AM

Hi Gringo,

I've had a few issues running through these and so haven't got beyond the Malwarebytes stage. They are:

Stage 1:

When trying to uninstall Adobe 9.4 it came up with this error message:

“Error 1905.Module C:\Program Files\Adobe\Reader9.0\Reader\authplay.dll failed to unregister. HRESULT-2147220472.”

When trying to install new Adobe came up with this:

“Setup has detected that you already have a more functional product installed. Setup will now terminate”

But it does say it’s installed.

There is no Viewpoint Media Player in the Add/Remove programs list to uninstall


Stage 2.

When I click on the Java tab nothing happens. It doesn’t open. So I can’t update or clean the cache.

Stage 3.
Each time I go to the MalwareBytes page and click download now it takes me to this page but does nothing (in either Firefox or IE)

https://www.regnow.com/softsell/visitor.cgi?affiliate=10793&action=site&vendor=12128&ref=http%3A%2F%2Ffileforum.betanews.com%2Fsendfile%2F1186760019%2F1%2F1291795469.105d44a155d5e87ae25849941f3eef07a67f8f86%2Fmbam-setup.exe

The file download doesn’t actually start. Also, do I have to purchase a licence or is it a free piece of kit?

Regards,
Richard
