Bad Image Error Pop Ups and random music


  • This topic is locked
9 replies to this topic

#1 Ssco

  • Members
  • 4 posts

Posted 15 April 2011 - 11:31 AM

I have recently started hearing random music playing in the background and since then we have been getting bad image errors and most recently script errors. Acrobat Reader also opens up on its own with an error message (Adobe failed to load its core DLL - happened just now) and now I get a fatal error for it popping up. Today Internet Explorer failed to run and Firefox followed. A separate user account has allowed me back in, but it's not ideal.

I have followed the guidelines, but the DDS failed to run and all I ended up with was a text file.

GMER Log

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-15 17:28:34
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG00
Running: gmer.exe; Driver: C:\Users\Jo\AppData\Local\Temp\kgldyuow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x925CAFAE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x925CBA44]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwCreateThread [0x9160FDB6]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwCreateThreadEx [0x9160FE54]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwDeleteFile [0x9160EE12]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x925CF1D4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x925CF206]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x925CF368]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x925CBB1A]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x94625780]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x925CB2E4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x925CB416]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x925CF2DE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x925CF248]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x925CF27A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x925CF2AC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x925CAF54]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwSetInformationFile [0x9160EE86]
SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys ZwSetValueKey [0x9160FC92]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x925CAEF0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x94625830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x946258D0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x94625970]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 83047589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8306C092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 830738AC 4 Bytes [AE, AF, 5C, 92] {SCASB ; SCASD ; POP ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 2F8 83073908 4 Bytes [44, BA, 5C, 92]
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 8307395C 8 Bytes [B6, FD, 60, 91, 54, FE, 60, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 388 83073998 8 Bytes [12, EE, 60, 91, D4, F1, 5C, ...] {ADC CH, DH; PUSHA ; XCHG ECX, EAX; AAM 0xf1; POP ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!RtlSidHashLookup + 398 830739A8 4 Bytes [06, F2, 5C, 92]
.text ...
PAGE ntkrnlpa.exe!ZwDeleteKey + 3393 8320490E 7 Bytes JMP 9236A138

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1028] ntdll.dll!KiUserApcDispatcher 776661E8 5 Bytes JMP 00413D30 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1028] WS2_32.dll!getaddrinfo 767F6737 5 Bytes JMP 71A50022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1028] WS2_32.dll!gethostbyname 76807133 5 Bytes JMP 71AE0022
.text C:\Windows\Explorer.EXE[1992] WININET.dll!HttpAddRequestHeadersA 76999ABA 5 Bytes JMP 0039164F
.text C:\Windows\Explorer.EXE[1992] WININET.dll!HttpAddRequestHeadersW 769A0848 5 Bytes JMP 00391817
.text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Windows\system32\taskhost.exe[2060] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Windows\system32\taskhost.exe[2060] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Windows\system32\conhost.exe[2120] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Windows\system32\conhost.exe[2120] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Windows\system32\conhost.exe[2120] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Windows\system32\conhost.exe[2120] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2136] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2136] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2136] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe[2136] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2304] ntdll.dll!KiUserApcDispatcher 776661E8 5 Bytes JMP 0043E9D0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2304] WS2_32.dll!getaddrinfo 767F6737 5 Bytes JMP 71A50022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2304] WS2_32.dll!gethostbyname 76807133 5 Bytes JMP 71AE0022
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] ntdll.dll!KiUserApcDispatcher 776661E8 5 Bytes JMP 01587700 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] ntdll.dll!LdrLoadDll 7767F5B5 6 Bytes PUSH 71A60022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 007A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] WS2_32.dll!recv 767F47DF 5 Bytes JMP 0078000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] WS2_32.dll!connect 767F48BE 5 Bytes JMP 0079000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] WS2_32.dll!getaddrinfo 767F6737 5 Bytes JMP 007D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] WS2_32.dll!send 767FC4C8 5 Bytes JMP 007B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] WS2_32.dll!gethostbyname 76807133 5 Bytes JMP 007C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] USER32.dll!CreateWindowExA 7667E18A 6 Bytes JMP 7197000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] USER32.dll!CreateWindowExW 76680E51 6 Bytes JMP 719B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] USER32.dll!RegisterClassExW 7668212B 6 Bytes PUSH 71AE0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2332] USER32.dll!PeekMessageW 766891B5 6 Bytes JMP 71A1000A
.text C:\Windows\system32\Dwm.exe[2444] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Windows\system32\Dwm.exe[2444] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Windows\system32\Dwm.exe[2444] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Windows\system32\Dwm.exe[2444] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
? C:\Windows\Explorer.EXE[2472] time/date stamp mismatch; unknown module: WINMM.dllunknown module: CFGMGR32.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: WINBRAND.dllunknown module: DUI70.dllunknown module: SndVolSSO.DLLunknown module: netutils.dllunknown module: wkscli.dllunknown module: PROPSYS.dllunknown module: gdiplus.dllunknown module: slc.dllunknown module: dwmapi.dllunknown module: POWRPROF.dllunknown module: UxTheme.dllunknown module: EXPLORERFRAME.dllunknown module: OLEAUT32.dll
.text C:\Windows\Explorer.EXE[2472] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Windows\Explorer.EXE[2472] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Windows\Explorer.EXE[2472] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Windows\Explorer.EXE[2472] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!sendto 767F3AED 5 Bytes JMP 2004D423
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 2004DA66
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!WSARecvFrom 767F418D 5 Bytes JMP 2004D985
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!recv 767F47DF 5 Bytes JMP 2004D6DE
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!WSASend 767F68A7 5 Bytes JMP 2004D7C2
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!recvfrom 767FBF39 5 Bytes JMP 2004D74D
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!WSARecv 767FC29F 5 Bytes JMP 2004D8AA
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!send 767FC4C8 5 Bytes JMP 2004D3D5
.text C:\Windows\Explorer.EXE[2472] WS2_32.dll!WSASendTo 7680ADC4 5 Bytes JMP 2004D833
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpAddRequestHeadersA 76999ABA 5 Bytes JMP 005A164F
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpAddRequestHeadersW 769A0848 5 Bytes JMP 005A1817
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Windows\Explorer.EXE[2472] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Windows\Explorer.EXE[2472] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2001FF3F
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20017A40
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] ntdll.dll!KiUserApcDispatcher 776661E8 5 Bytes JMP 01337700 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] ntdll.dll!LdrLoadDll 7767F5B5 6 Bytes JMP 2001FDBB
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!sendto 767F3AED 5 Bytes JMP 2001D423
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 0216000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!WSARecvFrom 767F418D 5 Bytes JMP 2001D985
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!recv 767F47DF 5 Bytes JMP 0214000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!connect 767F48BE 5 Bytes JMP 0215000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!getaddrinfo 767F6737 5 Bytes JMP 0229000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!WSASend 767F68A7 5 Bytes JMP 2001D7C2
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!recvfrom 767FBF39 5 Bytes JMP 2001D74D
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!WSARecv 767FC29F 5 Bytes JMP 2001D8AA
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!send 767FC4C8 5 Bytes JMP 0227000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!gethostbyname 76807133 5 Bytes JMP 0228000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WS2_32.dll!WSASendTo 7680ADC4 5 Bytes JMP 2001D833
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!CreateWindowExA 7667E18A 6 Bytes JMP 7197000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!CreateWindowExW 76680E51 6 Bytes JMP 719B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!RegisterClassExW 7668212B 6 Bytes PUSH 71AE0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2001C9AD
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] USER32.dll!PeekMessageW 766891B5 6 Bytes JMP 71A1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2001E132
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2001EAD7
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2001E0D3
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2001EB92
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2001EBBF
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2001E7B8
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2001EBEC
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2001E012
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2001E105
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2001E9BC
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2001E915
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2001EC13
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2001E058
.text C:\Program Files\Internet Explorer\iexplore.exe[2764] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2001E09E
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!sendto 767F3AED 5 Bytes JMP 2004D423
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 2004DA66
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!WSARecvFrom 767F418D 5 Bytes JMP 2004D985
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!recv 767F47DF 5 Bytes JMP 2004D6DE
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!WSASend 767F68A7 5 Bytes JMP 2004D7C2
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!recvfrom 767FBF39 5 Bytes JMP 2004D74D
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!WSARecv 767FC29F 5 Bytes JMP 2004D8AA
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!send 767FC4C8 5 Bytes JMP 2004D3D5
.text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[3080] WS2_32.dll!WSASendTo 7680ADC4 5 Bytes JMP 2004D833
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!sendto 767F3AED 5 Bytes JMP 2004D423
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 2004DA66
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!WSARecvFrom 767F418D 5 Bytes JMP 2004D985
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!recv 767F47DF 5 Bytes JMP 2004D6DE
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!WSASend 767F68A7 5 Bytes JMP 2004D7C2
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!recvfrom 767FBF39 5 Bytes JMP 2004D74D
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!WSARecv 767FC29F 5 Bytes JMP 2004D8AA
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!send 767FC4C8 5 Bytes JMP 2004D3D5
.text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3112] WS2_32.dll!WSASendTo 7680ADC4 5 Bytes JMP 2004D833
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3120] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Program Files\dvd43\DVD43_Tray.exe[3128] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\dvd43\DVD43_Tray.exe[3128] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\dvd43\DVD43_Tray.exe[3128] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\dvd43\DVD43_Tray.exe[3128] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\iWare\iWare Mouse\3.2\Mouse32A.exe[3136] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\iWare\iWare Mouse\3.2\Mouse32A.exe[3136] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\iWare\iWare Mouse\3.2\Mouse32A.exe[3136] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\iWare\iWare Mouse\3.2\Mouse32A.exe[3136] user32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3144] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Windows\System32\igfxtray.exe[3160] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Windows\System32\igfxtray.exe[3160] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Windows\System32\igfxtray.exe[3160] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Windows\System32\igfxtray.exe[3160] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Windows\System32\hkcmd.exe[3168] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Windows\System32\hkcmd.exe[3168] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Windows\System32\hkcmd.exe[3168] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Windows\System32\hkcmd.exe[3168] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Windows\System32\hkcmd.exe[3168] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Windows\System32\igfxpers.exe[3176] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Windows\System32\igfxpers.exe[3176] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Windows\System32\igfxpers.exe[3176] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Windows\System32\igfxpers.exe[3176] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3184] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!sendto 767F3AED 5 Bytes JMP 2004D423
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 2004DA66
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!WSARecvFrom 767F418D 5 Bytes JMP 2004D985
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!recv 767F47DF 5 Bytes JMP 2004D6DE
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!WSASend 767F68A7 5 Bytes JMP 2004D7C2
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!recvfrom 767FBF39 5 Bytes JMP 2004D74D
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!WSARecv 767FC29F 5 Bytes JMP 2004D8AA
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!send 767FC4C8 5 Bytes JMP 2004D3D5
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] WS2_32.dll!WSASendTo 7680ADC4 5 Bytes JMP 2004D833
.text C:\Program Files\AVG\AVG10\avgtray.exe[3320] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] ntdll.dll!KiUserApcDispatcher 776661E8 5 Bytes JMP 018E7700 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] ntdll.dll!LdrLoadDll 7767F5B5 6 Bytes PUSH 71A60022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 019A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] WS2_32.dll!recv 767F47DF 5 Bytes JMP 014C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] WS2_32.dll!connect 767F48BE 5 Bytes JMP 014D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] WS2_32.dll!getaddrinfo 767F6737 5 Bytes JMP 0200000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] WS2_32.dll!send 767FC4C8 5 Bytes JMP 019B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] WS2_32.dll!gethostbyname 76807133 5 Bytes JMP 01FF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] USER32.dll!CreateWindowExA 7667E18A 6 Bytes JMP 7197000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] USER32.dll!CreateWindowExW 76680E51 6 Bytes JMP 719B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] USER32.dll!RegisterClassExW 7668212B 6 Bytes PUSH 71AE0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[3332] USER32.dll!PeekMessageW 766891B5 6 Bytes JMP 71A1000A
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!sendto 767F3AED 5 Bytes JMP 2004D423
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!closesocket 767F3BED 5 Bytes JMP 2004DA66
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!WSARecvFrom 767F418D 5 Bytes JMP 2004D985
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!recv 767F47DF 5 Bytes JMP 2004D6DE
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!WSASend 767F68A7 5 Bytes JMP 2004D7C2
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!recvfrom 767FBF39 5 Bytes JMP 2004D74D
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!WSARecv 767FC29F 5 Bytes JMP 2004D8AA
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!send 767FC4C8 5 Bytes JMP 2004D3D5
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[3452] ws2_32.DLL!WSASendTo 7680ADC4 5 Bytes JMP 2004D833
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!sendto 767F3AED 5 Bytes JMP 2004D423
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 2004DA66
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!WSARecvFrom 767F418D 5 Bytes JMP 2004D985
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!recv 767F47DF 5 Bytes JMP 2004D6DE
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!WSASend 767F68A7 5 Bytes JMP 2004D7C2
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!recvfrom 767FBF39 5 Bytes JMP 2004D74D
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!WSARecv 767FC29F 5 Bytes JMP 2004D8AA
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!send 767FC4C8 5 Bytes JMP 2004D3D5
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WS2_32.dll!WSASendTo 7680ADC4 5 Bytes JMP 2004D833
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Program Files\iTunes\iTunesHelper.exe[3524] WININET.DLL!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] WININET.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Program Files\Microsoft Security Client\msseces.exe[3564] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[3624] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[3624] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[3624] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe[3624] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetCloseHandle 7699C83E 5 Bytes JMP 2004E132
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetReadFile 7699E264 5 Bytes JMP 2004EAD7
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!HttpSendRequestW 7699EEB3 5 Bytes JMP 2004E0D3
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!HttpOpenRequestA 769A03FA 5 Bytes JMP 2004EB92
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!HttpOpenRequestW 769A05D3 5 Bytes JMP 2004EBBF
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetQueryDataAvailable 769A41CB 5 Bytes JMP 2004E7B8
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetOpenUrlA 769ADBD0 5 Bytes JMP 2004EBEC
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!HttpSendRequestExW 769B8E44 5 Bytes JMP 2004E012
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetWriteFile 769B90F0 5 Bytes JMP 2004E105
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetReadFileExW 769C12E9 5 Bytes JMP 2004E9BC
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetReadFileExA 769C1321 5 Bytes JMP 2004E915
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!InternetOpenUrlW 769FE0D4 5 Bytes JMP 2004EC13
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!HttpSendRequestExA 76A104D6 5 Bytes JMP 2004E058
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[3656] wininet.dll!HttpSendRequestA 76A105BC 5 Bytes JMP 2004E09E
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] ntdll.dll!NtQueryDirectoryFile 77665240 5 Bytes JMP 2004FF3F
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] ntdll.dll!NtResumeThread 77665750 5 Bytes JMP 20047A40
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] ntdll.dll!LdrLoadDll 7767F5B5 5 Bytes JMP 2004FDBB
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] USER32.dll!TranslateMessage 7668910F 5 Bytes JMP 2004C9AD
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!sendto 767F3AED 5 Bytes JMP 2004D423
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!closesocket 767F3BED 5 Bytes JMP 2004DA66
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!WSARecvFrom 767F418D 5 Bytes JMP 2004D985
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!recv 767F47DF 5 Bytes JMP 2004D6DE
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!WSASend 767F68A7 5 Bytes JMP 2004D7C2
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!recvfrom 767FBF39 5 Bytes JMP 2004D74D
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!WSARecv 767FC29F 5 Bytes JMP 2004D8AA
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!send 767FC4C8 5 Bytes JMP 2004D3D5
.text C:\Program Files\OEM\LIVE! OSD 1.08(AD)\osd.exe[3712] WS2_32.dll!WSASendTo 7680ADC4 5 Bytes JMP 2004D833
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[6280] ntdll.dll!KiUserApcDispatcher 776661E8 5 Bytes JMP 0043E9D0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[6280] WS2_32.dll!getaddrinfo 767F6737 5 Bytes JMP 71A50022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[6280] WS2_32.dll!gethostbyname 76807133 5 Bytes JMP 71AE0022
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] ntdll.dll!KiUserApcDispatcher 776661E8 5 Bytes JMP 015C7700 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] ntdll.dll!LdrLoadDll 7767F5B5 6 Bytes JMP 012D13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] kernel32.dll!SetUnhandledExceptionFilter 764A3162 6 Bytes PUSH 717A0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] WS2_32.dll!getaddrinfo 767F6737 5 Bytes JMP 0145000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] WS2_32.dll!gethostbyname 76807133 5 Bytes JMP 0144000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] GDI32.dll!BitBlt 76837180 6 Bytes PUSH 717E0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!DdeInitializeW 76676048 6 Bytes PUSH 71760022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!CreateWindowExA 7667E18A 6 Bytes JMP 7197000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!CreateWindowExW 76680E51 6 Bytes JMP 719B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!RegisterClassExW 7668212B 6 Bytes PUSH 71AE0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!GetWindowRect 76687450 6 Bytes PUSH 71630022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!DispatchMessageW 76688E8D 6 Bytes PUSH 71720022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!GetMessageW 76688F97 6 Bytes PUSH 71670022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!TranslateMessage 7668910F 6 Bytes PUSH 715F0022; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!PeekMessageW 766891B5 6 Bytes JMP 71A1000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[7144] USER32.dll!GetClipboardData 76694B47 6 Bytes PUSH 716E0022; RET

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Livekbc.SYS (Windows NT Caps-lock Ctrl Swapper/Systems Internals)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI_HAL \Device\00000056 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Threads - GMER 1.0.15 ----

Thread System [4:288] 873BBE41
Thread System [4:292] 873BDF55

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS008A7.log 1048576 bytes
File C:\Windows\Temp\avg-928e6636-c0b1-4015-a47a-460bad6e8955.tmp 0 bytes

---- EOF - GMER 1.0.15 ----
Attached file: ark.txt (72.1KB)

Thanks for your help
Ross

#2 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 15 April 2011 - 01:40 PM

Hello Ssco,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
We need to remove AVG Antivirus as it will interfere with some of the tools we will be using. We will re-install it when we are finished.

Please use AppRemover to remove AVG.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 17 April 2011 - 09:22 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#4 Ssco (Topic Starter)

Posted 18 April 2011 - 04:57 AM

Hi

Still here. Been away this weekend, but just going through the steps now. Will update later.

#5 Ssco (Topic Starter)

Posted 18 April 2011 - 05:52 AM

I've tried ComboFix, but get the following message after using either of the links:

You appear to have a corrupt download.
Please download a fresh copy of ComboFix.exe

#6 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 18 April 2011 - 09:24 AM

Hello,


Please try this to download and run Combofix.

Download and Rename Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below. You must rename it 1234.scr before saving it to your desktop.

Link 1
Link 2


  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on 1234.scr & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#7 Ssco (Topic Starter)

Posted 18 April 2011 - 11:32 AM

Ok, so far so good

Bad image errors seem to have stopped and I am yet to hear any random music play. Acrobat has opened and failed once and I've had a couple of script errors appear.

Here's the ComboFix Log:

ComboFix 11-04-17.03 - Ross 18/04/2011 16:00:05.1.1 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3033.1664 [GMT 1:00]
Running from: c:\users\Ross\Desktop\1234.scr.exe
AV: AVG Anti-Virus 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AVG Anti-Virus 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Jo\AppData\Roaming\Ithiqe
c:\users\Jo\AppData\Roaming\Ithiqe\kice.cez
c:\users\Ross\AppData\Local\mbk.exe
c:\users\Ross\AppData\Local\vjg.exe
c:\users\Ross\AppData\Roaming\Ikwiyd
c:\users\Ross\AppData\Roaming\Ikwiyd\ohky.aga
c:\users\Ross\AppData\Roaming\Microsoft\Windows\Templates\7a3d8u8784tdd04w7i4a1pj
c:\users\Ross\AppData\Roaming\Osgie
c:\users\Ross\AppData\Roaming\Osgie\onxe.viu
c:\users\Ross\AppData\Roaming\Vuos
c:\users\Ross\AppData\Roaming\Vuos\haubn.kyx
c:\users\Ross\Desktop\Windows Tool.lnk
c:\windows\system32\setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
.
.
2011-04-18 15:16 . 2011-04-18 15:16 -------- d-----w- c:\users\Jo\AppData\Local\temp
2011-04-18 15:16 . 2011-04-18 15:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-18 15:16 . 2011-04-18 15:19 -------- d-----w- c:\users\Ross\AppData\Local\temp
2011-04-15 23:38 . 2011-04-15 23:38 -------- d-----w- c:\program files\mfsqusbn
2011-04-14 23:55 . 2011-04-18 09:00 184691 --s---w- c:\users\Ross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vwmbliry.exe
2011-04-14 10:57 . 2011-03-03 03:31 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 10:57 . 2011-02-12 05:30 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-04-14 10:57 . 2011-02-24 05:32 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-14 10:57 . 2011-03-08 05:38 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-14 10:57 . 2011-03-11 05:40 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-04-14 10:57 . 2011-03-11 05:40 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-14 10:57 . 2011-02-23 05:05 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-14 10:57 . 2011-02-23 05:05 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-14 10:57 . 2011-02-23 05:05 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-14 10:57 . 2011-02-23 05:05 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-08 22:45 . 2011-04-08 22:45 -------- d-----w- c:\users\Ross\AppData\Local\Panther
2011-04-07 20:09 . 2011-04-07 20:09 -------- d-----w- c:\users\Jo\AppData\Roaming\AVG10
2011-04-07 19:57 . 2011-04-07 19:57 -------- d-----w- c:\program files\iPod
2011-04-07 19:55 . 2011-04-07 19:55 -------- d-----w- c:\program files\Apple Software Update
2011-04-07 18:03 . 2011-04-07 18:03 -------- d-----w- c:\users\Jo\AppData\Roaming\Meky
2011-04-05 10:42 . 2011-04-05 11:42 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-04-05 10:42 . 2011-04-05 10:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-02 01:57 . 2011-04-02 01:57 -------- d-----w- C:\e318dc370fb7b3cf2fa58a44
2011-04-02 01:56 . 2011-04-02 01:56 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-01 20:15 . 2011-04-01 20:15 -------- d-----w- c:\users\Ross\AppData\Local\Sophos
2011-04-01 20:13 . 2011-04-01 21:55 -------- d-----w- c:\programdata\Sophos
2011-04-01 20:12 . 2011-04-01 20:13 -------- d-----w- C:\stdtsa
2011-04-01 11:05 . 2011-04-01 11:05 -------- d-----w- c:\users\Ross\AppData\Roaming\AVG10
2011-04-01 10:59 . 2011-04-01 10:59 -------- d--h--w- c:\programdata\Common Files
2011-04-01 10:57 . 2011-04-15 23:37 -------- d-----w- c:\programdata\AVG10
2011-04-01 10:57 . 2011-04-01 10:57 -------- d-----w- c:\program files\AVG
2011-04-01 10:48 . 2011-04-01 10:57 -------- d-----w- c:\programdata\MFAData
2011-04-01 10:15 . 2011-02-19 05:56 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-04-01 10:15 . 2011-02-19 05:56 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-04-01 10:15 . 2011-02-19 05:56 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-03-30 19:43 . 2011-04-01 21:56 -------- d-----w- c:\program files\Sophos
2011-03-30 18:48 . 2010-12-18 05:30 2690560 ----a-w- c:\windows\system32\mstscax.dll
2011-03-30 18:48 . 2010-12-18 05:26 1034240 ----a-w- c:\windows\system32\mstsc.exe
2011-03-30 18:48 . 2010-12-23 05:28 642048 ----a-w- c:\windows\system32\CPFilters.dll
2011-03-30 18:48 . 2010-12-23 05:28 850432 ----a-w- c:\windows\system32\sbe.dll
2011-03-30 18:48 . 2010-12-23 05:28 534528 ----a-w- c:\windows\system32\EncDec.dll
2011-03-30 18:48 . 2010-12-23 05:24 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-30 16:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-30 16:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-22 16:16 . 2011-03-22 16:16 -------- d-----w- c:\users\Ross\AppData\Local\DDMSettings
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 11:51 . 2010-05-18 13:33 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-28 12:08 . 2011-02-28 12:08 734208 ----a-w- c:\programdata\xhwxaNExnsjRHcn.dll
2011-02-18 15:36 . 2011-02-18 15:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 15:36 . 2011-02-18 15:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 21:35 . 2011-02-17 21:35 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-02-11 06:54 . 2011-02-25 09:09 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FF7DF750-D664-4CD7-B846-C9FF42D8CA1B}\mpengine.dll
2011-02-03 05:45 . 2011-02-09 10:15 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2009-10-29 23:15 . 2009-10-29 23:15 93226280 ----a-w- c:\program files\iTunesSetup.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-11 68856]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2010-08-24 247144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-12-11 6703648]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-12-11 1833504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-08-06 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-23 827904]
"LWBMOUSE"="c:\program files\iWare\iWare Mouse\3.2\MOUSE32A.EXE" [2002-05-24 357376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 610669]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\users\Ross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
vwmbliry.exe [2011-4-18 184691]
.
c:\users\Jo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-11-22 330142]
Logitech Touch Mouse Server.lnk - c:\users\Ross\AppData\Local\Temp\iTouch-Server-Win.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
OSD.lnk - c:\windows\Installer\{73289228-1853-4623-982A-EB17FF0270CA}\_8C907BDB88568761BFD8AD.exe [2009-6-17 3262]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-26 135664]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1D4.tmp [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-15 1343400]
S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2011-02-17 53816]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-03-06 390528]
S1 RapportCerberus_25973;RapportCerberus_25973;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [2011-04-14 57144]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2011-02-17 66360]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2011-02-17 157752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 LiveGpdKBFilter;LiveGpdKBFilter; [x]
S2 LiveIO;LiveIO; [x]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2011-02-17 821048]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-09-22 112128]
S3 Livekbc;Livekbc; [x]
S3 Livemouclass;Livemouclass; [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-26 14:33]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-26 14:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=DSGI&bmod=DSGI
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab
FF - ProfilePath - c:\users\Ross\AppData\Roaming\Mozilla\Firefox\Profiles\h6m479e3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2319576&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Logitech Touch Mouse Server - c:\users\Ross\AppData\Local\Temp\uninst.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1D4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-18 16:53:30
ComboFix-quarantined-files.txt 2011-04-18 15:53
.
Pre-Run: 136,571,170,816 bytes free
Post-Run: 138,505,400,320 bytes free
.
- - End Of File - - 52E669BD3F65D51E23163FF22D9D1485


Thanks
Ross

Attached File: ComboFix.txt (14.77KB)

#8 fireman4it

fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:27 PM

Posted 18 April 2011 - 01:03 PM

Hello,

We have some work to do.


1.
Please delete the copy of Combofix you have on your desktop. Then download a new copy from one of the links below. This time don't rename it. Don't run it; follow the directions below.
Link 1
Link 2


We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

File::
c:\users\Ross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vwmbliry.exe
c:\programdata\xhwxaNExnsjRHcn.dll

Folder::
c:\program files\mfsqusbn

DDS::
uInternet Settings,ProxyOverride = *.local
DPF: {644F656A-013E-4198-BE03-1D7A4F6AB550} - hxxps://www.promapserver.co.uk/controls/latest/promap.cab

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=-
"ConsentPromptBehaviorUser"=-
"EnableUIADesktopToggle"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"=-

Driver::
Livekbc
Livemouclass
LiveGpdKBFilter
LiveIO
MEMSWEEP2

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Things to include in your next reply:
Combofix.txt
MBAM log
Eset log
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!

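The CFScript above singles out entries by where they live and whether their image still exists: an executable dropped straight into a user's Startup folder, a DLL with a random name in ProgramData, a Startup shortcut whose target in Temp is already gone, and services whose driver file is missing or is a .tmp file in system32. The script below is an added example, not part of the original thread and not ComboFix's own code. It parses the Run-key, Startup-folder and service lines in the format ComboFix prints (the sample is a constructed excerpt modelled on the log posted above, not the full log) and applies those same signals, so the same judgement can be repeated quickly on a larger log. The path heuristic is deliberately coarse: plenty of legitimate vendor data lives under ProgramData, so a hit there is a prompt to look, not a verdict.

```python
"""Triage the autorun section of a ComboFix log.

Added example for this thread; it is not ComboFix's own code and not part of
the original post. It parses three kinds of lines in the format ComboFix
prints (Run-key values, Startup-folder items and service entries) and flags
the ones a responder would look at first using the same signals the CFScript
above relies on: an image that no longer exists ([x] or [N/A]), a loadable
image with a .tmp extension, and binaries launched from user-writable paths.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2008-12-11 6703648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
c:\users\Ross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
vwmbliry.exe [2011-4-18 184691]
.
c:\users\Jo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2010-11-22 330142]
Logitech Touch Mouse Server.lnk - c:\users\Ross\AppData\Local\Temp\iTouch-Server-Win.exe [N/A]
.
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\1D4.tmp [x]
S2 LiveIO;LiveIO; [x]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
"""


@dataclass
class Entry:
    kind: str      # "run", "startup" or "service"
    name: str      # value name, file/shortcut name, or service name
    path: str      # image path as written in the log ("" when absent)
    meta: str      # bracketed tail: "YYYY-MM-DD size", "N/A" or "x"
    reasons: list = field(default_factory=list)


# Line shapes as ComboFix prints them in the 'Reg Loading Points' section.
RUN_KEY = re.compile(r"^\[HKEY_[^\]]+\]$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)" \[([^\]]*)\]$')
FOLDER = re.compile(r"^[a-z]:\\.*\\$", re.I)                  # a Startup folder header
FOLDER_ITEM = re.compile(r"^(.+?)(?: - (.+?))? \[([^\]]*)\]$")  # "x.exe [..]" or "x.lnk - target [..]"
SERVICE = re.compile(r"^[RS]\d ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$")

# Locations an unprivileged user (and therefore user-level malware) can write to.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp)\\", re.I)


def parse_autoruns(text):
    """Return Entry objects for every Run value, Startup item and service line."""
    entries, folder = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # "." separates blocks in the log
            folder = None
            continue
        if RUN_KEY.match(line):
            folder = None
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.append(Entry("run", m.group(1), m.group(2), m.group(3)))
            continue
        m = SERVICE.match(line)
        if m:
            entries.append(Entry("service", m.group(1), m.group(3), m.group(4)))
            continue
        if FOLDER.match(line):
            folder = line
            continue
        m = FOLDER_ITEM.match(line)
        if m and folder:
            name, target, meta = m.groups()
            # A bare .exe runs from the Startup folder itself; a .lnk points elsewhere.
            entries.append(Entry("startup", name, target or folder + name, meta))
    return entries


def triage(entries):
    """Attach a reason to each entry worth a closer look and return only those."""
    flagged = []
    for e in entries:
        if e.meta == "x" or not e.path:
            e.reasons.append("registered but image missing")
        elif e.meta == "N/A":
            e.reasons.append("target not found on disk at scan time")
        if e.path.lower().endswith(".tmp"):
            e.reasons.append("loadable image with a .tmp extension")
        if USER_WRITABLE.search(e.path):
            e.reasons.append("runs from a user-writable location")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_autoruns(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name:35} {e.path or '<none>'}")
        for r in e.reasons:
            print(f"{'':8} - {r}")
```

Run against the constructed sample it flags exactly the four items the helper's script targets or removes (vwmbliry.exe, the orphaned Logitech shortcut, MEMSWEEP2 and LiveIO) and passes the vendor Run values and TomTom service through untouched.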

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:27 PM

Posted 20 April 2011 - 04:57 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:27 PM

Posted 23 April 2011 - 10:39 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
