Win32 and VBS Generic infection


  • This topic is locked
19 replies to this topic

#1 RachelG

RachelG

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 17 April 2011 - 10:55 AM

I'm really hoping someone can help me. This is my daughter's computer and she says she's been experiencing problems for the past 4 days. Her AVG Resident Shield has been going crazy bringing up an "infected" file every couple of seconds since Friday. She has tried a system restore twice. She has also tried to go straight to ComboFix, at which point I have taken over as I want it cleaned properly (she is too impatient); however, reading this forum is making me a bit worried as your forum says only to do this when told to do so. She stated ComboFix didn't get completely installed as it stated it couldn't function without disabling AVG, so hopefully this hasn't done too much damage. The viruses that AVG Resident Shield is bringing up are Win32/Zbot.G and VBS/Generic. I have run Malwarebytes and this has brought nothing up. I have posted the log below. I have been unable to provide the GMER log as this keeps crashing after about an hour. Google results have also been redirecting to various different websites.

I would be so so grateful if anyone could possibly help.


DDS (Ver_11-03-05.01) - NTFSx86
Run by User at 19:45:49.28 on 16/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.204 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\rugbmqli\abxqaqrv.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CARPService] carpserv.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\6nfveeg0.default\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-24 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-24 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-24 243024]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\25973\RapportCerberus_25973.sys [2011-4-13 57144]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S0 kilmjjnh;kilmjjnh;c:\windows\system32\drivers\ynilxxfnyby.sys [2011-4-14 44032]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-5 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\user\locals~1\temp\hmyxanni.sys --> c:\docume~1\user\locals~1\temp\hmyxanni.sys [?]
.
=============== Created Last 30 ================
.
2011-04-15 23:36:17 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2011-04-15 23:36:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-15 23:36:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-15 23:36:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-15 23:36:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-15 22:48:59 -------- d-----w- c:\program files\rugbmqli
2011-04-14 18:44:07 77385 ----a-w- c:\windows\system32\MAI1E5.tmp
2011-04-14 18:44:07 44032 ----a-w- c:\windows\system32\drivers\ynilxxfnyby.sys
2011-03-20 00:10:50 -------- d-----w- c:\program files\iPod
2011-03-20 00:10:46 -------- d-----w- c:\program files\iTunes
2011-03-20 00:07:31 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-02-18 16:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2000BB-00DWA0 rev.15.05R15 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87331439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x873377d0]; MOV EAX, [0x8733784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x87356AB8]
3 CLASSPNP[0xF74FCFD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000005c[0x873599E8]
5 ACPI[0xF7373620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x87357940]
\Driver\atapi[0x8738F610] -> IRP_MJ_CREATE -> 0x87331439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD2000BB-00DWA0_____________________15.05R15#4457572d414d4845303234333331_038_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8733127F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:48:38.43 ===============


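The DDS log above contains the indicators the helper later acts on: a Winlogon Userinit value with an extra executable appended, DisableTaskMgr policies, a boot-start driver with a random name, and a service whose image lives in a Temp folder. The following is an added example, not code from the thread, from DDS or from ComboFix: a small Python triage script that parses DDS-style "Pseudo HJT" and service lines and flags those patterns. The sample lines are copied from the log posted above (plus one benign Trusteer Rapport driver line); the flagging heuristics are assumptions chosen for illustration, not a vendor's detection logic.

```python
"""Triage DDS 'Pseudo HJT Report' and service lines for the tampering signs
seen in this thread: Userinit hijack, disabled Task Manager, drivers/services
loading from Temp, and unlabelled drivers whose file name does not match.
Added example; the heuristics are assumptions for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str       # the log line that triggered the finding
    reason: str


# Constructed sample: lines copied from the DDS log in the thread, plus a
# benign RapportKELL driver line to show an entry that is not flagged.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\rugbmqli\abxqaqrv.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
S0 kilmjjnh;kilmjjnh;c:\windows\system32\drivers\ynilxxfnyby.sys [2011-4-14 44032]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\user\locals~1\temp\hmyxanni.sys --> c:\docume~1\user\locals~1\temp\hmyxanni.sys [?]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
"""

# DDS service line: "<R|S><start> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?$")
USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
POLICY_RE = re.compile(r"^[a-z]Policies-system:\s*(\w+)\s*=\s*(\d+)", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)        # any "\temp\" path component
RESTRICTIVE_POLICIES = {"disabletaskmgr", "disableregistrytools"}


def check_userinit(line):
    """Userinit should contain only userinit.exe; anything else is appended malware."""
    m = USERINIT_RE.match(line)
    if not m:
        return []
    entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
    extras = [e for e in entries if not e.endswith("\\userinit.exe")]
    if extras:
        return [Finding("high", line, "extra Userinit entries: " + ", ".join(extras))]
    return []


def check_policy(line):
    """Flag policies that lock the user out of Task Manager / regedit."""
    m = POLICY_RE.match(line)
    if m and m.group(1).lower() in RESTRICTIVE_POLICIES and m.group(2) != "0":
        return [Finding("medium", line, f"{m.group(1)} is set; admin tools are disabled")]
    return []


def check_service(line):
    """Flag services/drivers by image location, missing file, and naming (heuristic)."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _start, name, display, path = m.groups()
    low = path.lower()
    findings = []
    if TEMP_RE.search(low):
        findings.append(Finding("high", line, f"service '{name}' loads from a Temp directory"))
    if line.rstrip().endswith("[?]"):   # DDS marks images it could not find this way
        findings.append(Finding("medium", line, f"service '{name}' image not found on disk"))
    basename = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    # Heuristic: a .sys driver with no vendor description (display == name) whose
    # file name differs from its service name, e.g. kilmjjnh -> ynilxxfnyby.sys
    if low.endswith(".sys") and name.lower() == display.lower() and basename != name.lower():
        findings.append(Finding("medium", line,
                                f"driver '{name}' has no description and image '{basename}' does not match"))
    return findings


CHECKS = (check_userinit, check_policy, check_service)


def triage(text):
    """Run every check over each non-empty log line; return the list of findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        for check in CHECKS:
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports seven findings, two of them high: the Userinit hijack and the service loading from Temp. The RapportKELL and AVG lines pass, because their file names match their service names or carry a vendor description. The naming heuristic is deliberately loose; it is a prompt for a human to look, not a verdict.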

#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 17 April 2011 - 11:06 AM

Hello RachelG,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
We need to uninstall avg so we can run our tools. Please use Appremover to uninstall Avg.


2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 RachelG

RachelG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 17 April 2011 - 12:58 PM

Did up to stage 2, ran TDSSKiller.exe and pressed cure and reboot. It has rebooted. I tried to get into my C: drive to locate the log to post it, but it is now saying my C drive files are hidden? I have had to come onto another PC to post this as my computer is now not letting me on the Bleeping Computer website, saying it cannot connect to the server. Internet connection is OK as it's letting me on Google, but I don't know what to do next?

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 17 April 2011 - 03:43 PM

Hello,
Go ahead and run Combofix and then post the log.

#5 RachelG

RachelG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:50 AM

Posted 18 April 2011 - 02:45 PM

Hello. I managed to get onto the ComboFix link by using the direct link. The PC is still blocking this website (I'm using another PC to post back and have emailed the log to myself so I can post it). The PC is still redirecting from websites, but is generally connecting to most pages. The only thing I can't find is the TDSSKiller log on my C drive. Anyway, here's the ComboFix log. I am as ever extremely grateful for all your help.

ComboFix 11-04-17.03 - User 18/04/2011 18:21:20.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.602 [GMT 1:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\ynilxxfnyby.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_KILMJJNH
-------\Service_kilmjjnh
.
.
((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
.
.
2011-04-15 23:36 . 2011-04-17 17:06 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-04-15 22:48 . 2011-04-18 17:55 -------- d-----w- c:\program files\rugbmqli
2011-04-15 18:45 . 2011-04-15 22:48 -------- d-----w- c:\documents and settings\Administrator
2011-04-14 18:44 . 2011-04-14 18:44 77385 ----a-w- c:\windows\system32\MAI1E5.tmp
2011-04-12 18:39 . 2011-04-15 22:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-20 00:10 . 2011-03-20 00:10 -------- d-----w- c:\program files\iPod
2011-03-20 00:10 . 2011-03-20 00:11 -------- d-----w- c:\program files\iTunes
2011-03-20 00:07 . 2011-03-20 00:07 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-03-24 12:23 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 16:36 . 2010-04-03 00:04 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2010-04-03 00:04 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-24 13:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2010-03-24 12:21 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-24 12:21 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-10-29 577536]
"CARPService"="carpserv.exe" [2003-05-21 4608]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\rugbmqli\abxqaqrv.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 22:04 57144]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/04/2010 17:52 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
S3 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\User\LOCALS~1\Temp\hmyxanni.sys --> c:\docume~1\User\LOCALS~1\Temp\hmyxanni.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-18 c:\windows\Tasks\User_Feed_Synchronization-{09699606-D470-48E7-8842-28A141BABA08}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\6nfveeg0.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-avgrsstarter - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-18 18:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
c:\documents and settings\User\Start Menu\Programs\Startup\desktop.ini 84 bytes
C:\abxqaqrv.exe 172528 bytes executable
C:\AUTOEXEC.BAT 0 bytes
C:\b23fd430c0941d59f08e00
C:\Boot.bak 211 bytes
C:\boot.ini 327 bytes
C:\cmdcons
C:\cmldr 260272 bytes
C:\ComboFix
C:\CONFIG.SYS 0 bytes
C:\Documents and Settings
C:\hiberfil.sys 1073270784 bytes
C:\IO.SYS 0 bytes
C:\MSDOS.SYS 0 bytes
C:\NTDETECT.COM 47564 bytes
C:\ntldr 250048 bytes
C:\pagefile.sys 1610612736 bytes
C:\Program Files
C:\Qoobox
C:\TDSSKiller.2.4.21.0_17.04.2011_18.18.04_log.txt 36280 bytes
C:\WINDOWS
.
scan completed successfully
hidden files: 22
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2452)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\carpserv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-04-18 19:04:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-18 18:04
.
.
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 4476EE49E6F84D6FE7422425775D0BBA

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 18 April 2011 - 10:53 PM

Hello,

Well, let's see if we can stop those redirects.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

File::
c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe
C:\abxqaqrv.exe

Folder::
c:\program files\rugbmqli

DDS::
uInternet Settings,ProxyOverride = *.local

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

Driver::
Micorsoft Windows Service



Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


3.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\system32\MAI1E5.tmp

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Things to include in your next reply::
Combofix.txt
MBAM log
Jotti results
How is your machine running now?

Edited by fireman4it, 18 April 2011 - 10:55 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 RachelG

RachelG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 19 April 2011 - 03:22 PM

Hello. I have posted the Combofix log as well as the Malwarebytes log below. Unfortunately, the infected PC is stating it "can't establish a connection to servers" and won't connect to the Jotti site, therefore I have been unable to run this. Have you any other links I could try in order to download this? Thank you.

Combofix log:



ComboFix 11-04-19.01 - User 19/04/2011 20:06:41.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.642 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
FILE ::
"C:\abxqaqrv.exe"
"c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\abxqaqrv.exe
c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe
c:\program files\rugbmqli
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-03-19 to 2011-04-19 )))))))))))))))))))))))))))))))
.
.
2011-04-19 19:20 . 2011-04-19 19:20 -------- d-----w- c:\program files\rugbmqli
2011-04-15 23:36 . 2011-04-17 17:06 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-04-15 18:45 . 2011-04-15 22:48 -------- d-----w- c:\documents and settings\Administrator
2011-04-14 18:44 . 2011-04-14 18:44 77385 ----a-w- c:\windows\system32\MAI1E5.tmp
2011-04-12 18:39 . 2011-04-15 22:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-03-24 12:23 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 16:36 . 2010-04-03 00:04 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2010-04-03 00:04 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-24 13:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2010-03-24 12:21 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-24 12:21 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2006-02-28 12:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-10-29 577536]
"CARPService"="carpserv.exe" [2003-05-21 4608]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\rugbmqli\abxqaqrv.exe"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 22:04 57144]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/04/2010 17:52 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-04-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-19 c:\windows\Tasks\User_Feed_Synchronization-{09699606-D470-48E7-8842-28A141BABA08}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\6nfveeg0.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-19 20:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
c:\documents and settings\User\Start Menu\Programs\Startup\desktop.ini 84 bytes
C:\abxqaqrv.exe 172528 bytes executable
C:\AUTOEXEC.BAT 0 bytes
C:\b23fd430c0941d59f08e00
C:\Boot.bak 211 bytes
C:\boot.ini 327 bytes
C:\cmdcons
C:\cmldr 260272 bytes
C:\ComboFix
C:\CONFIG.SYS 0 bytes
C:\Documents and Settings
C:\hiberfil.sys 1073270784 bytes
C:\IO.SYS 0 bytes
C:\MSDOS.SYS 0 bytes
C:\NTDETECT.COM 47564 bytes
C:\ntldr 250048 bytes
C:\pagefile.sys 1610612736 bytes
C:\Program Files
C:\Qoobox
C:\TDSSKiller.2.4.21.0_17.04.2011_18.18.04_log.txt 36280 bytes
C:\WINDOWS
.
scan completed successfully
hidden files: 22
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(252)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\program files\Common Files\Ahead\Lib\NeroDigitalExt.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\carpserv.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\SearchProtocolHost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-04-19 20:30:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-19 19:29
ComboFix2.txt 2011-04-18 18:04
.
.
.
- - End Of File - - 582E28FD5AD002B5B7E663414B53394C


Malware Bytes log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6399

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/04/2011 20:57:18
mbam-log-2011-04-19 (20-57-18).txt

Scan type: Quick scan
Objects scanned: 154977
Time elapsed: 15 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
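
As an added illustration (example code written for this page, not from the thread, ComboFix or Malwarebytes): the persistence this thread is cleaning is the Winlogon "Userinit" value, which the ComboFix log above shows as `c:\windows\system32\userinit.exe,,c:\program files\rugbmqli\abxqaqrv.exe`. Windows' own default is `C:\WINDOWS\system32\userinit.exe,` (a single path followed by a trailing comma), and Winlogon runs every comma-separated program in that value at logon, which is why a Zbot-style dropper appends itself there. The script below splits the value the way Winlogon does and reports anything that is not the genuine `system32\userinit.exe`; the sample log text is constructed from the entry shown in this thread, and all function names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Added example for this page, not part of the original thread.
# Windows' default Winlogon value is "C:\WINDOWS\system32\userinit.exe,"
# (trailing comma). Anything else chained onto it runs at every logon.
EXPECTED_USERINIT = "userinit.exe"
EXPECTED_DIR = r"c:\windows\system32"

# Matches the line as ComboFix prints it under "Reg Loading Points".
USERINIT_RE = re.compile(r'"Userinit"="([^"]*)"', re.IGNORECASE)

# Constructed sample, modelled on the tampered entry in the log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\rugbmqli\abxqaqrv.exe"
'''

# The untouched Windows XP default, for comparison.
CLEAN_VALUE = r"C:\WINDOWS\system32\userinit.exe,"


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated Userinit value into its program paths.

    Empty fields (the ",," in the tampered value) are dropped, which is
    also how Winlogon treats them.
    """
    return [p.strip() for p in value.split(",") if p.strip()]


def userinit_extras(value: str) -> list[str]:
    """Return every entry that is not the genuine system32\\userinit.exe.

    The check is deliberately strict: a bare "userinit.exe" without its
    directory, or a copy living anywhere else, is reported too.
    """
    extras = []
    for entry in parse_userinit(value):
        path = PureWindowsPath(entry)
        ok_name = path.name.lower() == EXPECTED_USERINIT
        ok_dir = str(path.parent).lower() == EXPECTED_DIR
        if not (ok_name and ok_dir):
            extras.append(entry)
    return extras


def audit_log(log_text: str) -> list[dict]:
    """Scan ComboFix-style output for Userinit values with hijacked entries."""
    findings = []
    for match in USERINIT_RE.finditer(log_text):
        value = match.group(1)
        extras = userinit_extras(value)
        if extras:
            findings.append({"value": value, "extras": extras})
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print("Userinit hijacked:", finding["value"])
        for extra in finding["extras"]:
            print("  extra logon program:", extra)
    print("clean default flagged:", userinit_extras(CLEAN_VALUE))
```

The same split-and-compare logic applies to the live registry value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`; the CFScript in the reply above restores that value to the single genuine path, and this check is how to confirm afterwards that nothing was re-appended.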

#8 RachelG

RachelG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 19 April 2011 - 03:24 PM

P.S. It also won't connect to virustotal.com.

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:50 AM

Posted 19 April 2011 - 04:58 PM

Hello,

Can you burn CDs, and do you have access to a USB flash drive?

1.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


2.
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

3.
Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Posted Image
Click the "Scan" button to start scan


Posted Image
On completion of the scan click save log, save it to your desktop and post in your next reply

4.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\program files\rugbmqli
c:\windows\system32\MAI1E5.tmp

Folder::
c:\program files\rugbmqli

Rootkit::
C:\abxqaqrv.exe
c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe
c:\program files\rugbmqli\abxqaqrv.exe



Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"


Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



Things to include in your next reply::
Gmer log
RkuUnhooker
aswMBR log
Combofix.txt
How is your machine running now?



#10 RachelG

RachelG
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 21 April 2011 - 01:58 PM

Hi

I initially just ran Rootkit Unhooker and ComboFix, as that was all the infected PC would let me access; it said it wouldn't connect to aswMBR. After ComboFix rebooted, I tried this website from the infected PC. First it redirected me, but after a second attempt through Google it let me on. I straight away downloaded aswMBR so I could complete all steps, but when I've gone to post on here from the infected PC it has gone back to saying it cannot connect again.

The last few times I've restarted the computer my firewall has come up asking me if I want to continue to block aspects of Internet Explorer. I've clicked ignore on these occasions, but I don't know if I'm doing something wrong. Also, as we use Firefox instead of IE, every time I open the Firefox browser it asks if I want to make it my default browser; again I don't know whether this is part of the infection, so I've pressed ignore.

Lastly, after I downloaded aswMBR something else has appeared on my desktop: a gold disk with a play button icon with "MBR" underneath. Not sure what it is...

I have included the RkUnhooker, aswMBR and ComboFix logs below. I haven't included the GMER log. I ran it for 7 hours yesterday, but when the computer went into its screen saver mode and I logged back in, it had frozen.


RkuUnhooker
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 4276224 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 56.73 )
0xF69D9000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 3960832 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2069376 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2069376 bytes
0x804D7000 RAW 2069376 bytes
0x804D7000 WMIxWDM 2069376 bytes
0xF6FCA000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 1900544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 56.73 )
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6E5F000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1064960 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF6DC4000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 634880 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF7229000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF46A5000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6823000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF47B3000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF0C94000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF426000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xEFD36000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF6F86000 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys 196608 bytes (Conexant Systems, Inc., HSF_HWB2 WDM driver)
0xF68A9000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF736D000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF0E04000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71FC000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEE75D000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF473E000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF4715000 C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys 167936 bytes (Trusteer Ltd., RapportPG)
0xF478B000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7317000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF467F000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEFB68000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF69B5000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6DA0000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6F63000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF4769000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806D1000 ACPI_HAL 131840 bytes
0x806D1000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72DF000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF733D000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF71E2000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xEE788000 C:\DOCUME~1\User\LOCALS~1\Temp\kgwdqfog.sys 102400 bytes
0xF72FF000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF26BF000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF72B6000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF68EA000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF006F000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF69A1000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF6FB6000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF480C000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF72CD000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF735C000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF68D9000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF2748000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF76CC000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF754C000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF74AC000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF757C000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF6911000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF755C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76EC000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF0904000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF763C000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74BC000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF750C000 RapportKELL.sys 57344 bytes (Trusteer Ltd., RapportKE)
0xF76AC000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xF74FC000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF770C000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF6941000 C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys 53248 bytes (Trusteer Ltd., RapportCerberus)
0xF758C000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF74DC000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF756C000 C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys 49152 bytes (VIA Technologies, Inc. , NDIS 5.0 miniport driver)
0xF751C000 gagp30kx.sys 49152 bytes (Microsoft Corporation, MS Generic AGPv3.0 Filter for K8/9 Processor Platforms)
0xF75AC000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF6931000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF76BC000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74CC000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF759C000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF749C000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76FC000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF75CC000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF74EC000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF54EF000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF75BC000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF6961000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEFB38000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF6921000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF775C000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7834000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77E4000 C:\WINDOWS\system32\DRIVERS\strmdisp.sys 32768 bytes (Conexant Systems, Inc., Conexant Stream Dispatcher)
0xF7774000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF778C000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7894000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF771C000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF77CC000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF7764000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF7784000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF777C000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF776C000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7824000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF780C000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF782C000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7724000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF779C000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77A4000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7794000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF786C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7930000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
0xF71B6000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF1769000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7988000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF78AC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF549F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF71A6000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF0E3D000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF4B02000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF798C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7968000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79FA000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF79A2000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7A08000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79F8000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF799C000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79FC000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79BE000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79FE000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79CE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79A4000 C:\WINDOWS\System32\Drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF79A0000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF799E000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7BB6000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7ACF000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7AB3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
==============================================
>Stealth
==============================================

aswMBR

aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-21 19:25:12
-----------------------------
19:25:12.718 OS Version: Windows 5.1.2600 Service Pack 3
19:25:12.718 Number of processors: 1 586 0x408
19:25:12.718 ComputerName: USER-EAD4088C65 UserName: User
19:25:16.109 Initialize success
19:25:31.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
19:25:31.281 Disk 0 Vendor: WDC_WD2000BB-00DWA0 15.05R15 Size: 187440MB BusType: 3
19:25:31.296 Disk 0 MBR read successfully
19:25:31.296 Disk 0 MBR scan
19:25:31.296 Disk 0 scanning sectors +383857110
19:25:31.359 Disk 0 scanning C:\WINDOWS\system32\drivers
19:25:40.687 Service scanning
19:25:46.031 Disk 0 trace - called modules:
19:25:46.046 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys
19:25:46.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8737fab8]
19:25:46.046 3 CLASSPNP.SYS[f74fcfd7] -> nt!IofCallDriver -> \Device\0000005a[0x87384948]
19:25:46.046 5 ACPI.sys[f7373620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x87378d98]
19:25:46.046 Scan finished successfully

Combofix log

ComboFix 11-04-21.01 - User 21/04/2011 18:55:25.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.620 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
.
FILE ::
"c:\program files\rugbmqli"
"c:\windows\system32\MAI1E5.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\MAI1E5.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-19 19:41 . 2011-04-19 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-19 19:41 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-19 19:41 . 2011-04-19 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-19 19:41 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-19 19:20 . 2011-04-19 19:20 -------- d-----w- c:\program files\rugbmqli
2011-04-15 23:36 . 2011-04-19 19:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-04-15 18:45 . 2011-04-20 17:39 -------- d-----w- c:\documents and settings\Administrator
2011-04-12 18:39 . 2011-04-15 22:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-03-24 12:23 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 16:36 . 2010-04-03 00:04 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2010-04-03 00:04 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-24 13:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2010-03-24 12:21 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-24 12:21 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-10-29 577536]
"CARPService"="carpserv.exe" [2003-05-21 4608]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 22:04 57144]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/04/2010 17:52 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NORMANDY
*Deregistered* - kgwdqfog
*Deregistered* - Normandy
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-21 c:\windows\Tasks\User_Feed_Synchronization-{09699606-D470-48E7-8842-28A141BABA08}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\6nfveeg0.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 19:01
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
c:\documents and settings\User\Start Menu\Programs\Startup\desktop.ini 84 bytes
C:\abxqaqrv.exe 172528 bytes executable
C:\AUTOEXEC.BAT 0 bytes
C:\b23fd430c0941d59f08e00
C:\Boot.bak 211 bytes
C:\boot.ini 327 bytes
C:\cmdcons
C:\cmldr 260272 bytes
C:\ComboFix
C:\CONFIG.SYS 0 bytes
C:\Documents and Settings
C:\hiberfil.sys 1073270784 bytes
C:\IO.SYS 0 bytes
C:\MSDOS.SYS 0 bytes
C:\NTDETECT.COM 47564 bytes
C:\ntldr 250048 bytes
C:\pagefile.sys 1610612736 bytes
C:\Program Files
C:\Qoobox
C:\TDSSKiller.2.4.21.0_17.04.2011_18.18.04_log.txt 36280 bytes
C:\WINDOWS
.
scan completed successfully
hidden files: 22
.
**************************************************************************
.
Completion time: 2011-04-21 19:05:09
ComboFix-quarantined-files.txt 2011-04-21 18:04
ComboFix2.txt 2011-04-19 19:30
ComboFix3.txt 2011-04-18 18:04
.
.
.
- - End Of File - - F539DA01F9E85FB9764394016CB09E08

#11 fireman4it

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 21 April 2011 - 04:19 PM

Hello,

Also, as we use Firefox instead of IE, every time I open the Firefox browser it asks if I want to make it my default browser; again I don't know whether this is part of the infection, so I've pressed ignore.

When this happens again go ahead and press Yes.

Last few times of restarting the computer my firewall has come up asking me if i want to continue to block aspects of Internet Explorer.

Click no and then it should be ok.

1.
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe
    C:\abxqaqrv.exe
    
    Folders to delete:
    c:\program files\rugbmqli
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.

2.
Download rustbfix from here and save it to your desktop.
Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfix\pelog.txt).
Post the content of these logfiles.

3.
Please try and run Gmer in Safe Mode.
Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

4.
Go ahead and run Combofix again.


Things to include in your next reply:
Avenger.txt

Rustbfix logs located at:
C:\Rustbfix\pelog.txt and C:\Avenger.txt

Gmer log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#12 RachelG

  • Topic Starter
  • Members
  • 10 posts

Posted 22 April 2011 - 12:45 PM

I am finally posting from the infected PC...YAY! I have been able to complete the steps. It was only after running Combofix again that it's let me on. But my computer seems to be running fine. Got onto this site at the first attempt without any redirect or it telling me it couldn't connect.
Again, thank you so much for taking the time to go through this with me - I have posted the requested logs below.

Avenger

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe" deleted successfully.
File "C:\abxqaqrv.exe" deleted successfully.
Folder "c:\program files\rugbmqli" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Rustbfixlog

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
22/04/2011 12:37:32.10

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

GMER log


GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-22 17:59:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD2000BB-00DWA0 rev.15.05R15
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\kgwdqfog.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwQueryValueKey + 349 80619259 7 Bytes JMP F7BAD5B8
? clexpi.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[224] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Bonjour\mDNSResponder.exe[228] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Java\jre6\bin\jqs.exe[356] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe[608] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\WINDOWS\system32\SearchIndexer.exe[616] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\SearchIndexer.exe[616] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\SearchIndexer.exe[616] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\SearchIndexer.exe[616] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[616] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\SearchIndexer.exe[616] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\System32\smss.exe[656] time/date stamp mismatch;
? C:\WINDOWS\system32\csrss.exe[712] time/date stamp mismatch; unknown module: CSRSRV.dll
.text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\csrss.exe[712] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\csrss.exe[712] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
? C:\WINDOWS\system32\winlogon.exe[736] time/date stamp mismatch; unknown module: WINMM.dllunknown module: MSGINA.dllunknown module: RASAPI32.dllunknown module: MPR.dllunknown module: AUTHZ.dllunknown module: NDdeApi.dllunknown module: PROFMAP.dllunknown module: SETUPAPI.dllunknown module: VERSION.dllunknown module: WINSTA.dllunknown module: WINTRUST.dll
.text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\winlogon.exe[736] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\winlogon.exe[736] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\winlogon.exe[736] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\system32\services.exe[780] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\services.exe[780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\services.exe[780] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\services.exe[780] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\WINDOWS\system32\lsass.exe[792] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\lsass.exe[792] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\lsass.exe[792] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\lsass.exe[792] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\lsass.exe[792] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\system32\svchost.exe[952] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\svchost.exe[952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\svchost.exe[952] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\system32\svchost.exe[1028] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\svchost.exe[1028] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\svchost.exe[1028] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\System32\svchost.exe[1120] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\System32\svchost.exe[1120] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\System32\svchost.exe[1120] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\WINDOWS\System32\svchost.exe[1120] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
? C:\WINDOWS\system32\svchost.exe[1168] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\svchost.exe[1168] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\svchost.exe[1168] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe[1196] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\system32\svchost.exe[1228] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\svchost.exe[1228] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\svchost.exe[1228] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Documents and Settings\User\Desktop\gmer.exe[1300] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Documents and Settings\User\Desktop\gmer.exe[1300] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Documents and Settings\User\Desktop\gmer.exe[1300] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2001FDBB
.text C:\Documents and Settings\User\Desktop\gmer.exe[1300] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS\system32\spoolsv.exe[1460] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\spoolsv.exe[1460] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\spoolsv.exe[1460] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\spoolsv.exe[1460] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\spoolsv.exe[1460] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\Explorer.EXE[1676] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\Explorer.EXE[1676] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\Explorer.EXE[1676] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\WINDOWS\Explorer.EXE[1676] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\Explorer.EXE[1676] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\iPod\bin\iPodService.exe[1824] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\iPod\bin\iPodService.exe[1824] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\iPod\bin\iPodService.exe[1824] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\iPod\bin\iPodService.exe[1824] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\SOUNDMAN.EXE[1856] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\SOUNDMAN.EXE[1856] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\SOUNDMAN.EXE[1856] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\SOUNDMAN.EXE[1856] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\carpserv.exe[1864] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\carpserv.exe[1864] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\carpserv.exe[1864] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\carpserv.exe[1864] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1892] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[1916] ws2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS\system32\svchost.exe[1924] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\system32\svchost.exe[1924] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\system32\svchost.exe[1924] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\WINDOWS\system32\svchost.exe[1924] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\system32\svchost.exe[1924] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\Program Files\iTunes\iTunesHelper.exe[1944] WININET.DLL!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe[1960] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2004E7B8
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2004E9BC
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2004E915
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
.text C:\WINDOWS\system32\SearchProtocolHost.exe[2072] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS\system32\SearchProtocolHost.exe[2072] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS\system32\SearchProtocolHost.exe[2072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2001FDBB
.text C:\WINDOWS\system32\SearchProtocolHost.exe[2072] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS\system32\SearchFilterHost.exe[2428] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS\system32\SearchFilterHost.exe[2428] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS\system32\SearchFilterHost.exe[2428] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2001FDBB
.text C:\WINDOWS\system32\SearchFilterHost.exe[2428] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS\System32\alg.exe[2472] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS\System32\alg.exe[2472] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS\System32\alg.exe[2472] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\WINDOWS\System32\alg.exe[2472] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS\System32\alg.exe[2472] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2001FDBB
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2001D423
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2001D74D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2001DA66
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001D3D5
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2001D8AA
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001D6DE
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2001D7C2
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2001D985
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2001D833
.text C:\Program Files\Mozilla Firefox\firefox.exe[2956] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2001FDBB
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2001EAD7
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2001E132
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 2001E7B8
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2001EB92
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2001E0D3
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2001EBBF
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2001E09E
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2001EBEC
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2001E9BC
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 2001E915
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2001E105
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2001EC13
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2001E058
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[3072] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2001E012

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini 84 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS02A0D.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS02A0E.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS029FA.log 131072 bytes
File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS02A0C.log 131072 bytes
File C:\Documents and Settings\User\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
File C:\Documents and Settings\User\Start Menu\Programs\Startup\desktop.ini 84 bytes
File C:\Program Files\rugbmqli\abxqaqrv.exe 172528 bytes executable

---- EOF - GMER 1.0.15 ----


Combofix log

ComboFix 11-04-21.06 - User 22/04/2011 18:12:32.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.480 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-22 11:37 . 2011-04-22 11:37 -------- d-----w- C:\Rustbfix
2011-04-22 11:29 . 2011-04-22 11:29 -------- d-----w- c:\program files\rugbmqli
2011-04-21 18:24 . 2011-04-21 18:24 172528 ----a-w- c:\windows\explorermgr.exe
2011-04-19 19:41 . 2011-04-19 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-19 19:41 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-19 19:41 . 2011-04-19 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-19 19:41 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-15 23:36 . 2011-04-19 19:41 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2011-04-15 18:45 . 2011-04-20 17:39 -------- d-----w- c:\documents and settings\Administrator
2011-04-12 18:39 . 2011-04-15 22:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-03-24 12:23 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 16:36 . 2010-04-03 00:04 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 16:36 . 2010-04-03 00:04 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-24 13:16 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2010-03-24 12:21 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2010-03-24 12:21 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-21_18.01.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-22 11:29 . 2011-04-22 11:29 16384 c:\windows\temp\Perflib_Perfdata_164.dat
+ 2010-03-24 12:23 . 2008-04-14 00:12 30208 c:\windows\system32\dllcache\wabmig.exe
+ 2010-03-24 12:23 . 2008-04-14 00:12 85504 c:\windows\system32\dllcache\wabimp.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 32768 c:\windows\system32\dllcache\wabfind.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 73216 c:\windows\system32\dllcache\setup50.exe
+ 2010-03-24 12:23 . 2008-04-14 00:12 61440 c:\windows\system32\dllcache\rrcm.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 65536 c:\windows\system32\dllcache\oledb32r.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 35328 c:\windows\system32\dllcache\oemiglib.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 60416 c:\windows\system32\dllcache\oemig50.exe
+ 2010-03-24 12:23 . 2008-04-14 00:12 77824 c:\windows\system32\dllcache\nmcom.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 81920 c:\windows\system32\dllcache\nmchat.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 28672 c:\windows\system32\dllcache\nmasnt.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 24576 c:\windows\system32\dllcache\msxactps.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 57344 c:\windows\system32\dllcache\mst123.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 60416 c:\windows\system32\dllcache\msimn.exe
+ 2010-03-24 12:23 . 2008-04-14 00:11 36864 c:\windows\system32\dllcache\msdfmap.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 20480 c:\windows\system32\dllcache\msdatt.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 94208 c:\windows\system32\dllcache\msdatl3.dll
+ 2010-03-24 12:23 . 2008-04-13 17:26 16384 c:\windows\system32\dllcache\msdasqlr.dll
+ 2010-03-24 12:23 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msdaremr.dll
+ 2010-03-24 12:23 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msdaprsr.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 77824 c:\windows\system32\dllcache\msdaosp.dll
+ 2010-03-24 12:23 . 2008-04-13 17:24 16384 c:\windows\system32\dllcache\msdaorar.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 57344 c:\windows\system32\dllcache\msadrh15.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 57344 c:\windows\system32\dllcache\msador15.dll
+ 2010-03-24 12:23 . 2008-04-13 17:26 24576 c:\windows\system32\dllcache\msader15.dll
+ 2010-03-24 12:23 . 2008-04-13 17:25 24576 c:\windows\system32\dllcache\msaddsr.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 53248 c:\windows\system32\dllcache\msadcs.dll
+ 2010-03-24 12:23 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msadcor.dll
+ 2010-03-24 12:23 . 2008-04-13 17:25 16384 c:\windows\system32\dllcache\msadcfr.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 61440 c:\windows\system32\dllcache\msadcf.dll
+ 2010-03-24 12:23 . 2008-04-13 17:25 20480 c:\windows\system32\dllcache\msadcer.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 20480 c:\windows\system32\dllcache\inetwiz.exe
+ 2010-03-24 12:23 . 2008-04-14 00:12 18432 c:\windows\system32\dllcache\iedw.exe
+ 2010-03-24 12:23 . 2008-04-14 00:11 49152 c:\windows\system32\dllcache\icwutil.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 24576 c:\windows\system32\dllcache\icwrmind.exe
+ 2010-03-24 12:23 . 2008-04-14 00:11 32768 c:\windows\system32\dllcache\icwdl.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 86016 c:\windows\system32\dllcache\icwconn2.exe
+ 2010-03-24 12:23 . 2008-04-14 00:11 61440 c:\windows\system32\dllcache\icwconn.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 57344 c:\windows\system32\dllcache\h323cc.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 40960 c:\windows\system32\dllcache\dcap32.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 45056 c:\windows\system32\dllcache\confmrsl.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 5632 c:\windows\system32\dllcache\wmm2res2.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 7680 c:\windows\system32\dllcache\wmm2ext.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 4096 c:\windows\system32\dllcache\wmm2eres.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdaurl.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdasc.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdaer.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdaenum.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 4096 c:\windows\system32\dllcache\msdadc.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 325632 c:\windows\system32\dllcache\wmm2fxb.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 502272 c:\windows\system32\dllcache\wmm2fxa.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 402432 c:\windows\system32\dllcache\wmm2filt.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 167936 c:\windows\system32\dllcache\wmm2ae.dll
+ 2010-03-24 12:23 . 2008-04-13 16:21 249856 c:\windows\system32\dllcache\wab32res.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 510976 c:\windows\system32\dllcache\wab32.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 217088 c:\windows\system32\dllcache\sqlxmlx.dll
+ 2010-03-24 11:14 . 2008-04-14 00:12 741376 c:\windows\system32\dllcache\sapi.dll
+ 2010-03-24 12:21 . 2008-04-14 00:12 281088 c:\windows\system32\dllcache\pinball.exe
+ 2010-03-24 12:23 . 2008-04-14 00:12 487424 c:\windows\system32\dllcache\oledb32.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 104448 c:\windows\system32\dllcache\oeimport.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 188416 c:\windows\system32\dllcache\nmwb.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 172032 c:\windows\system32\dllcache\nmoldwb.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 151552 c:\windows\system32\dllcache\nmft.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 229376 c:\windows\system32\dllcache\nmas.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 221184 c:\windows\system32\dllcache\nac.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 274432 c:\windows\system32\dllcache\mst120.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 315392 c:\windows\system32\dllcache\msdasql.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 118784 c:\windows\system32\dllcache\msdarem.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 204800 c:\windows\system32\dllcache\msdaps.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 200704 c:\windows\system32\dllcache\msdaprst.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 233472 c:\windows\system32\dllcache\msdaora.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 155648 c:\windows\system32\dllcache\msadds.dll
+ 2010-03-24 12:23 . 2009-03-08 14:09 638816 c:\windows\system32\dllcache\iexplore.exe
- 2009-03-08 14:09 . 2009-03-08 14:09 638816 c:\windows\system32\dllcache\iexplore.exe
+ 2010-03-24 12:23 . 2008-04-14 00:11 172032 c:\windows\system32\dllcache\icwhelp.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 214528 c:\windows\system32\dllcache\icwconn1.exe
+ 2010-03-24 12:27 . 2008-04-14 00:11 618605 c:\windows\system32\dllcache\fp4autl.dll
+ 2010-03-24 12:21 . 2008-04-14 00:12 539136 c:\windows\system32\dllcache\dialer.exe
+ 2010-03-24 12:23 . 2008-01-19 11:04 554008 c:\windows\system32\dllcache\dao360.dll
+ 2010-03-24 12:23 . 2008-04-14 00:11 385024 c:\windows\system32\dllcache\callcont.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 4256768 c:\windows\system32\dllcache\wmm2res.dll
+ 2010-03-24 12:23 . 2008-04-14 00:12 1032192 c:\windows\system32\dllcache\conf.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-10-29 577536]
"CARPService"="carpserv.exe" [2003-05-21 4608]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 598461]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 299417]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [03/10/2010 23:43 59240]
R1 RapportCerberus_25973;RapportCerberus_25973;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 22:04 57144]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43 169320]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/04/2010 17:52 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - kgwdqfog
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-05 16:52]
.
2011-04-22 c:\windows\Tasks\User_Feed_Synchronization-{09699606-D470-48E7-8842-28A141BABA08}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\6nfveeg0.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 18:21
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\User\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
c:\documents and settings\User\Start Menu\Programs\Startup\desktop.ini 84 bytes
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1368)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-22 18:25:51
ComboFix-quarantined-files.txt 2011-04-22 17:25
ComboFix2.txt 2011-04-21 18:05
ComboFix3.txt 2011-04-19 19:30
ComboFix4.txt 2011-04-18 18:04
.
Pre-Run: 73,307,713,536 bytes free
Post-Run: 73,280,962,560 bytes free
.
- - End Of File - - 1DC67A3EE855E838E56DFBBA6DCF8BEB
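The GMER hook list and file scan above, together with the ComboFix "Files Created" section, can be triaged mechanically. What follows is an added example, not code from this thread, from GMER or from ComboFix: the regexes are written from the line shapes visible above, the API families and the 64 KiB region mask are this example's own assumptions, and the sample input is a subset of lines copied from the logs posted above. The script groups each process's hooks by the region the JMPs land in (every hook in a process landing in one 0x2004xxxx or 0x2001xxxx region points at one injected blob rather than several legitimate products), flags which API families that blob intercepts, and groups executables by exact byte size, which is how the three abxqaqrv.exe copies that only GMER's raw file scan reported line up with the 172528-byte explorermgr.exe that ComboFix lists.

```python
"""Triage helpers for the GMER and ComboFix line formats quoted above (added example, not tool code)."""
import re
from collections import defaultdict

# GMER inline-hook line: ".text <process>[pid] <module>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$")
# GMER raw file-scan line: "File <path> <n> bytes [executable]"
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<exe>\s+executable)?\s*$")
# ComboFix "Files Created" line: "<created> . <modified> <size> <attrs> <path>"; directory rows
# carry "--------" in the size column, so they do not match and are skipped
COMBOFIX_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>\d+)\s+[-a-z]+\s+(?P<path>\S.*?)\s*$")

# API families (this example's grouping) whose hooking in every process is the usermode-rootkit pattern
STEALTH_APIS = {"NtQueryDirectoryFile"}          # filter directory listings so dropped files stay hidden
INJECT_APIS = {"NtResumeThread", "LdrLoadDll"}   # catch new threads/processes and DLL loads to re-hook them
NET_APIS = {"send", "recv", "sendto", "recvfrom", "WSASend", "WSARecv", "WSASendTo", "WSARecvFrom", "closesocket"}
WEB_APIS = {"HttpSendRequestA", "HttpSendRequestW", "HttpSendRequestExA", "HttpSendRequestExW",
            "HttpOpenRequestA", "HttpOpenRequestW", "InternetOpenUrlA", "InternetOpenUrlW", "InternetReadFile",
            "InternetReadFileExA", "InternetReadFileExW", "InternetWriteFile", "InternetQueryDataAvailable",
            "InternetCloseHandle"}                 # WinInet: see browser traffic in the clear, before/after TLS

def parse_hooks(text):
    """One dict per GMER inline-hook line, with pid, patch size and addresses converted to int."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"], d["size"] = int(d["pid"]), int(d["size"])
            d["addr"], d["target"] = int(d["addr"], 16), int(d["target"], 16)
            hooks.append(d)
    return hooks

def summarize_hooks(hooks, region_mask=0xFFFF0000):
    """Per (process, pid): which API families are hooked and which 64 KiB region(s) the JMPs land in.
    All of a process's hooks landing in one region means one injected code blob, not several products."""
    per_proc = defaultdict(lambda: {"apis": set(), "regions": set()})
    for h in hooks:
        entry = per_proc[(h["proc"], h["pid"])]
        entry["apis"].add(h["export"])
        entry["regions"].add(h["target"] & region_mask)
    return {key: {"stealth": bool(e["apis"] & STEALTH_APIS),
                  "inject": bool(e["apis"] & INJECT_APIS),
                  "net": bool(e["apis"] & NET_APIS),
                  "web": bool(e["apis"] & WEB_APIS),
                  "regions": sorted(hex(r) for r in e["regions"])}
            for key, e in per_proc.items()}

def parse_files(text):
    """(path, size, is_exe) tuples from GMER 'File' lines and ComboFix 'Files Created' lines."""
    files = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            files.append((m["path"], int(m["size"]), bool(m["exe"])))
            continue
        m = COMBOFIX_RE.match(line.strip())
        if m:
            files.append((m["path"], int(m["size"]), m["path"].lower().endswith(".exe")))
    return files

def same_size_executables(files, min_paths=2):
    """Group executables by exact byte size: one dropper copied under several names shares its size."""
    by_size = defaultdict(set)
    for path, size, is_exe in files:
        if is_exe:
            by_size[size].add(path)
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= min_paths}

# Constructed sample input: a subset of lines copied from the GMER and ComboFix logs posted above.
SAMPLE_LOG = r"""
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2004FDBB
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1972] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\WINDOWS\system32\SearchProtocolHost.exe[2072] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS\system32\SearchProtocolHost.exe[2072] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS\system32\SearchProtocolHost.exe[2072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 2001FDBB
File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
File C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini 84 bytes
File C:\Documents and Settings\User\Start Menu\Programs\Startup\abxqaqrv.exe 172528 bytes executable
File C:\Program Files\rugbmqli\abxqaqrv.exe 172528 bytes executable
2011-04-22 11:29 . 2011-04-22 11:29 -------- d-----w- c:\program files\rugbmqli
2011-04-21 18:24 . 2011-04-21 18:24 172528 ----a-w- c:\windows\explorermgr.exe
"""

if __name__ == "__main__":
    for (proc, pid), info in summarize_hooks(parse_hooks(SAMPLE_LOG)).items():
        print(f"{proc} [{pid}]: {info}")
    print(same_size_executables(parse_files(SAMPLE_LOG)))
```

Run against the sample, msnmsgr.exe comes out with all four families hooked and a single region 0x20040000, while SearchProtocolHost.exe has only the stealth and inject families in region 0x20010000: the same blob is present in every process, and only the processes that load WS2_32 and WININET get the traffic hooks. The NtQueryDirectoryFile hook is also why catchme reports "detected NTDLL code modification: ZwQueryDirectoryFile" and counts the two Startup-folder files as hidden, and why the four 172528-byte executables surface only in the raw file scan and the ComboFix creation list rather than in a normal directory listing.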

#13 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 April 2011 - 03:03 PM

Hello,


1.
Click here to download Kaspersky Virus Removal Tool.
  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect. Do not select "Delete if disinfection fails".
  • Then click on Start Scan.
  • Before it is done it may prompt for action regardless of the setting so choose skip if prompted.
  • When the scan is done no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight all of the items found by using Ctrl + A on your keyboard to select all, or use your mouse to select all, then right click and choose Copy.
  • This will copy the items that it found to the clipboard. You can then open Notepad (go to Start, then Run, then type in notepad) and choose Paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.

Edited by fireman4it, 22 April 2011 - 03:05 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 RachelG (Topic Starter)

  • Members
  • 10 posts

Posted 23 April 2011 - 11:44 AM

Hi - I've had to go back to posting on another PC. After the scan I tried opening Firefox to post back, but it said that Firefox had crashed and asked whether I wanted to send a report. I then tried IE; it let me open a browser, but when trying to get onto the BleepingComputer website it was redirecting again, and then after another attempt said it couldn't connect. I ran the scan; however, I'm having trouble posting the results. The scan ran for 17 hours and there is a lot of data. I can post it all, but it's going to be in about 16 posts. If you would still like me to do this I can, but I didn't know whether this would be too much? Thanks in advance.

#15 fireman4it (Bleepin' Fireman)

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 23 April 2011 - 09:17 PM

Hello,

Just give me one post's worth of the log. I think I already know what it's going to say.
