
Trojan.Agent.H - unable to open antivirus sites or update AV


This topic is locked
23 replies to this topic

#1 mcroucher

  • Members
  • 13 posts
  • OFFLINE

Posted 09 September 2011 - 04:46 AM

Hi there guys & gals,

I am slightly at my wits' end - I'd like to think I'm not a complete computer dunce, but this one is defeating me and I just can't seem to shift it!

The problem began with my browser being diverted when I clicked a link on Google. I realised that something was wrong, and ran Malwarebytes, which told me my laptop was infected with trojan.agent.H. I asked it to remove it, and then restarted the system when it was complete, and ran a full scan again. From 4 infected files, it now told me I had several hundred. Goody. As I've just shifted ISP to British Telecom, who provide free McAfee, it seemed like a good idea to download this, and while I could sign up for it, I could not access the website when I wanted to download it. I then searched for other antivirus sites, and discovered that I could not access any of them, or even fora such as this which provide antivirus advice. So, I am now reduced to using my netbook, which for a big bloke with fat fingers is rather inconvenient, not least as I use my main computer for work purposes, and it has the software I need for work on it!

Anyway, the log files are attached below, and your help would be most gratefully received! Thanks in advance! :) Mark

DDS file
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mark Croucher at 9:07:39 on 2011-09-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.257 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [OalAcvcq] c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [McAfee McItInfo] c:\docume~1\markcr~1\locals~1\temp\mcitinfo_1315552675.exe /itinsfin:c:\docume~1\markcr~1\locals~1\temp\mcininfo_1315552675.ini
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [UIExec] "c:\program files\t-mobile mobile broadband manager\UIExec.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{4833D0BA-0AF0-4B10-8324-F7A1E61BAD82} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{989384C5-6B52-41EA-92BE-6979FD8882CC} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mark croucher\application data\mozilla\firefox\profiles\74x07n38.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - component: c:\program files\t-mobile mobile broadband manager\addon\components\bmboc_addon2.dll
FF - component: c:\program files\t-mobile mobile broadband manager\addon\components\bmboc_addon3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-9-8 18816]
R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile mobile broadband manager\AssistantServices.exe [2011-3-1 241664]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-9-4 176128]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\markcr~1\locals~1\temp\vlmhfsxd.sys --> c:\docume~1\markcr~1\locals~1\temp\vlmhfsxd.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-3-1 9728]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-22 41272]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 odysseyIM2;Odyssey Network Service Miniport;c:\windows\system32\drivers\odysseyIM2.sys [2003-4-29 62273]
S3 VNUWL5B;VIA Networking Technologies USB Wireless LAN Adapter Driver Service;c:\windows\system32\drivers\VNUWL5B.SYS [2006-9-1 134656]
.
=============== Created Last 30 ================
.
2011-09-08 23:04:04 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-08 19:26:02 -------- d-----w- c:\documents and settings\mark croucher\local settings\application data\PackageAware
2011-09-08 17:47:01 -------- d-sha-r- C:\cmdcons
2011-09-08 17:44:25 98816 ----a-w- c:\windows\sed.exe
2011-09-08 17:44:25 518144 ----a-w- c:\windows\SWREG.exe
2011-09-08 17:44:25 256000 ----a-w- c:\windows\PEV.exe
2011-09-08 17:44:25 208896 ----a-w- c:\windows\MBR.exe
2011-09-08 17:41:24 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-09-08 17:00:59 -------- d-----w- c:\program files\Sophos
2011-09-08 15:27:02 -------- d-----w- c:\documents and settings\mark croucher\application data\Lacir
2011-09-08 15:27:01 -------- d-----w- c:\documents and settings\mark croucher\application data\Idiwip
2011-08-26 17:34:31 -------- d-----w- c:\documents and settings\mark croucher\local settings\application data\PCHealth
2011-08-10 13:23:29 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-08-10 13:23:29 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-08-10 13:23:24 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-08-10 13:23:24 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-08-10 11:36:43 -------- d-----w- c:\program files\common files\L&H
.
==================== Find3M ====================
.
2011-08-18 13:15:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 9:09:47.84 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-09 10:40:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541040G9SA00 rev.MB2OC60R
Running: gmer.exe; Driver: C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys ZwCreateKey [0xF882C6AC]
SSDT \??\C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys ZwOpenKey [0xF882C562]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys The system cannot find the file specified. !
? C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\spoolsv.exe[144] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\spoolsv.exe[144] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\system32\svchost.exe[244] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[244] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\svchost.exe[244] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\svchost.exe[244] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\svchost.exe[244] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\System32\svchost.exe[448] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\System32\svchost.exe[448] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\System32\svchost.exe[520] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\System32\svchost.exe[520] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\system32\svchost.exe[624] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[624] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\svchost.exe[624] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\svchost.exe[624] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\svchost.exe[624] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[684] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[684] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[684] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[684] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\WINDOWS\system32\wdfmgr.exe[784] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\wdfmgr.exe[784] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\wdfmgr.exe[784] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\wdfmgr.exe[784] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\system32\services.exe[864] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\services.exe[864] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\services.exe[864] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\services.exe[864] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B15B9
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\lsass.exe[876] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\lsass.exe[876] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\lsass.exe[876] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B15B9
? C:\WINDOWS\system32\svchost.exe[1024] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\svchost.exe[1024] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\svchost.exe[1024] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B15B9
? C:\WINDOWS\system32\svchost.exe[1088] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\svchost.exe[1088] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B15B9
? C:\WINDOWS\System32\svchost.exe[1124] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\System32\svchost.exe[1124] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B11A9
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B14D3
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B17EC
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B115B
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B1630
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B1464
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B1548
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B170B
.text C:\WINDOWS\System32\svchost.exe[1124] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B15B9
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B2866
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B1EC1
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 200B2547
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B2921
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B1E62
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B294E
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 200B1E2D
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 200B297B
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 200B274B
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 200B26A4
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 200B1E94
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 200B29A2
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 200B1DE7
.text C:\WINDOWS\System32\svchost.exe[1124] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 200B1DA1
? C:\WINDOWS\system32\svchost.exe[1180] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\svchost.exe[1180] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B15B9
? C:\WINDOWS\system32\svchost.exe[1252] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\system32\svchost.exe[1252] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200B11A9
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200B14D3
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200B17EC
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200B115B
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200B1630
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200B1464
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200B1548
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200B170B
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200B15B9
.text E:\gmer\gmer.exe[1536] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text E:\gmer\gmer.exe[1536] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text E:\gmer\gmer.exe[1536] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text E:\gmer\gmer.exe[1536] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\Explorer.EXE[1656] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200B58C5
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 200A9E20
.text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200B5741
.text C:\WINDOWS\Explorer.EXE[1656] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200B05B7
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 200B2866
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 200B1EC1
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 200B2547
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 200B2921
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 200B1E62
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 200B294E
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 200B1E2D
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 200B297B
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 200B274B
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 200B26A4
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 200B1E94
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 200B29A2
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 200B1DE7
.text C:\WINDOWS\Explorer.EXE[1656] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 200B1DA1
.text C:\WINDOWS\system32\svchost.exe[1664] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200658C5
.text C:\WINDOWS\system32\svchost.exe[1664] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20059E20
.text C:\WINDOWS\system32\svchost.exe[1664] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20065741
.text C:\WINDOWS\system32\svchost.exe[1664] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200605B7
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!sendto 71AB2F51 5 Bytes JMP 200611A9
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200614D3
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200617EC
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!send 71AB4C27 5 Bytes JMP 2006115B
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 20061630
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!recv 71AB676F 5 Bytes JMP 20061464
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20061548
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2006170B
.text C:\WINDOWS\system32\svchost.exe[1664] ws2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200615B9
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 20022866
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 20021EC1
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 20022547
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 20022921
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 20021E62
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2002294E
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 20021E2D
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2002297B
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2002274B
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 200226A4
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 20021E94
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 200229A2
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 20021DE7
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 20021DA1
.text C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe[1872] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\WINDOWS\vsnpstd3.exe[2072] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\vsnpstd3.exe[2072] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\vsnpstd3.exe[2072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\vsnpstd3.exe[2072] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\WINDOWS\vsnpstd.exe[2100] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\vsnpstd.exe[2100] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\vsnpstd.exe[2100] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\vsnpstd.exe[2100] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\Program Files\Freecorder\FLVSrvc.exe[2160] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\Program Files\Freecorder\FLVSrvc.exe[2160] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\Program Files\Freecorder\FLVSrvc.exe[2160] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\Program Files\Freecorder\FLVSrvc.exe[2160] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe[2212] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe[2212] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe[2212] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe[2212] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200211A9
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200214D3
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200217EC
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2002115B
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 20021630
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20021464
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20021548
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2002170B
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[2308] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200215B9
.text C:\WINDOWS\system32\ctfmon.exe[2356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\ctfmon.exe[2356] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\ctfmon.exe[2356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\ctfmon.exe[2356] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 20022866
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 20021EC1
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 20022547
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 20022921
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 20021E62
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2002294E
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 20021E2D
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2002297B
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetReadFileExW 3D963221 5 Bytes JMP 2002274B
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetReadFileExA 3D963259 5 Bytes JMP 200226A4
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 20021E94
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 200229A2
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 20021DE7
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 20021DA1
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!sendto 71AB2F51 5 Bytes JMP 200211A9
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200214D3
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200217EC
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!send 71AB4C27 5 Bytes JMP 2002115B
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 20021630
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!recv 71AB676F 5 Bytes JMP 20021464
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20021548
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2002170B
.text C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe[2480] ws2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200215B9
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200211A9
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200214D3
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200217EC
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2002115B
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 20021630
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20021464
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20021548
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2002170B
.text C:\PROGRA~1\MICROS~4\rapimgr.exe[2496] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200215B9
.text C:\WINDOWS\System32\alg.exe[2780] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\System32\alg.exe[2780] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\System32\alg.exe[2780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\System32\alg.exe[2780] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200211A9
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200214D3
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200217EC
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2002115B
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 20021630
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20021464
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 20021548
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2002170B
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200215B9
.text C:\WINDOWS\system32\wscntfy.exe[2904] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\wscntfy.exe[2904] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\wscntfy.exe[2904] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\wscntfy.exe[2904] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2948] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200658C5
.text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2948] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20059E20
.text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2948] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20065741
.text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2948] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200605B7

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe 114625 bytes executable
File C:\Documents and Settings\Mark Croucher\Start Menu\Programs\Startup\oalacvcq.exe 114625 bytes executable

---- EOF - GMER 1.0.15 ----
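As an added illustration, not part of the original post and not code from GMER: every `.text ... 5 Bytes JMP` line above is a user-mode inline hook. The first five bytes of the exported function have been overwritten with a jump into an address range (0x2000xxxx) that belongs to no loaded module, the same set of APIs is patched in almost every process, and the SSDT entries point at a driver living in the user's Temp folder. The Python script below parses that log format and reduces it to the facts a responder wants: which PIDs are hooked, whether every jump lands in one injected region, whether the network APIs (WS2_32/WININET) are intercepted, whether kernel hooks come from a Temp-directory driver, and which files sit in a Startup folder. The sample input is a handful of lines copied from the log in this post; the regexes, the 1 MiB region bucketing and the indicator wording are this example's own assumptions, not anything GMER itself emits.

```python
import re
from collections import defaultdict

# Constructed sample input: a few lines copied verbatim from the GMER log in the post
# above (the real log has hundreds of ".text" lines in exactly this format).
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys ZwCreateKey [0xAA1C56AC]
SSDT \??\C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys ZwOpenKey [0xAA1C5562]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\ctfmon.exe[2356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\ctfmon.exe[2356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\System32\alg.exe[2780] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2002115B
.text C:\WINDOWS\System32\alg.exe[2780] WS2_32.dll!recv 71AB676F 5 Bytes JMP 20021464
.text C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[2948] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200658C5

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Mark Croucher\Start Menu\Programs\Startup\oalacvcq.exe 114625 bytes executable
"""

# Line shapes as they appear in GMER 1.0.15 output (assumption: no other variants).
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$"
)
SSDT_RE = re.compile(r"^SSDT (?P<driver>\S+) (?P<func>\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
FILE_RE = re.compile(r"^File (?P<path>.+?) (?P<size>\d+) bytes (?P<kind>\w+)$")

NETWORK_MODULES = {"ws2_32.dll", "wininet.dll"}
INLINE_JMP_SIZE = 5           # a 5-byte patch at the entry point is the classic E9 rel32 hook
REGION_MASK = 0xFFF00000      # bucket JMP targets at 1 MiB granularity (example's own choice)


def parse_gmer(text):
    """Split a GMER log into SSDT hooks, user-mode inline hooks and file findings."""
    found = {"ssdt": [], "hooks": [], "files": []}
    for line in text.splitlines():
        line = line.rstrip()
        if m := HOOK_RE.match(line):
            d = m.groupdict()
            d["pid"], d["size"] = int(d["pid"]), int(d["size"])
            d["addr"], d["target"] = int(d["addr"], 16), int(d["target"], 16)
            found["hooks"].append(d)
        elif m := SSDT_RE.match(line):
            d = m.groupdict()
            d["addr"] = int(d["addr"], 16)
            found["ssdt"].append(d)
        elif m := FILE_RE.match(line):
            d = m.groupdict()
            d["size"] = int(d["size"])
            found["files"].append(d)
    return found


def summarize_hooks(hooks):
    """Per PID: hooked APIs, the region(s) the JMPs land in, and whether network APIs are hooked."""
    per_pid = defaultdict(lambda: {"image": None, "apis": [], "regions": set(), "network": False})
    for h in hooks:
        s = per_pid[h["pid"]]
        s["image"] = h["image"]
        s["apis"].append(f'{h["module"]}!{h["func"]}')
        s["regions"].add(h["target"] & REGION_MASK)
        if h["module"].lower() in NETWORK_MODULES:
            s["network"] = True
    for s in per_pid.values():
        s["apis"].sort()
    return dict(per_pid)


def indicators(parsed):
    """Turn the parsed log into short, reviewable statements about what the hooks imply."""
    out = []
    for s in parsed["ssdt"]:
        if "\\temp\\" in s["driver"].lower():
            out.append(f'kernel: SSDT {s["func"]} hooked by driver loaded from a Temp directory ({s["driver"]})')
    summary = summarize_hooks(parsed["hooks"])
    all_regions = set().union(*(s["regions"] for s in summary.values())) if summary else set()
    if len(summary) > 1 and len(all_regions) == 1:
        out.append(f"user: {len(summary)} processes hooked, every JMP lands in region "
                   f"0x{next(iter(all_regions)):08X} (one injected module)")
    net = sorted(pid for pid, s in summary.items() if s["network"])
    if net:
        out.append(f"user: network APIs (WS2_32/WININET) hooked in PIDs {net}; "
                   "consistent with traffic filtering and redirects")
    loaders = sorted(pid for pid, s in summary.items() if "ntdll.dll!LdrLoadDll" in s["apis"])
    if loaders:
        out.append(f"user: LdrLoadDll hooked in PIDs {loaders}; commonly used to re-inject into newly loaded code")
    for f in parsed["files"]:
        if "\\startup\\" in f["path"].lower():
            out.append(f'persistence: {f["kind"]} in Startup folder: {f["path"]}')
    return out


if __name__ == "__main__":
    for line in indicators(parse_gmer(SAMPLE_GMER_LOG)):
        print(line)
```

Run it against the full GMER log saved to a file by replacing `SAMPLE_GMER_LOG` with the file's contents; the useful signal is not any single hook but the combination: one target region shared by every process, network APIs intercepted, a kernel hook from a Temp driver and an executable in the Startup folder.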


#2 HelpBot


    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • Gender:Male
  • Local time:04:41 AM

Posted 14 September 2011 - 04:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/418179 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was follow the previous instructions and tell me so. You can skip the rest of this post. If you do need help, please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 mcroucher

  • Topic Starter

  • Members
  • 13 posts
  • Local time:09:41 AM

Posted 15 September 2011 - 06:38 AM

Hi there, yes, still stuck, I'm afraid. I'm not sure that I've even turned the infected computer on since posting the last scan results, but still, here are the new ones - your help would be greatly appreciated! Problem is still as before - redirections, unable to open AV sites etc.

M

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mark Croucher at 10:26:31 on 2011-09-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.238 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [OalAcvcq] c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [McAfee McItInfo] c:\docume~1\markcr~1\locals~1\temp\mcitinfo_1315552675.exe /itinsfin:c:\docume~1\markcr~1\locals~1\temp\mcininfo_1315552675.ini
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [snpstd] c:\windows\vsnpstd.exe
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [UIExec] "c:\program files\t-mobile mobile broadband manager\UIExec.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{4833D0BA-0AF0-4B10-8324-F7A1E61BAD82} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mark croucher\application data\mozilla\firefox\profiles\74x07n38.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - component: c:\program files\t-mobile mobile broadband manager\addon\components\bmboc_addon2.dll
FF - component: c:\program files\t-mobile mobile broadband manager\addon\components\bmboc_addon3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-9-8 18816]
R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile mobile broadband manager\AssistantServices.exe [2011-3-1 241664]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-9-4 176128]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\markcr~1\locals~1\temp\vlmhfsxd.sys --> c:\docume~1\markcr~1\locals~1\temp\vlmhfsxd.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2011-3-1 9728]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 odysseyIM2;Odyssey Network Service Miniport;c:\windows\system32\drivers\odysseyIM2.sys [2003-4-29 62273]
S3 VNUWL5B;VIA Networking Technologies USB Wireless LAN Adapter Driver Service;c:\windows\system32\drivers\VNUWL5B.SYS [2006-9-1 134656]
.
=============== Created Last 30 ================
.
2011-09-08 23:04:04 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-08 19:26:02 -------- d-----w- c:\documents and settings\mark croucher\local settings\application data\PackageAware
2011-09-08 17:47:01 -------- d-sha-r- C:\cmdcons
2011-09-08 17:44:25 98816 ----a-w- c:\windows\sed.exe
2011-09-08 17:44:25 518144 ----a-w- c:\windows\SWREG.exe
2011-09-08 17:44:25 256000 ----a-w- c:\windows\PEV.exe
2011-09-08 17:44:25 208896 ----a-w- c:\windows\MBR.exe
2011-09-08 17:41:24 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-09-08 17:00:59 -------- d-----w- c:\program files\Sophos
2011-09-08 15:27:02 -------- d-----w- c:\documents and settings\mark croucher\application data\Lacir
2011-09-08 15:27:01 -------- d-----w- c:\documents and settings\mark croucher\application data\Idiwip
2011-08-26 17:34:31 -------- d-----w- c:\documents and settings\mark croucher\local settings\application data\PCHealth
.
==================== Find3M ====================
.
2011-08-18 13:15:30 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 10:28:42.31 ===============



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-15 12:34:49
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541040G9SA00 rev.MB2OC60R
Running: gmer.exe; Driver: C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys ZwCreateKey [0xAA1C56AC]
SSDT \??\C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys ZwOpenKey [0xAA1C5562]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys The system cannot find the file specified. !
? C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[140] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\spoolsv.exe[140] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\spoolsv.exe[140] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\spoolsv.exe[140] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\system32\svchost.exe[332] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\svchost.exe[332] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\svchost.exe[332] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\System32\svchost.exe[448] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\System32\svchost.exe[448] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\System32\svchost.exe[496] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[496] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\System32\svchost.exe[496] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\System32\svchost.exe[496] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\System32\svchost.exe[496] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\system32\svchost.exe[596] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\svchost.exe[596] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\svchost.exe[596] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[652] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[652] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[652] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\Program Files\T-Mobile Mobile Broadband Manager\AssistantServices.exe[652] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
.text C:\WINDOWS\system32\wdfmgr.exe[692] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200258C5
.text C:\WINDOWS\system32\wdfmgr.exe[692] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20019E20
.text C:\WINDOWS\system32\wdfmgr.exe[692] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 20025741
.text C:\WINDOWS\system32\wdfmgr.exe[692] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200205B7
? C:\WINDOWS\system32\services.exe[868] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
.text C:\WINDOWS\system32\services.exe[868] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200A58C5
.text C:\WINDOWS\system32\services.exe[868] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20099E20
.text C:\WINDOWS\system32\services.exe[868] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200A5741
.text C:\WINDOWS\system32\services.exe[868] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200A05B7
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200A11A9
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200A14D3
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200A17EC
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200A115B
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200A1630
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200A1464
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 200A1548
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 200A170B
.text C:\WINDOWS\system32\services.exe[868] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 200A15B9
.text C:\WINDOWS\system32\lsass.exe[880] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 200A58C5
.text C:\WINDOWS\system32\lsass.exe[880] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20099E20
.text C:\WINDOWS\system32\lsass.exe[880] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 200A5741
.text C:\WINDOWS\system32\lsass.exe[880] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 200A05B7
.text C:\WINDOWS\system32\lsass.exe[880] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 200A11A9
.text C:\WINDOWS\system32\lsass.exe[880] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 200A14D3
.text C:\WINDOWS\system32\lsass.exe[880] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 200A17EC
.text C:\WINDOWS\system32\lsass.exe[880] WS2_32.dll!send 71AB4C27 5 Bytes JMP 200A115B
.text C:\WINDOWS\system32\lsass.exe[880] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 200A1630
.text C:\WINDOWS\system32\lsass.exe[880] WS2_32.dll!recv 71AB676F 5 Bytes JMP 200A1464

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe 114625 bytes executable
File C:\Documents and Settings\Mark Croucher\Start Menu\Programs\Startup\oalacvcq.exe 114625 bytes executable

---- EOF - GMER 1.0.15 ----


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:41 PM

Posted 15 September 2011 - 10:41 AM

Hello mcroucher and welcome to BC. :)


Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" is Cure (Please click on it and change it to skip).
  • Click on Report to generate a log.
  • Please post that log when you reply.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 mcroucher

mcroucher
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:09:41 AM

Posted 15 September 2011 - 10:54 AM

Hello Sempai,

Thanks for the welcome - wish I wasn't here!! - and many thanks to you and your colleagues for taking the time to help idiots like me!

Ran TDSSKiller, it said 'no threats found' - the log file is pasted below!

2011/09/15 16:47:21.0953 1488 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/15 16:47:23.0187 1488 ================================================================================
2011/09/15 16:47:23.0187 1488 SystemInfo:
2011/09/15 16:47:23.0187 1488
2011/09/15 16:47:23.0187 1488 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/15 16:47:23.0187 1488 Product type: Workstation
2011/09/15 16:47:23.0187 1488 ComputerName: MARKC
2011/09/15 16:47:23.0187 1488 UserName: Mark Croucher
2011/09/15 16:47:23.0187 1488 Windows directory: C:\WINDOWS
2011/09/15 16:47:23.0187 1488 System windows directory: C:\WINDOWS
2011/09/15 16:47:23.0187 1488 Processor architecture: Intel x86
2011/09/15 16:47:23.0187 1488 Number of processors: 1
2011/09/15 16:47:23.0187 1488 Page size: 0x1000
2011/09/15 16:47:23.0187 1488 Boot type: Normal boot
2011/09/15 16:47:23.0187 1488 ================================================================================
2011/09/15 16:47:25.0015 1488 Initialize success
2011/09/15 16:47:31.0562 3252 ================================================================================
2011/09/15 16:47:31.0562 3252 Scan started
2011/09/15 16:47:31.0562 3252 Mode: Manual;
2011/09/15 16:47:31.0562 3252 ================================================================================
2011/09/15 16:47:37.0734 3252 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/15 16:47:37.0781 3252 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/15 16:47:37.0843 3252 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/15 16:47:37.0875 3252 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/15 16:47:37.0921 3252 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/15 16:47:37.0953 3252 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/15 16:47:38.0015 3252 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/15 16:47:38.0062 3252 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/15 16:47:38.0125 3252 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/15 16:47:38.0296 3252 massfilter (567d3cbc0ba3332887d091a237d4fd3c) C:\WINDOWS\system32\drivers\massfilter.sys
2011/09/15 16:47:38.0546 3252 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/15 16:47:38.0625 3252 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/15 16:47:38.0671 3252 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/15 16:47:38.0718 3252 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/15 16:47:38.0750 3252 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/15 16:47:38.0781 3252 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/09/15 16:47:38.0812 3252 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/15 16:47:38.0906 3252 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/15 16:47:39.0031 3252 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/15 16:47:39.0062 3252 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/15 16:47:39.0093 3252 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/15 16:47:39.0125 3252 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/15 16:47:39.0171 3252 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/15 16:47:39.0203 3252 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/09/15 16:47:39.0265 3252 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2011/09/15 16:47:39.0296 3252 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/15 16:47:39.0359 3252 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/09/15 16:47:39.0406 3252 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/15 16:47:39.0468 3252 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/09/15 16:47:39.0500 3252 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/15 16:47:39.0531 3252 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/15 16:47:39.0562 3252 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/15 16:47:39.0609 3252 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/15 16:47:39.0640 3252 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/15 16:47:39.0718 3252 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/15 16:47:39.0796 3252 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/15 16:47:39.0859 3252 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/15 16:47:40.0000 3252 NTIDrvr (15a72d5b8f0b6a718207f14bd5ebb8ff) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
2011/09/15 16:47:40.0078 3252 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/15 16:47:40.0125 3252 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/15 16:47:40.0156 3252 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/15 16:47:40.0203 3252 odysseyIM2 (18b89941c8f16453b62adddb87997ac7) C:\WINDOWS\system32\DRIVERS\odysseyIM2.sys
2011/09/15 16:47:40.0296 3252 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/15 16:47:40.0343 3252 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/15 16:47:40.0390 3252 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/15 16:47:40.0546 3252 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/15 16:47:40.0625 3252 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/15 16:47:40.0671 3252 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/15 16:47:40.0828 3252 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/09/15 16:47:40.0843 3252 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/09/15 16:47:40.0937 3252 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/15 16:47:40.0984 3252 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/15 16:47:41.0015 3252 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/15 16:47:41.0046 3252 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/09/15 16:47:41.0062 3252 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/09/15 16:47:41.0093 3252 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/09/15 16:47:41.0125 3252 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/09/15 16:47:41.0156 3252 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/09/15 16:47:41.0187 3252 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/15 16:47:41.0218 3252 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/15 16:47:41.0250 3252 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/15 16:47:41.0281 3252 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/15 16:47:41.0328 3252 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/15 16:47:41.0359 3252 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/15 16:47:41.0421 3252 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/15 16:47:41.0484 3252 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/15 16:47:41.0531 3252 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/15 16:47:41.0625 3252 RTL8023xp (d6e1b1bd04fad422af17fc4b810cb9af) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/09/15 16:47:41.0656 3252 RTLWUSB (05552e37b5c0b53b7e4b95a850447e85) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
2011/09/15 16:47:41.0703 3252 SAVRKBootTasks (e5c587c0668f83e799d1c43bc53e5e37) C:\WINDOWS\system32\SAVRKBootTasks.sys
2011/09/15 16:47:41.0937 3252 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/15 16:47:42.0046 3252 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/15 16:47:42.0078 3252 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/15 16:47:42.0171 3252 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/09/15 16:47:42.0265 3252 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/09/15 16:47:42.0296 3252 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/09/15 16:47:42.0421 3252 snpstd (7452187a8f1ac46ce4f21be616e8d5f3) C:\WINDOWS\system32\DRIVERS\snpstd.sys
2011/09/15 16:47:42.0968 3252 SNPSTD3 (11bb0e11d42cc3a43d741d9b30839be1) C:\WINDOWS\system32\DRIVERS\snpstd3.sys
2011/09/15 16:47:43.0531 3252 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/09/15 16:47:43.0609 3252 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/15 16:47:43.0671 3252 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/15 16:47:43.0796 3252 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/15 16:47:43.0843 3252 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/15 16:47:43.0906 3252 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/15 16:47:43.0968 3252 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/15 16:47:44.0015 3252 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/09/15 16:47:44.0046 3252 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/09/15 16:47:44.0093 3252 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/09/15 16:47:44.0125 3252 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/09/15 16:47:44.0187 3252 SynTP (1b75ec5d1a87a773a7c38855855466ae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/09/15 16:47:44.0218 3252 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/15 16:47:44.0328 3252 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/15 16:47:44.0546 3252 tcpipBM (dcfeb82ca988598ceb8f83148616038e) C:\WINDOWS\system32\drivers\tcpipBM.sys
2011/09/15 16:47:44.0625 3252 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/15 16:47:44.0671 3252 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/15 16:47:44.0718 3252 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/15 16:47:44.0796 3252 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/09/15 16:47:44.0843 3252 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/15 16:47:44.0875 3252 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/09/15 16:47:44.0953 3252 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/15 16:47:45.0109 3252 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/15 16:47:45.0156 3252 usbcm (a31c1f4b2448eeeff7c0d4e4d58bd9b3) C:\WINDOWS\system32\DRIVERS\usbcm.sys
2011/09/15 16:47:45.0203 3252 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/15 16:47:45.0218 3252 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/15 16:47:45.0265 3252 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/15 16:47:45.0312 3252 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/15 16:47:45.0359 3252 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/15 16:47:45.0390 3252 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/15 16:47:45.0468 3252 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/09/15 16:47:45.0515 3252 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/15 16:47:45.0640 3252 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/09/15 16:47:45.0671 3252 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/09/15 16:47:45.0718 3252 VNUWL5B (a156963ad8067fc9fa88f1fbb00b5b7f) C:\WINDOWS\system32\DRIVERS\VNUWL5B.SYS
2011/09/15 16:47:45.0750 3252 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/15 16:47:45.0812 3252 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/15 16:47:45.0968 3252 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/15 16:47:46.0109 3252 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/15 16:47:46.0187 3252 ZTEusbmdm6k (c2215c6ada8b1e9feb507cee9b446661) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
2011/09/15 16:47:46.0250 3252 ZTEusbnmea (f16ce3c7690ab7426dc96520d54a737e) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
2011/09/15 16:47:46.0281 3252 ZTEusbser6k (c2215c6ada8b1e9feb507cee9b446661) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
2011/09/15 16:47:46.0375 3252 MBR (0x1B8) (2d572a71bbc779eccd3d2595fc788a35) \Device\Harddisk0\DR0
2011/09/15 16:47:46.0421 3252 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR5
2011/09/15 16:47:47.0734 3252 Boot (0x1200) (fdef44d753b06926eab404ad73665ab9) \Device\Harddisk0\DR0\Partition0
2011/09/15 16:47:47.0859 3252 Boot (0x1200) (221a2bf0247fec9111389906be11201e) \Device\Harddisk1\DR5\Partition0
2011/09/15 16:47:47.0859 3252 ================================================================================
2011/09/15 16:47:47.0859 3252 Scan finished
2011/09/15 16:47:47.0859 3252 ================================================================================
2011/09/15 16:47:47.0875 3788 Detected object count: 0
2011/09/15 16:47:47.0875 3788 Actual detected object count: 0
2011/09/15 16:48:47.0937 3328 ================================================================================
2011/09/15 16:48:47.0937 3328 Scan started
2011/09/15 16:48:47.0937 3328 Mode: Manual;
2011/09/15 16:48:47.0937 3328 ================================================================================
2011/09/15 16:48:58.0218 3328 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/15 16:48:58.0281 3328 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/09/15 16:48:58.0312 3328 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/15 16:48:58.0343 3328 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/15 16:48:58.0390 3328 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/09/15 16:48:58.0421 3328 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/09/15 16:48:58.0453 3328 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/09/15 16:48:58.0468 3328 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/09/15 16:48:58.0531 3328 SynTP (1b75ec5d1a87a773a7c38855855466ae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/09/15 16:48:58.0562 3328 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/15 16:48:58.0656 3328 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/15 16:48:58.0703 3328 tcpipBM (dcfeb82ca988598ceb8f83148616038e) C:\WINDOWS\system32\drivers\tcpipBM.sys
2011/09/15 16:48:58.0843 3328 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/15 16:48:58.0875 3328 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/15 16:48:58.0921 3328 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/15 16:48:58.0984 3328 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/09/15 16:48:59.0031 3328 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/15 16:48:59.0062 3328 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/09/15 16:48:59.0140 3328 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/15 16:48:59.0203 3328 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/15 16:48:59.0250 3328 usbcm (a31c1f4b2448eeeff7c0d4e4d58bd9b3) C:\WINDOWS\system32\DRIVERS\usbcm.sys
2011/09/15 16:48:59.0312 3328 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/15 16:48:59.0343 3328 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/15 16:48:59.0390 3328 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/15 16:48:59.0421 3328 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/15 16:48:59.0468 3328 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/15 16:48:59.0578 3328 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/15 16:48:59.0640 3328 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2011/09/15 16:48:59.0687 3328 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/15 16:48:59.0718 3328 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/09/15 16:48:59.0750 3328 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/09/15 16:48:59.0812 3328 VNUWL5B (a156963ad8067fc9fa88f1fbb00b5b7f) C:\WINDOWS\system32\DRIVERS\VNUWL5B.SYS
2011/09/15 16:48:59.0843 3328 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/15 16:48:59.0906 3328 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/15 16:48:59.0968 3328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/15 16:49:00.0078 3328 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/09/15 16:49:00.0171 3328 ZTEusbmdm6k (c2215c6ada8b1e9feb507cee9b446661) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
2011/09/15 16:49:00.0218 3328 ZTEusbnmea (f16ce3c7690ab7426dc96520d54a737e) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
2011/09/15 16:49:00.0250 3328 ZTEusbser6k (c2215c6ada8b1e9feb507cee9b446661) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
2011/09/15 16:49:00.0328 3328 MBR (0x1B8) (2d572a71bbc779eccd3d2595fc788a35) \Device\Harddisk0\DR0
2011/09/15 16:49:00.0343 3328 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR5
2011/09/15 16:49:01.0515 3328 Boot (0x1200) (fdef44d753b06926eab404ad73665ab9) \Device\Harddisk0\DR0\Partition0
2011/09/15 16:49:01.0531 3328 Boot (0x1200) (221a2bf0247fec9111389906be11201e) \Device\Harddisk1\DR5\Partition0
2011/09/15 16:49:01.0546 3328 ================================================================================
2011/09/15 16:49:01.0546 3328 Scan finished
2011/09/15 16:49:01.0546 3328 ================================================================================
2011/09/15 16:49:01.0562 0464 Detected object count: 0
2011/09/15 16:49:01.0562 0464 Actual detected object count: 0

Best regards,

Mark :)

#6 sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 15 September 2011 - 11:47 AM

Hi Mark,

Did you previously run Combofix? On your own?

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.


===================================


Please follow the instructions in order of my post.


Step 1: Back up your registry with ERUNT
  • Please download ERUNT.
  • Follow the detailed instructions HERE on how to install and run ERUNT.
  • Make sure that you have successfully installed and run ERUNT before proceeding with the next instruction.



Step 2: Launch Notepad, and copy-paste the contents of the codebox below into a new text file. Save it on your Desktop as fixme.reg. For "Save as type", choose "All Files".

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

  • Locate fixme.reg on your Desktop and double-click on it.
  • You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
  • Answer "Yes" and wait for a message to appear similar to "Merged Successfully".



Step 3: Download Combofix (by Subs) from any of the links below, and make sure that you save it to your desktop.

Link 1
Link 2

  • It's important to temporarily disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. See HERE
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

*It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.

  • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. If you did not have it installed, you will see the prompt below. Choose YES.

Posted Image


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Important notes:

  • Leave your computer alone while ComboFix is running.
  • ComboFix will restart your computer if malware is found; allow it to do so.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Please do not mouse-click ComboFix's window while it's running, because it may cause it to stall.
  • ComboFix SHOULD NOT be used unless requested by a forum helper. See HERE.


Edited by sempai, 15 September 2011 - 11:50 AM.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#7 mcroucher

  • Topic Starter
  • Members
  • 13 posts

Posted 15 September 2011 - 01:48 PM

Hi Semp,

Attached below is the Combofix log generated - it's a fair cop, I ran combofix unassisted when it was first infected - I followed the instructions from another thread on here which closely mirrored my own. Sorry! I stopped there, if I recall correctly, as it still showed errors when I rescanned...

Also, my apologies, but without thinking I double clicked it and ran it on this occasion from the flash drive - distracted by kids when the explorer window was open.... didn't want to halt it once it had started running...

Mark :)


ComboFix 11-09-15.05 - Mark Croucher 15/09/2011 19:10:59.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.173 [GMT 1:00]
Running from: E:\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\System Recovery
c:\documents and settings\All Users\Start Menu\Programs\System Recovery\Recovery Media Creator.lnk
c:\documents and settings\All Users\Start Menu\Programs\System Recovery\System Recovery.lnk
c:\documents and settings\Mark Croucher\Local Settings\Application Data\cqmswksd.log
c:\documents and settings\Mark Croucher\Local Settings\Application Data\ejdpjjwg.log
c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe
c:\documents and settings\Mark Croucher\Local Settings\Application Data\ixvfoste.log
c:\documents and settings\Mark Croucher\Local Settings\Application Data\qrsfyuom.log
c:\documents and settings\Mark Croucher\Local Settings\Application Data\roiuwcrg.log
c:\documents and settings\Mark Croucher\Local Settings\Application Data\ukgmfmpi.log
c:\windows\system32\d3d9caps.dat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_Micorsoft Windows Service
.
.
((((((((((((((((((((((((( Files Created from 2011-08-15 to 2011-09-15 )))))))))))))))))))))))))))))))
.
.
2011-09-15 18:04 . 2011-09-15 18:04 -------- d-----w- c:\program files\ERUNT
2011-09-08 23:04 . 2011-09-08 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-08 22:18 . 2011-09-08 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-09-08 19:26 . 2011-09-08 19:26 -------- d-----w- c:\documents and settings\Mark Croucher\Local Settings\Application Data\PackageAware
2011-09-08 17:41 . 2011-05-12 13:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-09-08 17:00 . 2011-09-08 17:00 -------- d-----w- c:\program files\Sophos
2011-09-08 15:27 . 2011-09-08 15:28 -------- d-----w- c:\documents and settings\Mark Croucher\Application Data\Lacir
2011-09-08 15:27 . 2011-09-08 15:59 -------- d-----w- c:\documents and settings\Mark Croucher\Application Data\Idiwip
2011-08-26 17:34 . 2011-08-26 17:34 -------- d-----w- c:\documents and settings\Mark Croucher\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-18 13:15 . 2011-06-13 08:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 16:22 . 2011-07-22 16:22 505842 ----a-r- c:\documents and settings\Mark Croucher\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 18:52 . 2011-07-22 17:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-07-22 17:46 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-11-28 19:31 . 2008-01-19 22:29 67696 ------w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:31 . 2008-01-19 22:29 54376 ------w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:31 . 2008-01-19 22:29 34952 ------w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:31 . 2008-01-19 22:29 46720 ------w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:31 . 2008-01-19 22:29 172144 ------w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-08_18.07.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-15 18:26 . 2011-09-15 18:26 188416 c:\windows\ERDNT\AutoBackup\15-09-2011\Users\00000002\UsrClass.dat
+ 2011-09-15 18:26 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\15-09-2011\ERDNT.EXE
+ 2011-09-15 18:05 . 2011-09-15 18:05 188416 c:\windows\ERDNT\15-09-2011\Users\00000002\UsrClass.dat
+ 2011-09-15 18:05 . 2005-10-20 11:02 163328 c:\windows\ERDNT\15-09-2011\ERDNT.EXE
+ 2011-09-15 18:26 . 2011-09-15 18:26 5275648 c:\windows\ERDNT\AutoBackup\15-09-2011\Users\00000001\NTUSER.DAT
+ 2011-09-15 18:05 . 2011-09-15 18:05 5275648 c:\windows\ERDNT\15-09-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ------w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ------w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"OalAcvcq"="c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe" [2011-09-15 114625]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2006-11-29 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 285627]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 250380]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Mark Croucher\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
oalacvcq.exe [2011-9-15 114625]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-09-09 03:20 88203 ----a-r- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL_Demo]
2005-12-01 17:03 177178 ----a-w- c:\applications\Tool\AOL Demo\DSGDemo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveIcons]
2005-12-09 18:39 775164 ----a-w- c:\program files\Realtek Semiconductor Corp\Card Reader Software\DriveIcon\DriveIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 16:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-23 11:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-23 11:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-23 11:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 22:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 22:32 172552 ----a-w- c:\program files\REGSHAVE\Regshave.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-07-21 23:56 16261632 ----a-r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-r- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-07-08 03:05 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2006-12-01 04:21 4687352 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [08/09/2011 18:41 18816]
R2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [01/03/2011 19:03 241664]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [04/09/2006 11:46 176128]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [01/03/2011 19:03 9728]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 odysseyIM2;Odyssey Network Service Miniport;c:\windows\system32\drivers\odysseyIM2.sys [29/04/2003 01:08 62273]
S3 VNUWL5B;VIA Networking Technologies USB Wireless LAN Adapter Driver Service;c:\windows\system32\drivers\VNUWL5B.SYS [01/09/2006 09:39 134656]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
*Deregistered* - BMLoad
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
FF - ProfilePath - c:\documents and settings\Mark Croucher\Application Data\Mozilla\Firefox\Profiles\74x07n38.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-15 19:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2004)
c:\windows\system32\WININET.dll
c:\documents and settings\Mark Croucher\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-09-15 19:31:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-15 18:31
ComboFix2.txt 2011-09-08 23:24
ComboFix3.txt 2011-09-08 22:51
ComboFix4.txt 2011-09-08 18:15
.
Pre-Run: 13,085,982,720 bytes free
Post-Run: 13,023,608,832 bytes free
.
- - End Of File - - 2815889414726B601CFBE3B0736EFFCE

#8 sempai

  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 16 September 2011 - 07:38 AM

Hi,

Please make sure that you save Combofix on your desktop before running the combofix script below.


We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy-paste the text in the code box below into it:

KillAll::

DDS::
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
uRun: [OalAcvcq] c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe
uRun: [McAfee McItInfo] c:\docume~1\markcr~1\locals~1\temp\mcitinfo_1315552675.exe /itinsfin:c:\docume~1\markcr~1\locals~1\temp\mcininfo_1315552675.ini 

File::
C:\DOCUME~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe
c:\docume~1\markcr~1\locals~1\temp\vlmhfsxd.sys
c:\windows\system32\5.tmp
c:\documents and settings\Mark Croucher\Start Menu\Programs\Startup\oalacvcq.exe

Folder::
c:\documents and settings\mark croucher\local settings\application data\gttkrvsa
c:\documents and settings\Mark Croucher\Application Data\Lacir
c:\documents and settings\Mark Croucher\Application Data\Idiwip

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OalAcvcq"=- 

Driver::
MEMSWEEP2
Micorsoft Windows Service

DirLook::
c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

4. Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

5. Referring to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


~Semp

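The persistence both the fixme.reg in post #6 and the CFScript above reset is a Winlogon Userinit hijack: the ComboFix log showed the default userinit.exe with a second program appended after a double comma, so Winlogon started the malware at every logon. As an added example that is not part of this thread, ComboFix, or BleepingComputer, here is a small Python audit that splits a Userinit value into its entries, drops the empty ones (the trailing comma of the default and the double comma in the infected value) and reports anything other than the expected userinit.exe; the sample log text is constructed from the lines posted above, and the expected default path is an assumption for a 32-bit Windows XP install.

```python
"""Audit a Winlogon Userinit value for appended programs.

Added example for this thread; not ComboFix or BleepingComputer code.
Works on the value as it appears in a ComboFix "Reg Loading Points"
section (single backslashes) or in a .reg file (doubled backslashes).
"""
import re
from typing import List, Optional

# Assumed default Userinit on a 32-bit Windows XP install (the value
# the fixme.reg in this thread restores); the trailing comma in the
# registry value is normal.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# "Name"="value" lines inside a ComboFix registry section; trailing
# annotations such as " [2011-09-15 114625]" are ignored.
REG_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')


def parse_userinit(value: str) -> List[str]:
    """Split a Userinit value into its program entries.

    Winlogon runs every comma-separated entry at logon.  Empty entries
    are dropped: the default value ends in a comma, and the infected
    value in this thread had a double comma before the injected path.
    """
    value = value.replace("\\\\", "\\")          # undo .reg escaping
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def find_userinit_hijack(value: str,
                         expected: str = EXPECTED_USERINIT) -> List[str]:
    """Return every Userinit entry that is not the expected userinit.exe.

    Comparison is case-insensitive and accepts the %SystemRoot% spelling.
    An empty list means the value is clean.
    """
    wanted = expected.lower()
    suspicious = []
    for entry in parse_userinit(value):
        normalised = entry.lower().replace("%systemroot%", r"c:\windows")
        if normalised != wanted:
            suspicious.append(entry)
    return suspicious


def userinit_from_combofix(log_text: str) -> Optional[str]:
    """Pull the Userinit value out of a ComboFix log's Winlogon section."""
    in_winlogon = False
    for line in log_text.splitlines():
        if line.startswith("["):                  # new registry section
            key = line.strip().lower().rstrip("]")
            in_winlogon = key.endswith(r"currentversion\winlogon")
            continue
        if in_winlogon:
            m = REG_LINE.match(line)
            if m and m.group("name").lower() == "userinit":
                return m.group("value")
    return None


# Constructed sample: the Run and Winlogon lines as they appeared in the
# ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OalAcvcq"="c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe" [2011-09-15 114625]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe"
.
"""


def audit_log(log_text: str) -> List[str]:
    """Suspicious Userinit entries found in a ComboFix log (empty = clean)."""
    value = userinit_from_combofix(log_text)
    return [] if value is None else find_userinit_hijack(value)


if __name__ == "__main__":
    for extra in audit_log(SAMPLE_LOG):
        print("Userinit runs an extra program:", extra)
    # The value the fixme.reg writes, in .reg escaping, comes back clean.
    print("clean default:", find_userinit_hijack(r"C:\\WINDOWS\\system32\\userinit.exe,"))
```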


#9 mcroucher

  • Topic Starter
  • Members
  • 13 posts

Posted 16 September 2011 - 08:15 AM

Good afternoon :)

Script added and Combofix run again, the log file is below. Tricky little bugger, isn't it? :(

ComboFix 11-09-15.05 - Mark Croucher 16/09/2011 13:52:48.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.503.256 [GMT 1:00]
Running from: c:\documents and settings\Mark Croucher\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Croucher\Desktop\cfscript.txt
.
FILE ::
"c:\docume~1\MARKCR~1\LOCALS~1\Temp\mcitinfo_1315552675.exe"
"c:\docume~1\markcr~1\locals~1\temp\vlmhfsxd.sys"
"c:\documents and settings\Mark Croucher\Start Menu\Programs\Startup\oalacvcq.exe"
"c:\windows\system32\5.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Mark Croucher\Application Data\Idiwip
c:\documents and settings\Mark Croucher\Application Data\Lacir
c:\documents and settings\Mark Croucher\Application Data\Lacir\myuxna.qev
c:\documents and settings\Mark Croucher\Application Data\Lacir\myuxna.tmp
c:\documents and settings\mark croucher\local settings\application data\gttkrvsa
c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe
c:\documents and settings\Mark Croucher\Start Menu\Programs\Startup\oalacvcq.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-08-16 to 2011-09-16 )))))))))))))))))))))))))))))))
.
.
2011-09-16 13:05 . 2011-09-16 13:05 -------- d-----w- c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa
2011-09-15 18:04 . 2011-09-15 18:04 -------- d-----w- c:\program files\ERUNT
2011-09-08 23:04 . 2011-09-08 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-09-08 22:18 . 2011-09-08 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2011-09-08 19:26 . 2011-09-08 19:26 -------- d-----w- c:\documents and settings\Mark Croucher\Local Settings\Application Data\PackageAware
2011-09-08 17:41 . 2011-05-12 13:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-09-08 17:00 . 2011-09-08 17:00 -------- d-----w- c:\program files\Sophos
2011-08-26 17:34 . 2011-08-26 17:34 -------- d-----w- c:\documents and settings\Mark Croucher\Local Settings\Application Data\PCHealth
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-18 13:15 . 2011-06-13 08:06 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 16:22 . 2011-07-22 16:22 505842 ----a-r- c:\documents and settings\Mark Croucher\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-06 18:52 . 2011-07-22 17:46 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52 . 2011-07-22 17:46 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2007-11-28 19:31 . 2008-01-19 22:29 67696 ------w- c:\program files\mozilla firefox\components\jar50.dll
2007-11-28 19:31 . 2008-01-19 22:29 54376 ------w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-11-28 19:31 . 2008-01-19 22:29 34952 ------w- c:\program files\mozilla firefox\components\myspell.dll
2007-11-28 19:31 . 2008-01-19 22:29 46720 ------w- c:\program files\mozilla firefox\components\spellchk.dll
2007-11-28 19:31 . 2008-01-19 22:29 172144 ------w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42} ----
.
2011-09-08 23:04 . 2011-09-08 23:04 693 ----a-w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.bitness.log
2011-09-08 23:04 . 2011-09-08 23:04 586 ----a-w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.weight.log
2011-09-08 23:04 . 2011-09-08 23:04 8093 ----a-w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.data.log
2011-09-08 23:04 . 2011-09-08 23:04 1367 ----a-w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA}.native.elements.log
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-08_18.07.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-16 13:05 . 2011-09-16 13:05 188416 c:\windows\ERDNT\AutoBackup\16-09-2011\Users\00000002\UsrClass.dat
+ 2011-09-16 13:05 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\16-09-2011\ERDNT.EXE
+ 2011-09-15 18:26 . 2011-09-15 18:26 188416 c:\windows\ERDNT\AutoBackup\15-09-2011\Users\00000002\UsrClass.dat
+ 2011-09-15 18:26 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\15-09-2011\ERDNT.EXE
+ 2011-09-15 18:05 . 2011-09-15 18:05 188416 c:\windows\ERDNT\15-09-2011\Users\00000002\UsrClass.dat
+ 2011-09-15 18:05 . 2005-10-20 11:02 163328 c:\windows\ERDNT\15-09-2011\ERDNT.EXE
+ 2011-09-16 13:05 . 2011-09-16 13:05 5275648 c:\windows\ERDNT\AutoBackup\16-09-2011\Users\00000001\NTUSER.DAT
+ 2011-09-15 18:26 . 2011-09-15 18:26 5275648 c:\windows\ERDNT\AutoBackup\15-09-2011\Users\00000001\NTUSER.DAT
+ 2011-09-15 18:05 . 2011-09-15 18:05 5275648 c:\windows\ERDNT\15-09-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2011-01-17 14:54 175912 ------w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ------w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"OalAcvcq"="c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe" [2011-09-16 114625]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2006-11-29 262144]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"snpstd"="c:\windows\vsnpstd.exe" [2003-12-31 40960]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2010-06-26 285627]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 250380]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Mark Croucher\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
oalacvcq.exe [2011-9-16 114625]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-09-09 03:20 88203 ----a-r- c:\windows\AGRSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-r- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL_Demo]
2005-12-01 17:03 177178 ----a-w- c:\applications\Tool\AOL Demo\DSGDemo.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveIcons]
2005-12-09 18:39 775164 ----a-w- c:\program files\Realtek Semiconductor Corp\Card Reader Software\DriveIcon\DriveIcon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-07 16:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-03-23 11:13 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-03-23 11:17 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-23 11:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-13 22:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-04 22:32 172552 ----a-w- c:\program files\REGSHAVE\Regshave.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-07-21 23:56 16261632 ----a-r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-r- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-07-08 03:05 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2006-12-01 04:21 4687352 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [08/09/2011 18:41 18816]
R2 UI Assistant Service;UI Assistant Service;c:\program files\T-Mobile Mobile Broadband Manager\AssistantServices.exe [01/03/2011 19:03 241664]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [04/09/2006 11:46 176128]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys --> c:\docume~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys [?]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [01/03/2011 19:03 9728]
S3 odysseyIM2;Odyssey Network Service Miniport;c:\windows\system32\drivers\odysseyIM2.sys [29/04/2003 01:08 62273]
S3 VNUWL5B;VIA Networking Technologies USB Wireless LAN Adapter Driver Service;c:\windows\system32\drivers\VNUWL5B.SYS [01/09/2006 09:39 134656]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
*Deregistered* - BMLoad
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
FF - ProfilePath - c:\documents and settings\Mark Croucher\Application Data\Mozilla\Firefox\Profiles\74x07n38.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-16 14:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3852)
c:\windows\system32\WININET.dll
c:\documents and settings\Mark Croucher\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2011-09-16 14:10:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-16 13:10
ComboFix2.txt 2011-09-15 18:31
ComboFix3.txt 2011-09-08 23:24
ComboFix4.txt 2011-09-08 22:51
ComboFix5.txt 2011-09-16 12:51
.
Pre-Run: 13,029,572,608 bytes free
Post-Run: 12,965,564,416 bytes free
.
- - End Of File - - 463510D319B2168D8623591935DAEFF3

Best regards,

Mark

#10 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 16 September 2011 - 09:18 AM

Mark, this looks like a file infector to me but let's make sure. If we're dealing with a file infector then our only option here is to wipe everything, reinstall the OS and start from scratch.



:step1: Can you please post the latest log of MBAM.



:step2: ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, but make sure you copy the logfile first.
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#11 mcroucher

mcroucher
  • Topic Starter

  • Members
  • 13 posts

Posted 16 September 2011 - 11:05 AM

Yes, I'm rather afraid you're right.... although my computer knowledge is a few years out of date, I tried everything I could think of, but ended up back at this same point :( I'll play with it some more, but I still can't access anti-virus sites, meaning I can not run the online scanner as requested :(

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7727

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/09/2011 16:57:36
mbam-log-2011-09-16 (16-57-22).txt

Scan type: Quick scan
Objects scanned: 156361
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OalAcvcq (Trojan.Agent.H) -> Value: OalAcvcq -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe (Trojan.Agent.H) -> No action taken.
c:\documents and settings\mark croucher\start menu\programs\startup\oalacvcq.exe (Trojan.Agent.H) -> No action taken.
c:\documents and settings\mark croucher\local settings\temp\gfjuexewshgansbn.exe (Trojan.Agent.H) -> No action taken.

Best regards,

Mark

#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 16 September 2011 - 11:12 AM

Can you also post the MBAM log where it found hundreds of infections, I think it's Win32/Ramnit.

~Semp



#13 mcroucher

mcroucher
  • Topic Starter

  • Members
  • 13 posts

Posted 16 September 2011 - 11:41 AM

Can you also post the MBAM log where it found hundreds of infections, I think it's Win32/Ramnit.


I suspect that is the infection... I've had a look, and now can't find the one where it said I had 787 infected files, unfortunately - it is possible I may not have saved the log file, as it was before I gave up in disgust at my own stupidity and posted my plea for help on here.... I have a feeling it was a full scan result, and when I saw how it had apparently multiplied, I switched off and posted here.... I'll run another MBAM full scan and see if I get the same....

Is there no hope for Win32/Ramnit? For some reason, it now won't let me write to my CD drive - I'm trying to copy my files before I FDisk it - although as my laptop is geriatric, it may well be the drive itself.... Naturally, although I know better, I haven't backed up anything before, so there's 6 years worth of files, plus all the software I can't find the disks for :(

I'll just nip out the back and shoot myself...... :)

With thanks for your time and patience....

Mark

#14 mcroucher

mcroucher
  • Topic Starter

  • Members
  • 13 posts

Posted 16 September 2011 - 12:35 PM

OK, re-done the full scan, and the results are below.....

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7727

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

16/09/2011 18:34:07
mbam-log-2011-09-16 (18-33-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 225150
Time elapsed: 51 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OalAcvcq (Trojan.Agent.H) -> Value: OalAcvcq -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0283744.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0284429.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0284549.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0285530.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0285531.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0285532.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0285534.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0285640.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0285641.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP658\A0285642.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP659\A0285838.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP659\A0285839.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP659\A0285840.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP659\A0286891.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP659\A0287401.exe (Trojan.Agent.H) -> No action taken.
c:\system volume information\_restore{3645f337-2eb4-4d2c-81fb-5451d08365b1}\RP659\A0287802.exe (Trojan.Agent.H) -> No action taken.
c:\program files\t-mobile mobile broadband manager\uiexecmgr.exe (Trojan.Agent.H) -> No action taken.
c:\program files\Yahoo!\messenger\yahoom~1mgr.exe (Trojan.Agent.H) -> No action taken.
c:\program files\freecorder\flvsrvcmgr.exe (Trojan.Agent.H) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe.vir (Trojan.Agent.H) -> No action taken.
c:\Qoobox\quarantine\C\documents and settings\mark croucher\start menu\Programs\Startup\oalacvcq.exe.vir (Trojan.Agent.H) -> No action taken.
c:\documents and settings\mark croucher\local settings\temp\gfjuexewshgansbn.exe (Trojan.Agent.H) -> No action taken.
c:\documents and settings\mark croucher\start menu\programs\startup\oalacvcq.exe (Trojan.Agent.H) -> No action taken.


Best regards,

Mark
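As an added example (not code from the thread, from ComboFix or from MBAM), the script below applies the checks a log reviewer makes on the two logs in this thread: the Userinit value in the ComboFix "Reg Loading Points" section, Run and service entries that point into user-writable profile directories, and the "<name>mgr.exe" files in the MBAM full scan above that sit beside legitimate executables. The sample lines are constructed from the posted logs; the rules and the KNOWN_EXES list are assumptions, not either tool's own logic.

```python
"""Triage of ComboFix / MBAM log lines for loading points and companion files.
Added example for this thread; constructed samples, reviewer heuristics."""
import re
from typing import List, Tuple

# Constructed sample: lines lifted from the ComboFix log posted earlier.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"OalAcvcq"="c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe" [2011-09-16 114625]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UIExec"="c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe" [2009-07-16 250380]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\Mark Croucher\Local Settings\Application Data\gttkrvsa\oalacvcq.exe"
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [08/09/2011 18:41 18816]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys --> c:\docume~1\MARKCR~1\LOCALS~1\Temp\vlmhfsxd.sys [?]
"""

# Constructed sample: three "Files Infected" lines from the MBAM full scan above.
MBAM_SAMPLE = r"""
c:\documents and settings\mark croucher\local settings\application data\gttkrvsa\oalacvcq.exe (Trojan.Agent.H) -> No action taken.
c:\program files\t-mobile mobile broadband manager\uiexecmgr.exe (Trojan.Agent.H) -> No action taken.
c:\program files\freecorder\flvsrvcmgr.exe (Trojan.Agent.H) -> No action taken.
"""

# Legitimate executables the ComboFix Run keys show to be installed (constructed list).
KNOWN_EXES = [
    r"c:\program files\T-Mobile Mobile Broadband Manager\UIExec.exe",
    r"c:\program files\Freecorder\FLVSrvc.exe",
]

# Profile locations a limited XP user can write to; a loading point living there is suspect.
USER_WRITABLE = re.compile(r"\\(local settings|locals~1|temp|application data)\\", re.IGNORECASE)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
SERVICE_LINE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<image>.+?)(?: \[|$)")


def triage_combofix(text: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for Run values, Userinit and service lines."""
    findings: List[Tuple[str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.lower()  # remember which registry key we are under
            continue
        m = RUN_VALUE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if "winlogon" in section and name.lower() == "userinit":
                # Userinit must be exactly system32\userinit.exe; anything appended runs at every logon.
                extras = [p for p in path.split(",")
                          if p and not p.lower().endswith(r"\system32\userinit.exe")]
                if extras:
                    findings.append(("userinit-hijack", ";".join(extras)))
            elif r"\run" in section and USER_WRITABLE.search(path):
                findings.append(("run-user-writable", f"{name} -> {path}"))
            continue
        m = SERVICE_LINE.match(line)
        if m and USER_WRITABLE.search(m.group("image")):
            # A kernel driver loaded from %TEMP% is never normal.
            findings.append(("service-user-writable", f"{m.group('name')} -> {m.group('image')}"))
    return findings


def companion_files(mbam_text: str, known_exes: List[str]) -> List[Tuple[str, str]]:
    """Pair each infected '<name>mgr.exe' with a legitimate '<name>.exe' in the same
    directory, the companion layout commonly associated with Win32/Ramnit (assumption)."""
    known = {p.lower(): p for p in known_exes}
    pairs: List[Tuple[str, str]] = []
    for raw in mbam_text.splitlines():
        m = re.match(r"^(?P<path>[a-z]:\\.+?\.exe) \(", raw.strip(), re.IGNORECASE)
        if m and m.group("path").lower().endswith("mgr.exe"):
            host = m.group("path")[:-len("mgr.exe")] + ".exe"
            if host.lower() in known:
                pairs.append((known[host.lower()], m.group("path")))
    return pairs


if __name__ == "__main__":
    for rule, detail in triage_combofix(COMBOFIX_SAMPLE):
        print(f"[{rule}] {detail}")
    for host, companion in companion_files(MBAM_SAMPLE, KNOWN_EXES):
        print(f"[companion] {companion} beside {host}")
```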

#15 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • Gender:Male
  • Location:3 stars and a sun

Posted 17 September 2011 - 07:21 AM

Please go to http://virscan.org/
  • Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

    c:\program files\t-mobile mobile broadband manager\uiexecmgr.exe
    c:\program files\Yahoo!\messenger\yahoom~1mgr.exe
    c:\program files\freecorder\flvsrvcmgr.exe

  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

~Semp


