Virus... can't update malware... connection issues?


  • This topic is locked
22 replies to this topic

#1 Mick Mc

  • Members
  • 14 posts

Posted 09 May 2012 - 02:39 AM

Windows XP machine


Started out as the black screen 'hard disk failure' virus.
I unhid the files and extensions.
Fixed the black screen.
I have internet access (explorer)
I ran Malware and it found two problems (trojan I think)
Next day, Avast won't run or update.
Malware won't run or update
A vpn connection won't connect.

Downloaded and ran DDS, but it would not do anything (run)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-09 01:10:00
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD5000AAKX-001CA0 rev.15.01H15
Running: zsbhujvk.exe; Driver: C:\Users\owner\AppData\Local\Temp\kxldypoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8B786374]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x90C232B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8B788996]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8B7889EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8B788B04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8B7888EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8B788A3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8B788940]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8B788AB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8B786398]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x90C23368]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8B786162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8B7863BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8B788EFC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8B786E54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8B7889C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8B788A16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8B788B2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8B788918]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8B788A7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8B78896E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8B788ADC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x90C23400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8B786D1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8B7863E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8B786404]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8B7861BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8B7862F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8B7862D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8B78631C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8B786428]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A555D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7A092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 244 82A81884 4 Bytes [74, 63, 78, 8B] {JZ 0x65; JS 0xffffffffffffff8f}
.text ntkrnlpa.exe!RtlSidHashLookup + 26C 82A818AC 4 Bytes [B8, 32, C2, 90]
.text ntkrnlpa.exe!RtlSidHashLookup + 320 82A81960 8 Bytes [96, 89, 78, 8B, EE, 89, 78, ...] {XCHG ESI, EAX; MOV [EAX-0x75], EDI; OUT DX, AL ; MOV [EAX-0x75], EDI}
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 82A8196C 4 Bytes [04, 8B, 78, 8B] {ADD AL, 0x8b; JS 0xffffffffffffff8f}
.text ntkrnlpa.exe!RtlSidHashLookup + 348 82A81988 4 Bytes [EC, 88, 78, 8B] {IN AL, DX ; MOV [EAX-0x75], BH}
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C7F72A 4 Bytes CALL 8B7874C5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C8783B 4 Bytes CALL 8B7874DB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMultiByteToUnicodeN + 7220 98EA9869 5 Bytes JMP 8B7894BC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngIsSemaphoreOwned + 8A1B 98EC08B4 5 Bytes JMP 8B7895E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngEraseSurface + C184 98EE1F5C 5 Bytes JMP 8B789FB2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XFORMOBJ_iGetXform + 3330 98EF5E5D 5 Bytes JMP 8B7890DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XFORMOBJ_iGetXform + 4035 98EF6B62 5 Bytes JMP 8B789D7E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetGammaTable + 18AB 98EFC826 5 Bytes JMP 8B7894CC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + 79B0 98F18D80 5 Bytes JMP 8B78914A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + 8697 98F19A67 5 Bytes JMP 8B788FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bEnum + 9287 98F1A657 5 Bytes JMP 8B789326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateSemaphore + A5E8 98F3546C 5 Bytes JMP 8B789D0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateSemaphore + C99D 98F37821 5 Bytes JMP 8B788F32 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngBitBlt + 56E 98F40E5D 5 Bytes JMP 8B789D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngBitBlt + 5230 98F45B1F 5 Bytes JMP 8B78A1BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLpkInstalled + 6129 98F58E7A 5 Bytes JMP 8B789016 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLpkInstalled + 1AED6 98F6DC27 5 Bytes JMP 8B789D96 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!STROBJ_bEnum + 99C0 98F8135C 5 Bytes JMP 8B78928E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 26C1 98F8943A 5 Bytes JMP 8B78A070 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bPolyBezierTo + F8 98F9CEC0 5 Bytes JMP 8B789254 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAcquireSemaphoreSharedNoWait + 1F5A 98FAD228 5 Bytes JMP 8B78A118 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_vGetBounds + EB5 98FD710B 5 Bytes JMP 8B7891AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCTGetCurrentGamma + 1C88 98FDB136 5 Bytes JMP 8B7891E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetPointerShape + C86 98FDDDEC 5 Bytes JMP 8B789EFA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_cEnumStart + 6D82 98FE6B65 5 Bytes JMP 8B789096 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[428] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[428] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!ReportEventA 774B86E4 5 Bytes JMP 001F0804
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!ReportEventW 774BCB0A 5 Bytes JMP 001F0A08
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!LookupAccountNameW 774BE86E 5 Bytes JMP 001F0C0C
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!RegisterEventSourceW 774C38D9 5 Bytes JMP 001F03FC
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!RegisterEventSourceA 774C767C 5 Bytes JMP 001F01F8
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!DeregisterEventSource 774C93A5 5 Bytes JMP 001F0600
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!RegConnectRegistryW 774DDDC7 5 Bytes JMP 001F0E10
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ADVAPI32.dll!RegConnectRegistryExW 774DDDE5 5 Bytes JMP 001F1014
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateDialogIndirectParamAorW 776F9BC3 5 Bytes JMP 00213054
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateDialogParamW 776F9BFF 5 Bytes JMP 00212A48
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetWindowLongA 776FB1E3 5 Bytes JMP 0021243C
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!GetWindowLongA 776FC899 5 Bytes JMP 00212034
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 6D3D8362 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CallNextHookEx 776FCC8F 5 Bytes JMP 6D3B9D40 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 002103FC
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateWindowExA 776FE18A 5 Bytes JMP 00211C2C
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateWindowExW 77700E51 5 Bytes JMP 6D3C812F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 6D37461B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 002101F8
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetWindowLongW 77706614 5 Bytes JMP 00212640
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!GetPropW 77707829 5 Bytes JMP 00211218
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!RemovePropW 77707A0E 5 Bytes JMP 00211A28
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetPropW 77707A64 5 Bytes JMP 00211620
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!GetWindowLongW 777083A9 5 Bytes JMP 00212238
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!LockWorkStation 77710FAD 5 Bytes JMP 00210E10
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateDialogParamA 77713E79 5 Bytes JMP 00212844
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateDialogIndirectParamA 77719110 5 Bytes JMP 00212C4C
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!CreateDialogIndirectParamW 777208AD 5 Bytes JMP 00212E50
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!RemovePropA 77723DE1 5 Bytes JMP 00211824
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetPropA 77723E3D 5 Bytes JMP 0021141C
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!GetPropA 777241AC 5 Bytes JMP 00211014
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamW 77724AA7 5 Bytes JMP 6D4F01A0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamAorW 7772551D 5 Bytes JMP 00213A68
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxParamW 7772564A 5 Bytes JMP 6D2E4B87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00210600
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxParamA 7773CF6A 5 Bytes JMP 6D4F013D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!DialogBoxIndirectParamA 7773D29C 5 Bytes JMP 6D4F0203 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!ExitWindowsEx 777406EF 5 Bytes JMP 00210C0C
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectA 7774E8C9 5 Bytes JMP 6D4F00D2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxIndirectW 7774E9C3 5 Bytes JMP 6D4F0067 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxExA 7774EA29 5 Bytes JMP 6D4F0005 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USER32.dll!MessageBoxExW 7774EA4D 5 Bytes JMP 6D4EFFA3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ole32.dll!OleLoadFromStream 77355BF6 5 Bytes JMP 6D4F04FE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ole32.dll!CoCreateInstance 773A590C 5 Bytes JMP 6D3C8C1D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ws2_32.DLL!connect 779148BE 5 Bytes JMP 020401F8
.text C:\Program Files\Internet Explorer\iexplore.exe[428] ws2_32.DLL!listen 7791A6EA 5 Bytes JMP 020403FC
.text C:\Program Files\Internet Explorer\iexplore.exe[428] iphlpapi.DLL!IcmpSendEcho2Ex 73D5561D 5 Bytes JMP 02030600
.text C:\Program Files\Internet Explorer\iexplore.exe[428] iphlpapi.DLL!CancelMibChangeNotify2 73D566A1 5 Bytes JMP 02030A08
.text C:\Program Files\Internet Explorer\iexplore.exe[428] iphlpapi.DLL!IcmpSendEcho 73D567C3 5 Bytes JMP 020301F8
.text C:\Program Files\Internet Explorer\iexplore.exe[428] iphlpapi.DLL!IcmpSendEcho2 73D567F3 5 Bytes JMP 020303FC
.text C:\Program Files\Internet Explorer\iexplore.exe[428] iphlpapi.DLL!NotifyRouteChange2 73D57A1F 5 Bytes JMP 02030804
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USERENV.dll!RegisterGPNotification 751E272B 5 Bytes JMP 022901F8
.text C:\Program Files\Internet Explorer\iexplore.exe[428] USERENV.dll!UnregisterGPNotification 751E274A 5 Bytes JMP 022903FC
.text C:\Windows\system32\svchost.exe[436] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[436] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[436] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[436] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00370A08
.text C:\Windows\system32\svchost.exe[436] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 003703FC
.text C:\Windows\system32\svchost.exe[436] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00370804
.text C:\Windows\system32\svchost.exe[436] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 003701F8
.text C:\Windows\system32\svchost.exe[436] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00370600
.text C:\Windows\System32\spoolsv.exe[452] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[452] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[452] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[452] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00100A08
.text C:\Windows\System32\spoolsv.exe[452] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001003FC
.text C:\Windows\System32\spoolsv.exe[452] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00100804
.text C:\Windows\System32\spoolsv.exe[452] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 001001F8
.text C:\Windows\System32\spoolsv.exe[452] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00100600
.text C:\Windows\System32\svchost.exe[476] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[476] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[476] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\csrss.exe[664] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001603FC
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001601F8
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00200A08
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 002003FC
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00200804
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 002001F8
.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[680] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00200600
.text C:\Windows\system32\csrss.exe[736] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\wininit.exe[744] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[744] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[744] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\wininit.exe[744] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[744] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[744] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[744] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[744] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 000C0600
.text C:\Windows\system32\services.exe[784] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[784] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[784] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\lsass.exe[804] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[804] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[804] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\lsass.exe[804] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\lsass.exe[804] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\lsass.exe[804] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\lsass.exe[804] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\lsass.exe[804] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 000C0600
.text C:\Windows\system32\lsm.exe[816] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[816] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[816] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[892] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[892] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[892] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[892] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 001C0A08
.text C:\Windows\system32\winlogon.exe[892] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001C03FC
.text C:\Windows\system32\winlogon.exe[892] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 001C0804
.text C:\Windows\system32\winlogon.exe[892] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 001C01F8
.text C:\Windows\system32\winlogon.exe[892] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 001C0600
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001603FC
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001601F8
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00210A08
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 002103FC
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00210804
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 002101F8
.text C:\Users\owner\Desktop\zsbhujvk.exe[912] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00210600
.text C:\Windows\system32\svchost.exe[972] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[972] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00250A08
.text C:\Windows\system32\svchost.exe[972] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 002503FC
.text C:\Windows\system32\svchost.exe[972] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00250804
.text C:\Windows\system32\svchost.exe[972] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 002501F8
.text C:\Windows\system32\svchost.exe[972] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00250600
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001503FC
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001501F8
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00170A08
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001703FC
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00170804
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 001701F8
.text C:\Program Files\IObit\Advanced SystemCare 5\ASCService.exe[1028] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00170600
.text C:\Windows\system32\nvvsvc.exe[1084] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[1084] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[1084] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[1084] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 001F0A08
.text C:\Windows\system32\nvvsvc.exe[1084] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001F03FC
.text C:\Windows\system32\nvvsvc.exe[1084] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 001F0804
.text C:\Windows\system32\nvvsvc.exe[1084] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 001F01F8
.text C:\Windows\system32\nvvsvc.exe[1084] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1124] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1124] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1124] user32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00300A08
.text C:\Windows\system32\svchost.exe[1124] user32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 003003FC
.text C:\Windows\system32\svchost.exe[1124] user32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00300804
.text C:\Windows\system32\svchost.exe[1124] user32.dll!SetWinEventHook 7770507E 5 Bytes JMP 003001F8
.text C:\Windows\system32\svchost.exe[1124] user32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00300600
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1220] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00370A08
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 003703FC
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00370804
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 003701F8
.text C:\Windows\System32\svchost.exe[1220] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00370600
.text C:\Windows\System32\svchost.exe[1260] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1260] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1260] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1260] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00310A08
.text C:\Windows\System32\svchost.exe[1260] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 003103FC
.text C:\Windows\System32\svchost.exe[1260] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00310804
.text C:\Windows\System32\svchost.exe[1260] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 003101F8
.text C:\Windows\System32\svchost.exe[1260] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00310600
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00B30A08
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 00B303FC
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00B30804
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 00B301F8
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00B30600
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00180A08
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001803FC
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00180804
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 001801F8
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1368] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00180600
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000503FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000501F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!ReportEventA 774B86E4 5 Bytes JMP 000F0804
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!ReportEventW 774BCB0A 5 Bytes JMP 000F0A08
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!LookupAccountNameW 774BE86E 5 Bytes JMP 000F0C0C
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!RegisterEventSourceW 774C38D9 5 Bytes JMP 000F03FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!RegisterEventSourceA 774C767C 5 Bytes JMP 000F01F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!DeregisterEventSource 774C93A5 5 Bytes JMP 000F0600
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!RegConnectRegistryW 774DDDC7 5 Bytes JMP 000F0E10
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ADVAPI32.dll!RegConnectRegistryExW 774DDDE5 5 Bytes JMP 000F1014
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateDialogIndirectParamAorW 776F9BC3 5 Bytes JMP 00113054
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateDialogParamW 776F9BFF 5 Bytes JMP 00112A48
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!SetWindowLongA 776FB1E3 5 Bytes JMP 0011243C
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!GetWindowLongA 776FC899 5 Bytes JMP 00112034
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00110A08
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001103FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateWindowExA 776FE18A 5 Bytes JMP 00111C2C
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateWindowExW 77700E51 5 Bytes JMP 6D3C812F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00110804
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 001101F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!SetWindowLongW 77706614 5 Bytes JMP 00112640
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!GetPropW 77707829 5 Bytes JMP 00111218
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!RemovePropW 77707A0E 5 Bytes JMP 00111A28
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!SetPropW 77707A64 5 Bytes JMP 00111620
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!GetWindowLongW 777083A9 5 Bytes JMP 00112238
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!LockWorkStation 77710FAD 5 Bytes JMP 00110E10
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateDialogParamA 77713E79 5 Bytes JMP 00112844
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateDialogIndirectParamA 77719110 5 Bytes JMP 00112C4C
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateDialogIndirectParamW 777208AD 5 Bytes JMP 00112E50
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!RemovePropA 77723DE1 5 Bytes JMP 00111824
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!SetPropA 77723E3D 5 Bytes JMP 0011141C
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!GetPropA 777241AC 5 Bytes JMP 00111014
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!DialogBoxIndirectParamW 77724AA7 5 Bytes JMP 6D4F01A0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!DialogBoxIndirectParamAorW 7772551D 5 Bytes JMP 00113A68
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!DialogBoxParamW 7772564A 5 Bytes JMP 6D2E4B87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00110600
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!DialogBoxParamA 7773CF6A 5 Bytes JMP 6D4F013D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!DialogBoxIndirectParamA 7773D29C 5 Bytes JMP 6D4F0203 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!ExitWindowsEx 777406EF 5 Bytes JMP 00110C0C
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!MessageBoxIndirectA 7774E8C9 5 Bytes JMP 6D4F00D2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!MessageBoxIndirectW 7774E9C3 5 Bytes JMP 6D4F0067 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!MessageBoxExA 7774EA29 5 Bytes JMP 6D4F0005 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!MessageBoxExW 7774EA4D 5 Bytes JMP 6D4EFFA3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ws2_32.DLL!connect 779148BE 5 Bytes JMP 01C801F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ws2_32.DLL!listen 7791A6EA 5 Bytes JMP 01C803FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] iphlpapi.DLL!IcmpSendEcho2Ex 73D5561D 5 Bytes JMP 01C10600
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] iphlpapi.DLL!CancelMibChangeNotify2 73D566A1 5 Bytes JMP 01C10A08
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] iphlpapi.DLL!IcmpSendEcho 73D567C3 5 Bytes JMP 01C101F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] iphlpapi.DLL!IcmpSendEcho2 73D567F3 5 Bytes JMP 01C103FC
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] iphlpapi.DLL!NotifyRouteChange2 73D57A1F 5 Bytes JMP 01C10804
.text C:\Windows\system32\svchost.exe[1444] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1444] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1444] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1444] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00A60A08
.text C:\Windows\system32\svchost.exe[1444] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 00A603FC
.text C:\Windows\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00A60804
.text C:\Windows\system32\svchost.exe[1444] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 00A601F8
.text C:\Windows\system32\svchost.exe[1444] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00A60600
.text C:\Windows\system32\nvvsvc.exe[1480] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001603FC
.text C:\Windows\system32\nvvsvc.exe[1480] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001601F8
.text C:\Windows\system32\nvvsvc.exe[1480] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\nvvsvc.exe[1480] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 001F0A08
.text C:\Windows\system32\nvvsvc.exe[1480] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001F03FC
.text C:\Windows\system32\nvvsvc.exe[1480] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 001F0804
.text C:\Windows\system32\nvvsvc.exe[1480] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 001F01F8
.text C:\Windows\system32\nvvsvc.exe[1480] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 001F0600
.text C:\Windows\system32\svchost.exe[1548] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000A03FC
.text C:\Windows\system32\svchost.exe[1548] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000A01F8
.text C:\Windows\system32\svchost.exe[1548] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00B10A08
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 00B103FC
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00B10804
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 00B101F8
.text C:\Windows\system32\svchost.exe[1548] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00B10600
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 6D3D8362 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!CallNextHookEx 776FCC8F 5 Bytes JMP 6D3B9D40 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!CreateWindowExW 77700E51 5 Bytes JMP 6D3C812F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 6D37461B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!DialogBoxIndirectParamW 77724AA7 5 Bytes JMP 6D4F01A0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!DialogBoxParamW 7772564A 5 Bytes JMP 6D2E4B87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!DialogBoxParamA 7773CF6A 5 Bytes JMP 6D4F013D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!DialogBoxIndirectParamA 7773D29C 5 Bytes JMP 6D4F0203 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!MessageBoxIndirectA 7774E8C9 5 Bytes JMP 6D4F00D2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!MessageBoxIndirectW 7774E9C3 5 Bytes JMP 6D4F0067 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!MessageBoxExA 7774EA29 5 Bytes JMP 6D4F0005 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] USER32.dll!MessageBoxExW 7774EA4D 5 Bytes JMP 6D4EFFA3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] ole32.dll!OleLoadFromStream 77355BF6 5 Bytes JMP 6D4F04FE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1608] ole32.dll!CoCreateInstance 773A590C 5 Bytes JMP 6D3C8C1D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001503FC
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001501F8
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 00200A08
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 002003FC
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00200804
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 002001F8
.text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1716] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 00200600
.text C:\Windows\System32\svchost.exe[1732] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[1732] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[1732] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1824] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[1824] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[1824] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[1824] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 000F0A08
.text C:\Windows\system32\Dwm.exe[1824] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 000F03FC
.text C:\Windows\system32\Dwm.exe[1824] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 000F0804
.text C:\Windows\system32\Dwm.exe[1824] USER32.dll!SetWinEventHook 7770507E 5 Bytes JMP 000F01F8
.text C:\Windows\system32\Dwm.exe[1824] USER32.dll!SetWindowsHookExA 77726DFA 5 Bytes JMP 000F0600
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1844] ntdll.dll!LdrUnloadDll 77ACBD1F 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1844] ntdll.dll!LdrLoadDll 77ACF425 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1844] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1844] USER32.dll!UnhookWindowsHookEx 776FCC7B 5 Bytes JMP 001E0A08
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1844] USER32.dll!UnhookWinEvent 776FD924 5 Bytes JMP 001E03FC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1844] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 001E0804
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1844] USER32.dll!SetWinEventHook 7770507E

Thank you

Mick


I'm new here, I hope I did this right...

Attached Files

  • Attached File  ark.zip   37.89KB   1 downloads
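The GMER entries above are user-mode inline hooks: a 5-byte JMP written over the start of an exported function inside a process (plus a few 1-byte patches), with the JMP target either attributed to a module (the IEFRAME.dll entries) or left as a bare address. The Python below is an added example, not part of the original post and not GMER's own code. It parses lines in that shape and groups them per process so that the unattributed targets, which are the ones to verify, stand apart from the resolved ones. The sample lines are constructed to match the format of the posted log; the page does not say which component placed the unattributed hooks, so the script only clusters them and labels nothing as malicious.

```python
"""Triage of GMER '.text' user-mode hook entries (added example)."""
import re
from collections import defaultdict

# Constructed sample, copied in the shape of the posted GMER entries.
SAMPLE_LOG = r"""
.text C:\Windows\system32\svchost.exe[1296] USER32.dll!SetWindowsHookExW 7770210A 5 Bytes JMP 00B30804
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetBinaryTypeW + 70 771B78FC 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] ws2_32.DLL!connect 779148BE 5 Bytes JMP 01C801F8
.text C:\Program Files\Internet Explorer\iexplore.exe[1396] USER32.dll!CreateWindowExW 77700E51 5 Bytes JMP 6D3C812F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
"""

# process path, [pid], module!symbol, optional "+ off", address, size, patch description
LINE_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<sym>\S+)(?: \+ (?P<off>[0-9A-Fa-f]+))? "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<size>\d+) Bytes? (?P<patch>.+)$"
)
# "JMP <target>" optionally followed by the module GMER resolved the target to
JMP_RE = re.compile(
    r"^JMP (?P<target>[0-9A-Fa-f]{8})(?: (?P<module>.+?)(?: \((?P<vendor>[^)]*)\))?)?$"
)


def parse_hooks(text):
    """Return one dict per '.text' hook line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = {
            "process": m["proc"], "pid": int(m["pid"]),
            "symbol": m["sym"], "offset": int(m["off"], 16) if m["off"] else 0,
            "address": int(m["addr"], 16), "size": int(m["size"]),
        }
        j = JMP_RE.match(m["patch"])
        if j:
            rec["kind"] = "jmp"
            rec["target"] = int(j["target"], 16)
            rec["target_module"] = j["module"]  # None when GMER printed no module
        else:
            rec["kind"] = "bytes"
            rec["patch"] = m["patch"]  # e.g. "[62]": bytes changed in place
        records.append(rec)
    return records


def classify(rec):
    """resolved: JMP into a module GMER named (IEFRAME.dll hooking USER32 here);
    unresolved: JMP to an address GMER attributed to no module, which both AV
    self-protection and injected code produce, so it needs verifying;
    patched: bytes overwritten without a JMP."""
    if rec["kind"] == "bytes":
        return "patched"
    return "resolved" if rec["target_module"] else "unresolved"


def triage(text):
    """Group hooks by (process, pid) and then by classification."""
    by_proc = defaultdict(lambda: defaultdict(list))
    for rec in parse_hooks(text):
        by_proc[(rec["process"], rec["pid"])][classify(rec)].append(rec)
    return by_proc


def unresolved_symbols(text):
    """Per process, the hooked exports whose JMP goes to unattributed code."""
    out = {}
    for (proc, pid), groups in triage(text).items():
        syms = sorted(r["symbol"] for r in groups["unresolved"])
        if syms:
            out[f"{proc}[{pid}]"] = syms
    return out


def trampoline_regions(text):
    """Per process, the 64 KiB regions (address >> 16) that unresolved targets
    fall in. Many hooks landing in one small region is the signature of a single
    hooking component that allocated one trampoline block."""
    regions = defaultdict(set)
    for (proc, pid), groups in triage(text).items():
        for r in groups["unresolved"]:
            regions[f"{proc}[{pid}]"].add(r["target"] >> 16)
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    for proc, syms in unresolved_symbols(SAMPLE_LOG).items():
        print(proc, "->", ", ".join(syms))
    print(trampoline_regions(SAMPLE_LOG))
```

Run it over the full posted log instead of the sample and the region grouping shows whether each process's unattributed hooks share one trampoline block (in the log, svchost[1296] targets all sit in 00B3xxxx, iexplore[1396] in 0011xxxx, 000Fxxxx, 01C1xxxx and 01C8xxxx). That is a follow-up list, not a verdict: the next step is to dump those regions and identify the owning code.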



#2 nasdaq
  • Malware Response Team
  • 39,586 posts
  • Location:Montreal, QC. Canada

Posted 11 May 2012 - 09:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Disable the CD emulators....

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed. Or when this computer is clean.

HOW TO: Enable the CD Emulators... <- to be enabled when all is well....

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.
===

Please Download
TDSSKiller.zip

Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

Let me know what problem persists.

#3 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 14 May 2012 - 03:09 PM

First problem...seems like this always pops up 'access denied'


Mick


I tried to attach a screen shot but 'error you aren't permitted to upload this kind of file'

#4 nasdaq
  • Malware Response Team
  • 39,586 posts
  • Location:Montreal, QC. Canada

Posted 15 May 2012 - 07:56 AM

I think you have a copy of TDSSKiller and MBAM.

Execute the rest of the instructions from step 3.

Step 1. Download TDSSKiller.exe
http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Step 2. Place TDSSKiller.exe in Malwarebytes Chameleon folder.
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Step 3. Install the Chameleon driver by doing the following:
Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

"C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\mbam-chameleon.exe" /o <- include the quotes.

A black DOS prompt will appear with a prompt to press any key to continue, please do.

Step 4. Execute TDSSKiller.exe by double-clicking on it.
On Windows Vista or 7, right-click the .exe and run it as an Administrator.
Press Start Scan
If Malicious objects are found, ensure Cure is selected (it should be by default)
Click Continue then click Reboot now
Once complete, a log will be produced at the root drive which is typically C:\
For example, C:\TDSSKiller.version_date_time_log.txt

Attach that log, please.

#5 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 15 May 2012 - 04:10 PM

After the black DOS prompt I hit OK.
It tried to update Malwarebytes
'An error has occurred. Please report this issue to our support team
Program error updating (1812,0,Configuration access denied)
The specified image file did not contain a resource section'

"configuration access denied" is a common theme so far.


Mick

#6 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 15 May 2012 - 04:18 PM

Could not run tdsskiller from desktop, link broken...
Reloaded tdsskiller from link to desktop
Run program
"windows cannot open the folder
Access to the compressed (zipped) folder 'C:\Users\owners\Desktop\tdsskiller.zip' is denied."



Mick

#7 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 15 May 2012 - 04:23 PM

Tried to just run tdsskiller

"Windows cannot open the folder.

Access to the Compressed (zipped) Folder
'C:\Users\owner\AppData\Local\Microsoft\Windows\Temporary Internet
Files\Content.IE5\32950ILN\tdskiller[1].zip' is denied."

Mick

#8 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 15 May 2012 - 04:52 PM

I tried to run aswMBR.exe
"Scan error"


Mick


#9 nasdaq
  • Malware Response Team
  • 39,586 posts
  • Location:Montreal, QC. Canada

Posted 16 May 2012 - 06:47 AM

Do you get access denied on all applications?

Run this tool and post the log if you can.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

#10 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 16 May 2012 - 02:30 PM

Saved Combofix to desktop, double clicked

"Windows cannot find 'C:\Users\owner\Desktop\Combofix.exe'. Make sure you typed the name correctly, and try again."


Mick

#11 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 16 May 2012 - 03:29 PM

I just tried to download Combofix again and it says it already exists.
I use the search box and type in combofix, 'no file found'


Mick

#12 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 16 May 2012 - 03:32 PM

Downloading combofix
I say yes replace file
Combofix starts
"Error opening file for writing:
C:\32788R22FWJFW\023.dat"


Mick

#13 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 16 May 2012 - 03:34 PM

Aborted error message

inside Combofix black box
"Can't write: C:\32788R22FWJFW\AWF.cmd"


Mick

#14 nasdaq
  • Malware Response Team
  • 39,586 posts
  • Location:Montreal, QC. Canada

Posted 17 May 2012 - 06:54 AM

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right-click and choose Run as Admin.
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Do not restart the computer.

Run ComboFix and post the log if you can.

#15 Mick Mc
  • Topic Starter
  • Members
  • 14 posts

Posted 17 May 2012 - 11:17 AM

It seems... I downloaded rkill, it ran. It didn't seem to do much more than 'Process terminated by Rkill or while it was running'

Mick



