Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
HP Recovery (In Progress)

flavallee (Trusted Advisor, 23,509 posts; joined May 2002; Hillsborough county, Florida; Experience: Advanced)
24-Oct-2009, 05:22 PM #16
SUPERAntiSpyware detected a few adware tracking cookies - which is normal for it to do.

Yes, it's fine to leave your HijackThis log visible in your thread. It's a troubleshooting tool that's used to assist you, so don't delete it.

I'm going to report your thread to the malware section and request a malware expert look at your HijackThis log and read your comments about C:\WINDOWS\System32\ - - -.

-----------------------------------------------------------------
Cookiegal (Administrator, 63,642 posts; joined Aug 2003; Quebec, Canada)
24-Oct-2009, 05:54 PM #17
Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean-up process is finished, as it makes our job more tedious, with additional new files that may have to be researched, which is very time-consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.
__________________
Microsoft MVP - Consumer Security
Tacpot (Member, 33 posts; joined Oct 2009; Experience: Intermediate)
25-Oct-2009, 08:39 AM #18
I took your advice and downloaded Combofix to my desktop saved as puppy.exe

Then following Combofix instructions I turned off all firewalls and antivirus/spyware programs. Then closed all windows.

When I clicked on the ComboFix icon I got the message "Windows Explorer has encountered a problem and needs to close........"

I ignored that and clicked on "Run".

Then message "Windows cannot find '32788R22FWJFW\hidec.exe'. Make sure you typed the name correctly and then try again."

Then message "Windows cannot find '32788R22FWJFW\n.pif'. Make sure you typed the name correctly and then try again."

Then message "Dr.Watson postmortem debugger has encountered a problem etc........."

Screen was now frozen so I used task manager to force a re-start. I have switched on my firewalls and antivirus again and await your instructions.
Cookiegal (Administrator, 63,642 posts; joined Aug 2003; Quebec, Canada)
26-Oct-2009, 07:10 PM #19
It sounds like one of your security programs interfered.

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________
Microsoft MVP - Consumer Security
Tacpot (Member, 33 posts; joined Oct 2009; Experience: Intermediate)
27-Oct-2009, 05:18 AM #20
I have already installed Malwarebytes as per Flavallee's suggestion above and posted the log.

Each time I run Malwarebytes it picks up this "stolen.data" and deletes it along with the windows\system32\xmldm folder, but it re-appears with every reboot.

There is also another folder in system32 called c*ck (where *= o) which is ignored by all security searches. Manually renaming or deleting it has made no difference.

I have downloaded the trial version of Scanspyware and it has picked up on my rogue system32 folders. I have posted the log below. I will have to buy their full version for removal. What do you think?

Here is the most recent Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 3027
Windows 5.1.2600 Service Pack 3
26/10/2009 19:57:27
mbam-log-2009-10-26 (19-57-27).txt
Scan type: Quick Scan
Objects scanned: 112764
Time elapsed: 8 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\xmldm (Stolen.Data) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\xmldm\netbanke_2009.10.26.073140_my_name@ad.yieldmanager[1].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xmldm\netbanke_2009.10.26.073140_my_name@content.yieldmanager[1].txt (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xmldm\netbanke_2009.10.26.073140_my_name@revsci[1].txt (Stolen.Data) -> Quarantined and deleted


ScanSpyware log:

ScanSpyware 3.9 (Build 1.9)
===========================
Scan Log created at: October 27, 2009 [10:13:43 AM] (GMT-00:00)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (5.1.2600)
MSIE: Internet Explorer 6.0.2900
Unique App Id: 74FB733E-12FB0965-E2968BDD-8DD7DCE8
Last Updated: October 27, 2009 (10:10:16 AM)

Preferences
~~~~~~~~~~~
[X] Quick Scan
(Fast yet Powerfull)
[ ] Deep Scan
(Recommended)
[ ] Custom Scan
(Be Selective)
[ ] Remove threats automatically after every scan.
[X] Create a 'Restore Point' before removing threats.
[X] Always send found threats to quarantine.
[X] Create a log-file automatically after every scan.
[ ] Launch app at Windows startup
[ ] Start scan when app starts
[ ] Scan in silent mode
[ ] Close app after completing scan

Scan Summary
~~~~~~~~~~~~
Processes scanned: 36
Processes detected: 0
Cookies scanned: 18
Cookies detected: 0
Directories scanned: 9717
Directories detected: 3
Files scanned: 102083
Files detected: 15
Registry entries scanned: 162150
Registry entries detected: 3
Total objects scanned: 274004
Total objects detected: 21
Total objects removed: 0
Elapsed Time: 00:01:46

Scan Report
~~~~~~~~~~~

[Object Type : Directory]
-------------------------
C:\WINDOWS\system32\**** - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\xmldm - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\UAs - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
[Object Type : File]
--------------------
D:\AUTORUN.INF - (8aba234578aff1b6ccb8c245503e03f1) - (Action to be taken : Quarantine) - belongs to "Cekar.D"
D:\folder.htt - (e0ba1af2184e62b8f1a79ca581aa6184) - (Action to be taken : Quarantine) - belongs to "Feldor.A"
C:\WINDOWS\system32\krncode.dat - (d5caf824f05536b5de5bd0cc8d7fa911) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\ldshyf1.old - (fe3f60c5456b71155c10381dc24595b7) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysk.ini - (0efeb8cc84a425f1872707e637030354) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysp.ini - (c577ec4f3f2b4608e66339b0d92265d6) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysw.ini - (5de146941eff2c5962d75fbd97257a13) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\osysk.dat - (b921fb870c9ac0d509b2ccabbbbe95f3) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\osysw.dat - (cf0a5fe05bf614c24950d8faec1bc309) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\osysp.dat - (50a166237a0fa771261275a405646cc0) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\pwrcode.dat - (6811fd9c16dbd120fb095e6978bb2f84) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\sysk.tmp - (0efeb8cc84a425f1872707e637030354) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\sysp.tmp - (fe948c3d08bd99a9e85be797b731ec90) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\sysw.tmp - (5de146941eff2c5962d75fbd97257a13) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\wincode.dat - (a473381869339e0a4298d15dfc1d51d0) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
[Object Type : Registry Key]
----------------------------
HKEY_CLASSES_ROOT\CLSID\{6C3A97D1-5E00-4409-B8E9-3F9BC103AC2D} - (Action to be taken : Quarantine) - belongs to "Nadebanker"
HKEY_LOCAL_MACHINE\software\classes\CLSID\{6C3A97D1-5E00-4409-B8E9-3F9BC103AC2D} - (Action to be taken : Quarantine) - belongs to "Nadebanker"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
------------------------- End Of File -------------------------

Last edited by Tacpot : 27-Oct-2009 06:21 AM.
Cookiegal (Administrator, 63,642 posts; joined Aug 2003; Quebec, Canada)
27-Oct-2009, 07:47 PM #21
Please do not download programs when not asked to. You've downloaded yourself more malware as ScanSpyware is a rogue program.

Download GMER from: http://gmer.net/index.php

Save it on your desktop and unzip it.

Double-click gmer.exe to run it, select the Rootkit tab and press Scan. When the scan is done, click Copy. This will copy the report to the clipboard. Paste it into Notepad and save it, and also paste the log report back here please.
__________________
Microsoft MVP - Consumer Security
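The rootkit scan requested above produces the kind of output posted in reply #28: SSDT entries, inline ".text" hooks and ".reloc" section notes. What follows is an added example, not GMER's code and not part of the original thread, that parses those three line shapes and separates the entries a reviewer would look at first from the rest. The sample lines are copied from the log later in this thread, except the final one, which is a constructed negative case with a hypothetical module name; the vendor allow-list is likewise an assumption about what is expected on this particular machine.

```python
"""Triage of GMER rootkit-scan output (added example; not GMER's code).

Line shapes handled:
  SSDT <addr> Zw<Name>                                      -> handler not mapped to a driver
  SSDT \??\<driver path> (<desc>/<vendor>) Zw<Name> [0x..]   -> handler mapped to a driver
  .text <proc>[pid] <dll>!<export> <addr> N Bytes JMP <addr> <module> (<desc>/<vendor>)
  .reloc ...                                                -> informational, skipped
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the GMER log in this thread, except the last line, which is a
# constructed negative case (hypothetical module and address).
SAMPLE_GMER = r"""
SSDT 8A277060 ZwAlertResumeThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xED6A7020]
SSDT 8A0F96D0 ZwWriteVirtualMemory
.reloc C:\WINDOWS\system32\svchost.exe[180] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.text C:\WINDOWS\system32\SearchIndexer.exe[1472] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3476] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 00A51234 C:\WINDOWS\system32\EXAMPLE_UNKNOWN.dll
"""

# Assumption: vendors whose hooks are expected on this machine (the Symantec
# suite and Microsoft's own IE / Search components seen in the log).
TRUSTED_VENDORS = {"Microsoft Corporation", "Symantec Corporation"}


@dataclass
class Hook:
    kind: str                      # "ssdt" or "inline"
    target: str                    # "ZwCreateKey" or "ws2_32.dll!send"
    handler: Optional[str]         # module GMER attributed the hook to, or None
    vendor: Optional[str]          # company part of "(description/company)", or None
    process: Optional[str] = None  # hooked process, inline hooks only


SSDT_MODULE = re.compile(
    r"^SSDT\s+(\\\?\?\\\S+)\s+\(([^)]*)\)\s+(Zw\w+)\s+\[0x[0-9A-F]+\]$")
SSDT_BARE = re.compile(r"^SSDT\s+[0-9A-F]{8}\s+(Zw\w+)$")
INLINE = re.compile(
    r"^\.text\s+(.+?)\[\d+\]\s+(\S+!\S+)\s+[0-9A-F]+\s+\d+\s+Bytes\s+JMP\s+"
    r"[0-9A-F]+\s+(.+?)(?:\s+\(([^)]*)\))?$")


def _vendor(desc: Optional[str]) -> Optional[str]:
    """'Symantec Event Library/Symantec Corporation' -> 'Symantec Corporation'."""
    return desc.rsplit("/", 1)[-1] if desc else None


def parse_gmer(text: str) -> List[Hook]:
    """One Hook per SSDT or inline-hook line; other lines are ignored."""
    hooks: List[Hook] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_MODULE.match(line)
        if m:
            path, desc, func = m.groups()
            hooks.append(Hook("ssdt", func, path, _vendor(desc)))
            continue
        m = SSDT_BARE.match(line)
        if m:
            hooks.append(Hook("ssdt", m.group(1), None, None))
            continue
        m = INLINE.match(line)
        if m:
            proc, target, path, desc = m.groups()
            hooks.append(Hook("inline", target, path, _vendor(desc), proc))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, list]:
    """Bucket the hooks a reviewer should check before anything else."""
    return {
        "total": len(hooks),
        # GMER printed only a kernel address: it could not map the handler to
        # a driver on disk. Check these against the loaded-driver list.
        "unattributed_ssdt": [h.target for h in hooks
                              if h.kind == "ssdt" and h.handler is None],
        # Handler module has no vendor string, or a vendor we do not expect.
        "unknown_or_untrusted": [(h.target, h.handler) for h in hooks
                                 if h.handler and h.vendor not in TRUSTED_VENDORS],
        # Anything sitting on the Winsock path sees plaintext before/after TLS.
        "winsock_hooks": [(h.target, h.handler) for h in hooks
                          if h.kind == "inline"
                          and h.target.lower().startswith("ws2_32.dll!")],
    }


if __name__ == "__main__":
    for key, value in triage(parse_gmer(SAMPLE_GMER)).items():
        print(f"{key}: {value}")
```

On the real log the Winsock hooks in IEXPLORE.EXE resolve to Microsoft's SeaNote.dll, so they land in "winsock_hooks" but not in "unknown_or_untrusted"; the unattributed SSDT entries are the ones that still need a second look, because the script cannot tell from the log alone which driver owns those addresses.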
Tacpot (Member, 33 posts; joined Oct 2009; Experience: Intermediate)
28-Oct-2009, 05:27 AM #22
I have to admit to desperation influencing my decision to pay for and download ScanSpyware - it took two attempts to clean, but it worked.

Subsequent scans with Malwarebytes show my system as clean and three folders (c*ck, UAs and xmldm) have been permanently removed from windows\system32.

Here are the two logs from ScanSpyware:


ScanSpyware 3.9 (Build 1.9)
===========================
Scan Log created at: October 27, 2009 [08:14:05 PM] (GMT-00:00)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (5.1.2600)
MSIE: Internet Explorer 6.0.2900
Unique App Id: 74FB733E-12FB0965-E2968BDD-8DD7DCE8
Last Updated: October 27, 2009 (10:10:16 AM)

Preferences
~~~~~~~~~~~
[X] Quick Scan
(Fast yet Powerfull)
[ ] Deep Scan
(Recommended)
[ ] Custom Scan
(Be Selective)
[ ] Remove threats automatically after every scan.
[X] Create a 'Restore Point' before removing threats.
[X] Always send found threats to quarantine.
[X] Create a log-file automatically after every scan.
[ ] Launch app at Windows startup
[ ] Start scan when app starts
[ ] Scan in silent mode
[ ] Close app after completing scan

Scan Summary
~~~~~~~~~~~~
Processes scanned: 37
Processes detected: 0
Cookies scanned: 75
Cookies detected: 0
Directories scanned: 9717
Directories detected: 3
Files scanned: 100574
Files detected: 12
Registry entries scanned: 162150
Registry entries detected: 3
Total objects scanned: 272553
Total objects detected: 18
Total objects removed: 19
Elapsed Time: 00:02:18

Scan Report
~~~~~~~~~~~

[Object Type : Directory]
-------------------------
C:\WINDOWS\system32\**** - (Action status : Pending) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\xmldm - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\UAs - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
[Object Type : File]
--------------------
D:\AUTORUN.INF - (8aba234578aff1b6ccb8c245503e03f1) - (Action taken : Quarantined) - belongs to "Cekar.D"
D:\folder.htt - (e0ba1af2184e62b8f1a79ca581aa6184) - (Action taken : Quarantined) - belongs to "Feldor.A"
C:\WINDOWS\system32\krncode.dat - (d5caf824f05536b5de5bd0cc8d7fa911) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\ldshyf1.old - (fe3f60c5456b71155c10381dc24595b7) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysk.ini - (0efeb8cc84a425f1872707e637030354) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysp.ini - (4478bba6b370a8a4e09f8b946510eff9) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysw.ini - (5de146941eff2c5962d75fbd97257a13) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\osysk.dat - (b921fb870c9ac0d509b2ccabbbbe95f3) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\osysw.dat - (cf0a5fe05bf614c24950d8faec1bc309) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\osysp.dat - (50a166237a0fa771261275a405646cc0) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\pwrcode.dat - (6811fd9c16dbd120fb095e6978bb2f84) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\wincode.dat - (a473381869339e0a4298d15dfc1d51d0) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
[Object Type : Registry Key]
----------------------------
HKEY_CLASSES_ROOT\CLSID\{6C3A97D1-5E00-4409-B8E9-3F9BC103AC2D} - (Action taken : Quarantined) - belongs to "Nadebanker"
HKEY_LOCAL_MACHINE\software\classes\CLSID\{6C3A97D1-5E00-4409-B8E9-3F9BC103AC2D} - (Action taken : Quarantined) - belongs to "Nadebanker"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
------------------------- End Of File -------------------------


ScanSpyware 3.9 (Build 1.9)
===========================
Scan Log created at: October 27, 2009 [08:18:25 PM] (GMT-00:00)
Platform: Microsoft Windows XP Home Edition Service Pack 3 (5.1.2600)
MSIE: Internet Explorer 6.0.2900
Unique App Id: 74FB733E-12FB0965-E2968BDD-8DD7DCE8
Last Updated: October 27, 2009 (10:10:16 AM)

Preferences
~~~~~~~~~~~
[X] Quick Scan
(Fast yet Powerfull)
[ ] Deep Scan
(Recommended)
[ ] Custom Scan
(Be Selective)
[ ] Remove threats automatically after every scan.
[X] Create a 'Restore Point' before removing threats.
[X] Always send found threats to quarantine.
[X] Create a log-file automatically after every scan.
[ ] Launch app at Windows startup
[ ] Start scan when app starts
[ ] Scan in silent mode
[ ] Close app after completing scan

Scan Summary
~~~~~~~~~~~~
Processes scanned: 43
Processes detected: 0
Cookies scanned: 78
Cookies detected: 0
Directories scanned: 9717
Directories detected: 1
Files scanned: 100575
Files detected: 0
Registry entries scanned: 162150
Registry entries detected: 0
Total objects scanned: 272563
Total objects detected: 1
Total objects removed: 1
Elapsed Time: 00:02:40

Scan Report
~~~~~~~~~~~

[Object Type : Directory]
-------------------------
C:\WINDOWS\system32\**** - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
------------------------- End Of File -------------------------
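The ScanSpyware reports in reply #20 and reply #22 carry an MD5 per file, which makes two things checkable that the summaries alone do not show: in the first report nsysk.ini and sysk.tmp share one hash (as do nsysw.ini and sysw.tmp), and between the 10:13 AM and 08:14 PM reports the hash of nsysp.ini changed while the three .tmp files disappeared from the listing. The following is an added example, not ScanSpyware's code and not part of the original posts, that parses that report format and performs both comparisons; the embedded samples are subsets of the two reports above, copied verbatim.

```python
"""Parse and compare ScanSpyware-style scan reports (added example).

Detection lines look like one of:
  <path> - (<md5>) - (Action to be taken : Quarantine) - belongs to "<family>"
  <path> - (Action taken : Quarantined) - belongs to "<family>"        (dirs, registry)
  <path> - (Action status : Pending) - belongs to "<family>"
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Subsets of the two reports posted in this thread (27-Oct-2009, 10:13 AM and 08:14 PM).
FIRST_SCAN = r"""
C:\WINDOWS\system32\xmldm - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
D:\AUTORUN.INF - (8aba234578aff1b6ccb8c245503e03f1) - (Action to be taken : Quarantine) - belongs to "Cekar.D"
C:\WINDOWS\system32\krncode.dat - (d5caf824f05536b5de5bd0cc8d7fa911) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysk.ini - (0efeb8cc84a425f1872707e637030354) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysp.ini - (c577ec4f3f2b4608e66339b0d92265d6) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysw.ini - (5de146941eff2c5962d75fbd97257a13) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\sysk.tmp - (0efeb8cc84a425f1872707e637030354) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\sysp.tmp - (fe948c3d08bd99a9e85be797b731ec90) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\sysw.tmp - (5de146941eff2c5962d75fbd97257a13) - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh - (Action to be taken : Quarantine) - belongs to "Trojan.Bankpatch.A"
"""

SECOND_SCAN = r"""
C:\WINDOWS\system32\**** - (Action status : Pending) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\xmldm - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
D:\AUTORUN.INF - (8aba234578aff1b6ccb8c245503e03f1) - (Action taken : Quarantined) - belongs to "Cekar.D"
C:\WINDOWS\system32\krncode.dat - (d5caf824f05536b5de5bd0cc8d7fa911) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysk.ini - (0efeb8cc84a425f1872707e637030354) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysp.ini - (4478bba6b370a8a4e09f8b946510eff9) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
C:\WINDOWS\system32\nsysw.ini - (5de146941eff2c5962d75fbd97257a13) - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\prh - (Action taken : Quarantined) - belongs to "Trojan.Bankpatch.A"
"""

DETECTION = re.compile(
    r'^(?P<path>.+?) - '
    r'(?:\((?P<md5>[0-9a-f]{32})\) - )?'
    r'\(Action (?:to be taken|taken|status) : (?P<action>\w+)\) - '
    r'belongs to "(?P<family>[^"]+)"$'
)


@dataclass(frozen=True)
class Detection:
    path: str
    md5: Optional[str]   # None for directory and registry objects
    action: str          # Quarantine / Quarantined / Pending
    family: str


def parse_report(text: str) -> List[Detection]:
    """One Detection per line in the report's detection format; other lines ignored."""
    out: List[Detection] = []
    for raw in text.splitlines():
        m = DETECTION.match(raw.strip())
        if m:
            out.append(Detection(m["path"], m["md5"], m["action"], m["family"]))
    return out


def duplicate_hashes(dets: List[Detection]) -> Dict[str, List[str]]:
    """MD5 -> sorted paths, for every hash that appears under more than one path
    (identical content dropped under different names)."""
    by_hash: Dict[str, set] = defaultdict(set)
    for d in dets:
        if d.md5:
            by_hash[d.md5].add(d.path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def compare_reports(before: List[Detection],
                    after: List[Detection]) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """(changed, gone): files whose hash differs between the two scans, i.e. were
    rewritten in between, and files the first scan listed that the second no longer does."""
    b = {d.path: d.md5 for d in before if d.md5}
    a = {d.path: d.md5 for d in after if d.md5}
    changed = {p: (b[p], a[p]) for p in b if p in a and a[p] != b[p]}
    gone = sorted(p for p in b if p not in a)
    return changed, gone


if __name__ == "__main__":
    first, second = parse_report(FIRST_SCAN), parse_report(SECOND_SCAN)
    print("same content under different names:", duplicate_hashes(first))
    changed, gone = compare_reports(first, second)
    print("rewritten between scans:", changed)
    print("no longer listed:", gone)
```

A file whose hash changes between two scans was written to after the first scan, which is the kind of fact worth knowing before treating a "Quarantined" line as the end of the story.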
Cookiegal (Administrator, 63,642 posts; joined Aug 2003; Quebec, Canada)
28-Oct-2009, 06:37 PM #23
Please drag the ComboFix exe to the recycle bin and download the latest version and run the scan as per the instructions in my earlier post.
Tacpot (Member, 33 posts; joined Oct 2009; Experience: Intermediate)
29-Oct-2009, 04:11 PM #24
A big thank you to Flavallee and Cookiegal for all your advice.
Cookiegal (Administrator, 63,642 posts; joined Aug 2003; Quebec, Canada)
29-Oct-2009, 07:35 PM #25
So I take it you don't wish to continue?
flavallee (Trusted Advisor, 23,509 posts; joined May 2002; Hillsborough county, Florida; Experience: Advanced)
29-Oct-2009, 07:46 PM #26
Quote (Originally Posted by Cookiegal):
So I take it you don't wish to continue?
I was wondering about that too.
----------------------------------------------------------------
Tacpot (Member, 33 posts; joined Oct 2009; Experience: Intermediate)
30-Oct-2009, 05:32 AM #27
Now I'm confused!

My original problem of programs "encountering problems etc.." has been fixed. It seemed for a while that the more I poked at it the worse it got but ScanSpyware has removed it.

Subsequent scans with MalwareBytes confirm that the culprit has been removed.

Flavallee had previously guided me through some overdue housekeeping tasks for which I am grateful and now my laptop is running sweetly.

Have I overlooked something?
Tacpot (Member, 33 posts; joined Oct 2009; Experience: Intermediate)
30-Oct-2009, 10:17 PM #28
I followed your instructions with GMER.exe and here is the log:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-31 02:13:32
Windows 5.1.2600 Service Pack 3
Running: cuddly.exe; Driver: C:\DOCUME~1\RONWOO~1\LOCALS~1\Temp\uxtdapow.sys

---- System - GMER 1.0.15 ----
SSDT 8A277060 ZwAlertResumeThread
SSDT 89E816C8 ZwAlertThread
SSDT 89E301A8 ZwAllocateVirtualMemory
SSDT 8A410138 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xED6A7020]
SSDT 8A08D728 ZwCreateMutant
SSDT 89E93620 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xED6A72A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xED6A7800]
SSDT 8A0F9600 ZwFreeVirtualMemory
SSDT 8A1A18A8 ZwImpersonateAnonymousToken
SSDT 89E1F870 ZwImpersonateThread
SSDT 8A03B628 ZwMapViewOfSection
SSDT 8A1AB230 ZwOpenEvent
SSDT 8A1B2C40 ZwOpenProcessToken
SSDT 8A0F6478 ZwOpenThreadToken
SSDT 8A0FD770 ZwResumeThread
SSDT 89E8B710 ZwSetContextThread
SSDT 8A0F6548 ZwSetInformationProcess
SSDT 8A0D12F0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xED6A7A50]
SSDT 8A1AA2D8 ZwSuspendProcess
SSDT 8A1B35F8 ZwSuspendThread
SSDT 8A0FCBC0 ZwTerminateProcess
SSDT 8A0C7280 ZwTerminateThread
SSDT 8A0F4A00 ZwUnmapViewOfSection
SSDT 8A0F96D0 ZwWriteVirtualMemory
---- User code sections - GMER 1.0.15 ----
.reloc C:\WINDOWS\system32\svchost.exe[180] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[180] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[212] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[284] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[384] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe[396] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[512] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe[548] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\csrss.exe[788] C:\WINDOWS\system32\KERNEL32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\winlogon.exe[816] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\services.exe[860] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\lsass.exe[872] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[876] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[876] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1028] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1096] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\System32\svchost.exe[1136] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\System32\svchost.exe[1136] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1344] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\svchost.exe[1388] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.text C:\WINDOWS\system32\SearchIndexer.exe[1472] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.reloc C:\WINDOWS\system32\SearchIndexer.exe[1472] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1588] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe[1588] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[1652] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Windows Live\Toolbar\wltuser.exe[1856] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Windows Live\Toolbar\wltuser.exe[1856] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\WINDOWS\system32\spoolsv.exe[2008] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\System32\alg.exe[2180] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Documents and Settings\Ron Woods\Desktop\cuddly.exe[2360] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\notepad.exe[2648] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\Explorer.EXE[3476] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\Explorer.EXE[3476] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.reloc C:\Program Files\Internet Explorer\IEXPLORE.EXE[3780] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3880] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.reloc C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CAE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 46CAEEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!socket 71AB4211 5 Bytes JMP 46CAE59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 46CAE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!recv 71AB676F 5 Bytes JMP 46CAF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.reloc C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[3896] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[3896] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe[3920] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3936] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Common Files\Symantec Shared\ccApp.exe[3936] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.reloc C:\WINDOWS\system32\wbem\wmiprvse.exe[3976] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\WINDOWS\system32\ctfmon.exe[3984] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.reloc C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] C:\WINDOWS\system32\kernel32.dll section is executable [0x7C8F0000, 0x6C84, 0xE2000040]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.reloc C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] C:\WINDOWS\system32\WININET.dll section is executable [0x3DA0F000, 0x77C4, 0xE2000040]
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ws2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CAE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 46CAEEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ws2_32.dll!socket 71AB4211 5 Bytes JMP 46CAE59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ws2_32.dll!connect 71AB4A07 5 Bytes JMP 46CAE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] ws2_32.dll!recv 71AB676F 5 Bytes JMP 46CAF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[4072] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
Cookiegal
Administrator with 63,642 posts.
Join Date: Aug 2003
Location: Quebec, Canada
31-Oct-2009, 02:25 PM #29
OK, thanks. Now please follow the instructions in my post no. 23.
Tacpot
Member with 33 posts.
Join Date: Oct 2009
Experience: Intermediate
31-Oct-2009, 03:46 PM #30
Done done and done.............thanks for all your time on this.

ComboFix 09-10-30.01 - My Name 31/10/2009 19:20.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.1406.777 [GMT 0:00]
Running from: c:\documents and settings\My Name\Desktop\purple.exe
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\recycler\S-1-5-21-1386387506-4140864413-4240894001-1003
c:\recycler\S-1-5-21-2707862942-183699304-3338115684-500
c:\recycler\S-1-5-21-2843092905-2553061452-2265837823-1003
c:\windows\system32\install.exe
c:\windows\system32\oem73.inf
Infected copy of c:\windows\system32\powrprof.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP23\A0003299.dll
Infected copy of c:\windows\system32\wininet.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP23\A0003300.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-31 )))))))))))))))))))))))))))))))
.
2009-10-31 18:12 . 2009-10-31 18:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-27 19:35 . 2009-10-27 19:42 25 ----a-w- c:\windows\system32\urhtps.dat
2009-10-27 17:32 . 2009-10-27 17:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-27 17:31 . 2009-10-27 17:31 -------- d-----w- c:\documents and settings\My Name\Local Settings\Application Data\Threat Expert
2009-10-27 10:07 . 2009-10-27 10:07 -------- d-----w- c:\documents and settings\My Name\Application Data\ScanSpyware
2009-10-27 10:07 . 2008-09-07 17:22 8704 ----a-w- c:\windows\system32\ssbtsr.exe
2009-10-27 10:07 . 2009-10-27 10:07 -------- d-----w- c:\program files\ScanSpyware
2009-10-21 18:07 . 2009-10-21 18:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-21 18:07 . 2009-10-31 18:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 18:07 . 2009-10-31 18:13 -------- d-----w- c:\documents and settings\My Name\Application Data\SUPERAntiSpyware.com
2009-10-20 14:19 . 2009-10-20 14:19 -------- d-----w- c:\documents and settings\My Name\Application Data\Malwarebytes
2009-10-20 14:19 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 14:19 . 2009-10-20 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 14:19 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 14:19 . 2009-10-22 08:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 08:35 . 2009-10-16 08:35 -------- d-----w- c:\program files\Trend Micro
2009-10-15 23:34 . 2008-04-14 04:41 81920 ------w- c:\windows\system32\ieencode.dll
2009-10-15 21:37 . 2009-10-15 21:37 -------- d-----w- c:\documents and settings\My Name\Application Data\Windows Search
2009-10-15 18:56 . 2009-10-15 18:56 -------- d-----w- c:\documents and settings\My Name\Application Data\Nero
2009-10-15 18:52 . 2009-10-15 18:53 -------- d-----w- c:\program files\Nero
2009-10-15 18:51 . 2009-10-15 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-10-15 18:51 . 2009-10-15 18:55 -------- d-----w- c:\program files\Common Files\Nero
2009-10-15 17:13 . 2009-10-15 17:13 -------- d-----w- c:\documents and settings\My Name\Tracing
2009-10-15 17:11 . 2009-08-05 21:48 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-10-15 17:11 . 2009-10-15 17:11 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-10-15 17:10 . 2006-11-29 12:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-10-15 17:10 . 2009-10-15 17:10 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-15 17:08 . 2009-10-15 17:08 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-10-15 17:07 . 2009-10-15 17:11 -------- d-----w- c:\program files\Windows Live
2009-10-15 16:18 . 2009-10-15 16:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-10-15 16:15 . 2009-10-15 16:15 -------- d-----w- c:\program files\Common Files\Windows Live
2009-10-15 16:14 . 2009-10-15 17:08 -------- d-----w- c:\program files\Microsoft
2009-10-15 16:12 . 2009-10-15 16:12 -------- d-----w- c:\documents and settings\My Name\Application Data\Windows Desktop Search
2009-10-15 16:11 . 2009-10-16 08:11 -------- d-----w- c:\program files\Windows Desktop Search
2009-10-15 16:11 . 2009-10-15 16:11 -------- d-----w- c:\windows\system32\GroupPolicy
2009-10-15 16:10 . 2008-03-07 17:02 29696 ------w- c:\windows\system32\dllcache\mimefilt.dll
2009-10-15 16:10 . 2008-03-07 17:02 98304 ------w- c:\windows\system32\dllcache\nlhtml.dll
2009-10-15 16:10 . 2008-03-07 17:02 192000 ------w- c:\windows\system32\dllcache\offfilt.dll
2009-10-15 09:25 . 2009-10-15 09:25 -------- d-----w- C:\temp
2009-10-15 09:24 . 2001-08-17 11:19 36992 ----a-w- c:\windows\system32\dllcache\aztw2320.sys
2009-10-15 09:22 . 2001-08-17 12:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-10-15 09:22 . 2001-08-17 11:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-10-15 09:22 . 2001-08-17 13:07 56960 ----a-w- c:\windows\system32\dllcache\aic78xx.sys
2009-10-15 09:22 . 2001-08-17 13:07 55168 ----a-w- c:\windows\system32\dllcache\aic78u2.sys
2009-10-15 09:22 . 2001-08-17 12:52 12800 ----a-w- c:\windows\system32\dllcache\aha154x.sys
2009-10-15 09:20 . 2001-08-17 13:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-10-13 15:29 . 2009-10-13 15:29 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-13 14:26 . 2009-08-29 08:08 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-10-13 14:26 . 2009-08-29 08:08 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-13 09:12 . 2009-10-13 09:12 -------- d-sh--w- c:\documents and settings\My Name\IECompatCache
2009-10-13 09:11 . 2009-10-13 09:11 -------- d-sh--w- c:\documents and settings\My Name\PrivacIE
2009-10-13 09:07 . 2009-10-13 09:07 -------- d-sh--w- c:\documents and settings\My Name\IETldCache
2009-10-13 09:05 . 2009-10-13 14:43 -------- d-----w- c:\windows\ie8updates
2009-10-13 09:04 . 2009-08-07 08:48 100352 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-10-13 09:01 . 2009-10-13 09:04 -------- dc-h--w- c:\windows\ie8
2009-10-08 20:19 . 2009-10-08 20:19 -------- d-----w- c:\documents and settings\My Name\Application Data\Elluminate
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 19:29 . 2006-02-19 20:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-31 18:58 . 2006-02-19 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-27 21:14 . 2008-01-25 13:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-27 21:14 . 2008-01-25 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-27 21:07 . 2008-01-25 12:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-27 11:13 . 2006-08-14 12:08 119224 -c--a-w- c:\documents and settings\My Name\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-25 13:08 . 2009-05-19 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 08:55 . 2006-02-19 19:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-21 08:54 . 2006-12-07 21:08 -------- d-----w- c:\program files\TreeDraw
2009-10-16 00:58 . 2006-02-19 20:23 -------- d-----w- c:\program files\Microsoft Works
2009-10-12 09:23 . 2007-07-08 14:42 -------- d-----w- c:\program files\Sony
2009-10-12 09:23 . 2007-07-08 14:41 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-10-07 09:57 . 2009-05-12 08:57 -------- d-----w- c:\program files\SPICERlinkweb Ireland V2.0
2009-09-11 14:18 . 2004-08-04 08:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 07:19 . 2008-08-06 20:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-06 15:27 . 2009-09-06 15:27 -------- d-----w- c:\documents and settings\My Name\Application Data\Roxio
2009-09-06 15:18 . 2009-09-06 15:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-09-06 15:17 . 2009-09-06 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-09-06 15:04 . 2009-09-06 15:04 -------- d-----w- c:\program files\Roxio
2009-09-06 15:04 . 2009-09-06 15:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-09-04 21:03 . 2004-08-04 08:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 08:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 18:24 . 2004-08-04 08:00 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 18:24 . 2004-08-04 08:00 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 18:24 . 2005-05-26 03:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 18:24 . 2004-08-04 08:00 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 18:24 . 2004-08-04 08:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 18:24 . 2004-08-04 08:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 18:23 . 2004-08-04 08:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 18:23 . 2006-12-20 13:20 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 18:23 . 2005-05-26 04:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 18:23 . 2004-08-04 08:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 19:44 . 2004-08-04 08:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 08:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2003-08-27 13:19 . 2009-09-06 15:18 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2006-09-15 10:58 . 2006-09-15 10:58 22 -csha-w- c:\windows\SMINST\HPCD.sys
2007-06-28 11:49 . 1602-07-12 21:55 1031 -csh--w- c:\windows\system\ws32ntfg.dat
2002-04-16 09:27 . 2002-04-16 09:27 5 -csha-w- c:\windows\system32\CdI5T.drv
.
------- Sigcheck -------
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[-] 2009-10-27 . 0EFEB8CC84A425F1872707E637030354 . 993792 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-12 2000112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 116072]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin 802.11g Wireless Card Utility.lnk - c:\program files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe [2006-6-15 630872]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^My Name^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\My Name\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/10/2009 21:24 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/10/2009 21:24 74480]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [15/10/2009 17:11 54752]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 10:38 92008]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [30/03/2009 15:28 1533808]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [15/06/2006 18:16 17149]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [23/10/2007 08:35 112688]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [22/08/2005 09:06 231424]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/10/2009 21:24 7408]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
S3 grmn0200;grmn0200.Sys Garmin USB DCP driver (install);c:\windows\system32\drivers\grmn0200.sys [02/11/2007 20:10 23208]
S3 grmn1200;grmn0200.Sys Garmin USB DCP driver;c:\windows\system32\drivers\grmn1200.sys [02/11/2007 20:10 17448]
S3 NTPASp50;NTPASp50 NDIS Protocol Driver;c:\windows\system32\drivers\NtpaSp50.sys [03/02/2007 12:10 17536]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - COMHOST
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://g.msn.ie/0SEENIE/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {E35DB90B-3ABB-407E-B6DA-F4B1F698467E} = 159.134.237.6,159.134.248.17
DPF: ibb_cust - hxxps://ibusinessbanking1.aib.ie/ibb_cust.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file:///E:/SuperCD/IntraLaunch.CAB
FF - ProfilePath - c:\documents and settings\My Name\Application Data\Mozilla\Firefox\Profiles\uo0ag0k4.default\
FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
AddRemove-Adobe Digital Editions - c:\documents and settings\My Name\application data\macromedia\flash player\http://www.macromedia.com\bin\digita...ditions1x5.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-31 19:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(820)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2800)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-10-31 19:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-31 19:36
Pre-Run: 27,019,079,680 bytes free
Post-Run: 27,030,872,064 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - BCDC1C90BC8D035D47C0C1C74DEC5767
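The GMER section of this thread lists every user-mode inline hook (".text ... 5 Bytes JMP ...") and every attached device filter found on the machine, and the analyst reads it by eye: which module owns the JMP target, who signed it, and whether it sits on a network or input path. The following Python script is an added example, not part of the original thread and not GMER's or ComboFix's own code. It parses lines in exactly the format shown above, groups hooked exports by the hooking module, and flags hooks whose module carries no version information, whose publisher is outside a caller-supplied allowlist, or which redirect a Winsock export to a module outside system32. The sample log is constructed: the first two hook lines and both AttachedDevice lines are copied from the log above, while the `unknown_hook.dll` line is an invented placeholder with no version info, there only to exercise the no-publisher branch. The allowlist and the set of network exports are assumptions of the example. A flag means "inspect", not "malicious": the SeaNote.dll hooks in the real log are identified by their own version info as the Microsoft Search Enhancement Pack.

```python
"""Triage helper for GMER user-mode hook and AttachedDevice log lines (added example)."""
import re
from collections import defaultdict

# Inline hook line, e.g.
# .text C:\...\IEXPLORE.EXE[3888] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\...\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<export>[^\s!]+![^\s]+)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+)\s+Bytes\s+(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})\s+"
    r"(?P<module>.+?)(?:\s+\((?P<info>[^()]*)\))?\s*$"
)

# Device filter line, e.g.
# AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)"
    r"(?:\s+\((?P<info>[^()]*)\))?\s*$"
)

# Winsock exports whose redirection to a third-party module deserves a look (assumption).
NETWORK_EXPORTS = {"ws2_32.dll!send", "ws2_32.dll!recv", "ws2_32.dll!connect",
                   "ws2_32.dll!WSASend", "ws2_32.dll!WSARecv"}

# Constructed sample: lines 1-2 and 4-5 are taken from the GMER log in this thread;
# line 3 is an invented placeholder with no version info.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3888] ws2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[2800] ws2_32.dll!recv 71AB676F 5 Bytes JMP 10001A2B C:\WINDOWS\system32\unknown_hook.dll
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
"""


def company_of(info):
    """GMER prints '(Description/Company)'; the company is the part after the last slash."""
    return info.rsplit("/", 1)[-1].strip() if info else None


def parse_gmer(text):
    """Return (hooks, devices): one dict per recognised line, other lines ignored."""
    hooks, devices = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["company"] = company_of(d["info"])
            hooks.append(d)
            continue
        m = DEVICE_RE.match(line)
        if m:
            d = m.groupdict()
            d["company"] = company_of(d["info"])
            devices.append(d)
    return hooks, devices


def hooks_by_module(hooks):
    """Group hooked exports by the module that owns the JMP target."""
    grouped = defaultdict(set)
    for h in hooks:
        grouped[h["module"]].add(h["export"])
    return dict(grouped)


def flag_hooks(hooks, trusted_companies):
    """Return [(hook, [reasons])] for hooks that deserve manual inspection."""
    flagged = []
    for h in hooks:
        reasons = []
        if not h["info"]:
            reasons.append("no version info on hooking module")
        elif h["company"] not in trusted_companies:
            reasons.append("publisher not in allowlist: " + h["company"])
        if h["export"] in NETWORK_EXPORTS and "\\windows\\system32\\" not in h["module"].lower():
            reasons.append("network API redirected outside system32")
        if reasons:
            flagged.append((h, reasons))
    return flagged


if __name__ == "__main__":
    hooks, devices = parse_gmer(SAMPLE_LOG)
    for module, exports in hooks_by_module(hooks).items():
        print(module, "->", ", ".join(sorted(exports)))
    for h, reasons in flag_hooks(hooks, {"Microsoft Corporation"}):
        print("INSPECT", h["process"], h["export"], "->", h["module"], "|", "; ".join(reasons))
    for d in devices:
        print("FILTER", d["device"], d["file"], d["company"])
```

Run it against a saved GMER log by replacing `SAMPLE_LOG` with the file contents; the grouping makes it obvious when one DLL owns dozens of hooks across several processes, and the AttachedDevice list shows which drivers sit between the TCP/IP stack (or the keyboard class driver) and the rest of the system, which is where a network filter or keylogger would also attach.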
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.