Hijack log - Whitesmoke trojan/malware

Discussion in 'Virus & Other Malware Removal' started by ohiobowtech, Jan 13, 2011.

    ohiobowtech (Thread Starter)
    Joined: Jan 13, 2011
    Messages: 14

    Hello...I have the Whitesmoke trojan/malware. Thanks for the help!!!!!

    Hijack log
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:37:53 PM, on 1/13/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: C:\WINDOWS\system32\gyy2vn.dll - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
    O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
    O4 - HKLM\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
    O4 - HKLM\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKLM\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
    O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
    O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe
    O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
    O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
    O4 - HKLM\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
    O4 - HKLM\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
    O4 - HKLM\..\Run: [Gruyaq] rundll32.exe "C:\WINDOWS\uvosodamapesepe.dll",Startup
    O4 - HKLM\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
    O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKLM\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
    O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
    O4 - HKLM\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
    O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
    O4 - HKCU\..\Run: [gionnovn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ssmmxvwrn\hjjojjvusbs.exe
    O4 - HKCU\..\Run: [Wyoqiquyiwifapoy] rundll32.exe "C:\WINDOWS\rherat.dll",Startup
    O4 - HKCU\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
    O4 - HKCU\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
    O4 - HKCU\..\Run: [rfjpkegn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\luvlyixey\hyavubfusbs.exe
    O4 - HKCU\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKCU\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
    O4 - HKCU\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
    O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
    O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
    O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
    O4 - HKCU\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
    O4 - HKCU\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
    O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
    O4 - HKCU\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
    O4 - HKCU\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
    O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKCU\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
    O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
    O4 - HKCU\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
    O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Launch Whitesmoke Translator.lnk = C:\Program Files\Whitesmoke Translator\WSTrayDictMode.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O20 - Winlogon Notify: mpstreg - mpstreg.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

    --
    End of file - 12885 bytes

    DDS log

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by HP_Administrator at 16:48:25.42 on Thu 01/13/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.643 [GMT -5:00]

    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\ehome\mcrdsvc.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:8075
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
    uRun: [gionnovn] c:\docume~1\hp_adm~1\locals~1\temp\ssmmxvwrn\hjjojjvusbs.exe
    uRun: [Wyoqiquyiwifapoy] rundll32.exe "c:\windows\rherat.dll",Startup
    uRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
    uRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
    uRun: [rfjpkegn] c:\docume~1\hp_adm~1\locals~1\temp\luvlyixey\hyavubfusbs.exe
    uRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    uRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
    uRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
    uRun: [MKfre] c:\windows\wininst.exe
    uRun: [MKdw+] c:\windows\nvsvc32.exe
    uRun: [MKZe] c:\windows\avp.exe
    uRun: [MKaZ] c:\windows\cmd.exe
    uRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
    uRun: [MKetc] c:\windows\sysedit.exe
    uRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    uRun: [MKfPc] c:\windows\win32.exe
    uRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
    uRun: [MKevc] c:\windows\setup.exe
    uRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
    uRun: [MKerb] c:\windows\taskmgr.exe
    uRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
    uRun: [MKcrc] c:\windows\login.exe
    uRun: [MKcrc] c:\windows\login.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
    mRun: [DISCover] c:\program files\disc\DISCover.exe
    mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
    mRun: [PCDrProfiler]
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
    mRun: [<NO NAME>]
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
    mRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
    mRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    mRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
    mRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
    mRun: [MKfre] c:\windows\wininst.exe
    mRun: [MKdw+] c:\windows\nvsvc32.exe
    mRun: [MKZe] c:\windows\avp.exe
    mRun: [MKaZ] c:\windows\cmd.exe
    mRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
    mRun: [MKetc] c:\windows\sysedit.exe
    mRun: [Gruyaq] rundll32.exe "c:\windows\uvosodamapesepe.dll",Startup
    mRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
    mRun: [MKfPc] c:\windows\win32.exe
    mRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
    mRun: [MKevc] c:\windows\setup.exe
    mRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
    mRun: [MKerb] c:\windows\taskmgr.exe
    mRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
    mRun: [MKcrc] c:\windows\login.exe
    dRun: [Ÿ]
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    uPolicies-explorer: NoFolderOptions = 1 (0x1)
    uPolicies-system: DisableRegistryTools = 1 (0x1)
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: trymedia.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: mpstreg - mpstreg.dll
    STS: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-16 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-18 308136]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-12-23 468768]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

    =============== Created Last 30 ================

    2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
    2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
    2011-01-13 20:54:11 3017 ----a-w- c:\windows\iwivupil.dll
    2011-01-13 20:44:16 3017 ----a-w- c:\windows\avupidura.dll
    2011-01-13 20:39:31 3017 ----a-w- c:\windows\asoqeluwe.dll
    2011-01-12 22:31:24 3017 ----a-w- c:\windows\ohojivuluyetof.dll
    2011-01-12 22:00:42 3017 ----a-w- c:\windows\adufovav.dll
    2011-01-12 21:56:39 3017 ----a-w- c:\windows\uhacalolacihir.dll
    2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
    2011-01-12 21:37:55 3017 ----a-w- c:\windows\uwoyutezezuq.dll
    2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
    2011-01-12 21:19:44 3017 ----a-w- c:\windows\edoleriw.dll
    2011-01-12 15:07:28 3017 ----a-w- c:\windows\apejuger.dll
    2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
    2011-01-12 13:00:14 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
    2011-01-12 12:58:36 -------- d-----w- c:\program files\Yontoo Layers Client
    2011-01-12 12:58:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
    2011-01-12 12:58:29 30000 ----a-w- c:\windows\system32\uk82if6.dll
    2010-12-27 16:00:08 -------- d-----w- c:\program files\iPod
    2010-12-27 16:00:02 -------- d-----w- c:\program files\iTunes
    2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
    2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
    2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\drivers\avc.sys
    2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
    2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\drivers\61883.sys
    2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
    2010-12-15 12:36:15 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2010-12-15 12:35:37 45568 ------w- c:\windows\system32\dllcache\wab.exe

    ==================== Find3M ====================

    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 16:50:56.75 ===============

    GMER log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-13 18:29:26
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP2504C rev.VT100-38
    Running: b7s52e9n.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text C:\WINDOWS\Explorer.EXE[124] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\WINDOWS\Explorer.EXE[124] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\WINDOWS\Explorer.EXE[124] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text C:\WINDOWS\Explorer.EXE[124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\ehome\ehtray.exe[292] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\ehome\ehtray.exe[292] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\ehome\ehtray.exe[292] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\ehome\ehtray.exe[292] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\ctfmon.exe[540] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\ctfmon.exe[540] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\ctfmon.exe[540] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\ctfmon.exe[540] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\ctfmon.exe[540] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\winlogon.exe[696] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\winlogon.exe[696] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\winlogon.exe[696] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\system32\winlogon.exe[696] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\winlogon.exe[696] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\winlogon.exe[696] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\lsass.exe[752] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\lsass.exe[752] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\lsass.exe[752] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\lsass.exe[752] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\lsass.exe[752] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\lsass.exe[752] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\svchost.exe[944] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\svchost.exe[944] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\svchost.exe[944] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\svchost.exe[944] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\svchost.exe[1004] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\svchost.exe[1004] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\svchost.exe[1004] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\svchost.exe[1004] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\svchost.exe[1004] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\System32\svchost.exe[1096] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\System32\svchost.exe[1096] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\System32\svchost.exe[1096] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\System32\svchost.exe[1096] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text C:\WINDOWS\system32\rundll32.exe[1140] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text C:\WINDOWS\system32\rundll32.exe[1140] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\WINDOWS\system32\rundll32.exe[1140] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\WINDOWS\system32\rundll32.exe[1140] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
    .text C:\WINDOWS\system32\rundll32.exe[1140] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text C:\WINDOWS\system32\rundll32.exe[1140] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
    .text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\svchost.exe[1196] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\svchost.exe[1196] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\svchost.exe[1196] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\svchost.exe[1196] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\svchost.exe[1196] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\svchost.exe[1196] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\svchost.exe[1240] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\svchost.exe[1240] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\svchost.exe[1240] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\svchost.exe[1240] WS2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\svchost.exe[1240] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\svchost.exe[1240] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\Program Files\AVG\AVG9\avgchsvx.exe[1424] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\Program Files\AVG\AVG9\avgrsx.exe[1432] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\system32\spoolsv.exe[1600] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\system32\spoolsv.exe[1600] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\system32\spoolsv.exe[1600] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\system32\spoolsv.exe[1600] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\system32\spoolsv.exe[1600] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\system32\spoolsv.exe[1600] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\Program Files\AVG\AVG9\avgcsrvx.exe[1616] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1788] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text K:\b7s52e9n.exe[2780] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text K:\b7s52e9n.exe[2780] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text K:\b7s52e9n.exe[2780] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text K:\b7s52e9n.exe[2780] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text K:\b7s52e9n.exe[2780] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text K:\b7s52e9n.exe[2780] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
    .text K:\b7s52e9n.exe[2780] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
    .text K:\b7s52e9n.exe[2780] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text K:\b7s52e9n.exe[2780] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
    .text K:\b7s52e9n.exe[2780] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
    .text K:\b7s52e9n.exe[2780] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
    .text K:\b7s52e9n.exe[2780] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text K:\b7s52e9n.exe[2780] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text K:\b7s52e9n.exe[2780] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
    .text K:\b7s52e9n.exe[2780] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text K:\b7s52e9n.exe[2780] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text K:\b7s52e9n.exe[2780] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text K:\b7s52e9n.exe[2780] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text K:\b7s52e9n.exe[2780] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3108] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
    .text C:\WINDOWS\eHome\ehmsas.exe[4340] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe[5628] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
    .text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
    .text C:\WINDOWS\system32\notepad.exe[5916] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
    .text C:\WINDOWS\system32\notepad.exe[5916] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 0EA12660
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 0EA11E10
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 0EA0F540
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 0EA0F2D0
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
    .text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
    .text C:\WINDOWS\system32\notepad.exe[5916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
    .text C:\WINDOWS\system32\notepad.exe[5916] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] 0xE2 0x63 0x26 0xF1 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] 0x6A 0x9C 0xD6 0x61 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] 0x25 0xDA 0xEC 0x7E ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] 0x3E 0x1E 0x9E 0xE0 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] 0xF5 0x1D 0x4D 0x73 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] 0xB0 0x18 0xED 0xA7 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] 0x97 0x20 0x4E 0x9A ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] 0xAA 0x52 0xC6 0x00 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] 0x51 0xFA 0x6E 0x91 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] 0x3D 0xCE 0xEA 0x26 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] 0xF8 0x31 0x0F 0xA9 ...
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] C:\WINDOWS\system32\OLE32.DLL
    Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] 0xFA 0xEA 0x66 0x7F ...
    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\[email protected] C:\usxxxxxxxx.exe\usxxxxxxxx.exe

    ---- Files - GMER 1.0.15 ----

    File C:\usxxxxxxxx.exe 0 bytes
    File C:\usxxxxxxxx.exe\config.bin 140940 bytes
    File C:\usxxxxxxxx.exe\usxxxxxxxx.exe 526566 bytes executable

    ---- EOF - GMER 1.0.15 ----
     


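    The GMER "user code sections" quoted above show the same set of inline hooks (5-byte JMPs out of ntdll, wininet, ws2_32, ADVAPI32 and Crypt32) planted in every process on the box. The triage script below is an added example written for this thread, not a tool from the original post or from GMER: it parses that line format, groups hooks by process, maps each hooked API to a behaviour family (the family table is this example's own assumption), and reports when all hooks in a process jump into one small address region, which is what a single injected payload looks like. The sample input is a constructed subset of the lines quoted above.

```python
"""Added example: triage of GMER user-mode inline hook lines (not part of the thread)."""
import re
from collections import defaultdict

# Which hooked API belongs to which behaviour family. This table is an
# assumption made for the example, not something GMER itself reports.
HOOK_FAMILIES = {
    "hiding":    {"NtEnumerateValueKey", "NtQueryDirectoryFile"},   # filter registry/file listings
    "injection": {"NtResumeThread", "LdrLoadDll", "NtVdmControl"},  # follow into new processes/DLLs
    "crypto":    {"CryptEncrypt", "PFXImportCertStore"},            # see plaintext, read certificates
    "input":     {"TranslateMessage"},                              # keystroke capture
}
NETWORK_MODULES = {"wininet.dll", "ws2_32.dll"}

# One GMER hook line: ".text <process>[pid] <module>!<function> <addr> 5 Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[\w.]+)!(?P<fn>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: a subset of the lines quoted in the thread above.
SAMPLE_GMER = r"""
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text C:\WINDOWS\system32\notepad.exe[5916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text C:\WINDOWS\system32\notepad.exe[5916] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text C:\WINDOWS\system32\notepad.exe[5916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\WINDOWS\system32\notepad.exe[5916] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\eHome\ehmsas.exe[4340] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
"""


def classify(module, func):
    """Map a hooked export to a behaviour family; 'other' if we have no opinion."""
    for family, names in HOOK_FAMILIES.items():
        if func in names:
            return family
    if module.lower() in NETWORK_MODULES:
        return "network"
    return "other"


def parse_gmer_hooks(text):
    """Return one dict per hook line; lines in any other format are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "process": m["proc"], "pid": int(m["pid"]),
            "module": m["mod"], "function": m["fn"],
            "address": int(m["addr"], 16), "target": int(m["target"], 16),
            "family": classify(m["mod"], m["fn"]),
        })
    return hooks


def summarize(hooks, cluster=1 << 20):
    """Per process: hooked families, hook count, and whether every JMP target
    lies within `cluster` bytes (default 1 MiB) of the others."""
    by_pid = defaultdict(list)
    for h in hooks:
        by_pid[h["pid"]].append(h)
    summary = {}
    for pid, hs in by_pid.items():
        targets = [h["target"] for h in hs]
        span = max(targets) - min(targets)
        summary[pid] = {
            "process": hs[0]["process"],
            "families": {h["family"] for h in hs},
            "hook_count": len(hs),
            "target_span": span,
            "single_region": span <= cluster,
        }
    return summary


def findings(summary):
    """Human-readable triage lines, one per notable condition per process."""
    out = []
    for pid, s in sorted(summary.items()):
        tag = f"{s['process']}[{pid}]"
        if s["hook_count"] > 1 and s["single_region"]:
            out.append(f"{tag}: {s['hook_count']} hooks all jump into one region "
                       f"(span 0x{s['target_span']:X}), consistent with a single injected payload")
        if {"crypto", "network"} <= s["families"]:
            out.append(f"{tag}: crypto and network APIs hooked together; the payload can read "
                       f"request bodies before they are encrypted (man-in-the-browser pattern)")
    return out


if __name__ == "__main__":
    for line in findings(summarize(parse_gmer_hooks(SAMPLE_GMER))):
        print(line)
```

    Two things the full log above makes visible once grouped this way: the JMP targets share a base per process (0EA0xxxx in notepad.exe and HijackThis.exe, 04FDxxxx in the HP and eHome processes), so the same payload is mapped at the same address in several processes, and the hooks on NtEnumerateValueKey and NtQueryDirectoryFile explain why the autorun entries and files survive casual inspection from inside the infected session.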
  2. ohiobowtech

    ohiobowtech Thread Starter

    Joined:
    Jan 13, 2011
    Messages:
    14
    Bumperooo
     
  3. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya ohiobowtech,

    I'm kevinf80 and I will be helping with any malware issues you may have with your system.
    • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
    • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
    • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
    • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
    • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

    Proceed as follows please :-

    Step 1

    Please re-open HiJackThis and scan only.
    Check the boxes next to all the entries listed below. Make sure you only check what I've listed.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
    O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
    O4 - HKLM\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
    O4 - HKLM\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKLM\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
    O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
    O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe
    O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
    O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
    O4 - HKLM\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
    O4 - HKLM\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
    O4 - HKLM\..\Run: [Gruyaq] rundll32.exe "C:\WINDOWS\uvosodamapesepe.dll",Startup
    O4 - HKLM\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
    O4 - HKLM\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
    O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKLM\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
    O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
    O4 - HKLM\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
    O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe
    O4 - HKCU\..\Run: [gionnovn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ssmmxvwrn\hjjojjvusbs.exe
    O4 - HKCU\..\Run: [Wyoqiquyiwifapoy] rundll32.exe "C:\WINDOWS\rherat.dll",Startup
    O4 - HKCU\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
    O4 - HKCU\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
    O4 - HKCU\..\Run: [rfjpkegn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\luvlyixey\hyavubfusbs.exe
    O4 - HKCU\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKCU\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
    O4 - HKCU\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
    O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
    O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
    O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
    O4 - HKCU\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
    O4 - HKCU\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
    O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
    O4 - HKCU\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
    O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
    O4 - HKCU\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
    O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
    O4 - HKCU\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
    O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
    O4 - HKCU\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
    O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O20 - Winlogon Notify: mpstreg - mpstreg.dll (file missing)
    O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked.
    Close HiJackThis.
    Reboot.

    Step 2

    Please download OTM by OldTimer.
    Alternative Mirror
    Save it to your desktop.
    Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator
    • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      -------------------------------------------------------------------

      :Files
      ipconfig /flushdns /c
      C:\WINDOWS\system32\uk82if6.dll
      C:\WINDOWS\wininst.exe
      C:\WINDOWS\nvsvc32.exe
      C:\WINDOWS\avp.exe
      C:\WINDOWS\cmd.exe
      C:\WINDOWS\uvosodamapesepe.dll
      C:\WINDOWS\win32.exe
      C:\WINDOWS\setup.exe
      C:\WINDOWS\taskmgr.exe
      C:\WINDOWS\login.exe
      C:\WINDOWS\rherat.dll
      C:\WINDOWS\system32\uk82if6.dll
      :Commands
      [EmptyTemp]
      [EmptyFlash]
      [Purity]
      [ResetHosts]

      ---------------------------------------------------------------------
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red MoveIt! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Step 3

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alternative D/L mirror
    Alternative D/L mirror

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Step 4

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    What I'd like in your reply :-

    • Log from OTM
    • Log from Malwarebytes
    • Log from Security Check
    • Fresh set of DDS logs

    Kevin
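    The O4 list in Step 1 was picked out by hand, but the pattern behind it is mechanical: executables launched from a Temp directory, Windows binary names (cmd.exe, taskmgr.exe, lsass.exe) sitting outside system32, rundll32 loading unknown DLLs, value names that look generated, and the same entry planted under both HKLM and HKCU. The script below is an added example, not a tool from kevinf80 or from HijackThis: it parses HijackThis O4 lines and applies those checks. The SYSTEM32_ONLY set is this example's own assumption, and the sample input mixes lines quoted in Step 1 with two constructed benign HP entries that should not be flagged.

```python
"""Added example: triage of HijackThis O4 autorun entries (not part of the thread)."""
import re
from collections import defaultdict

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.+)$"
)
# First executable path in a command line, quoted or not (spaces allowed).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|scr|com|bat))"?', re.IGNORECASE)

# Binaries that a stock XP install keeps only in %SystemRoot%\system32.
# Assumption for this example; extend as needed.
SYSTEM32_ONLY = {"cmd.exe", "taskmgr.exe", "lsass.exe", "csrss.exe",
                 "services.exe", "smss.exe", "winlogon.exe", "svchost.exe"}

# Constructed sample: six lines quoted in Step 1 plus two benign entries
# made up for the example (hpsysdrv and HP Software Update).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKLM\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKCU\..\Run: [Wyoqiquyiwifapoy] rundll32.exe "C:\WINDOWS\rherat.dll",Startup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
"""


def parse_o4(text):
    """Return one dict per O4 line with the hive, value name, image path and loader."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].strip()
        if cmd.lower().startswith("rundll32.exe "):
            loader = "rundll32"
            # rundll32 <dll>,<export>: the DLL is what actually runs
            path = cmd[len("rundll32.exe "):].split(",", 1)[0].strip().strip('"')
        else:
            loader = None
            em = EXE_RE.match(cmd)
            path = em["path"] if em else cmd.split(" ", 1)[0]
        entries.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                        "path": path, "loader": loader})
    return entries


def triage(entries):
    """Apply the heuristics and return only the entries that trip at least one."""
    by_key = defaultdict(set)
    for e in entries:
        by_key[(e["name"], e["path"].lower())].add(e["hive"])
    report = []
    for e in entries:
        p = e["path"].lower()
        directory, _, base = p.rpartition("\\")
        reasons = []
        if "\\temp\\" in p:
            reasons.append("runs from a Temp directory")
        if base in SYSTEM32_ONLY and not directory.endswith("\\system32"):
            reasons.append(f"{base} outside system32 (name squatting on a Windows binary)")
        if e["loader"] == "rundll32":
            reasons.append("loaded through rundll32; check the DLL's publisher and signature")
        if len(e["name"]) > 40 or "(" in e["name"]:
            reasons.append("autorun value name looks machine-generated")
        if {"HKLM", "HKCU"} <= by_key[(e["name"], p)]:
            reasons.append("same entry registered under both HKLM and HKCU")
        if reasons:
            report.append({"hive": e["hive"], "name": e["name"],
                           "path": e["path"], "reasons": reasons})
    return report


if __name__ == "__main__":
    for r in triage(parse_o4(SAMPLE_HJT)):
        print(f"{r['hive']} [{r['name']}] {r['path']}")
        for reason in r["reasons"]:
            print(f"    - {reason}")
```

    The rules are deliberately conservative: a stock HP autorun under Program Files passes, while every line kevinf80 asked to be fixed trips at least one. The rundll32 rule only asks for review because a DLL in system32 with a legitimate vendor can look identical on the O4 line; the other four rules are strong enough on their own to act on.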
     
  4. ohiobowtech

    ohiobowtech Thread Starter

    Joined:
    Jan 13, 2011
    Messages:
    14
    Hey Kevin.....thanks a lot for helping me out.

    I am a huge football fan, although Sunderland is not one of my favorite teams. (hate to say it but I am a Fulham fan).

    Thanks again for the help!!!!


    OTM log

    All processes killed
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    K:\cmd.bat deleted successfully.
    K:\cmd.txt deleted successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\uk82if6.dll
    C:\WINDOWS\system32\uk82if6.dll moved successfully.
    File/Folder C:\WINDOWS\wininst.exe not found.
    File/Folder C:\WINDOWS\nvsvc32.exe not found.
    File/Folder C:\WINDOWS\avp.exe not found.
    File/Folder C:\WINDOWS\cmd.exe not found.
    DllUnregisterServer procedure not found in C:\WINDOWS\uvosodamapesepe.dll
    C:\WINDOWS\uvosodamapesepe.dll moved successfully.
    File/Folder C:\WINDOWS\win32.exe not found.
    File/Folder C:\WINDOWS\setup.exe not found.
    File/Folder C:\WINDOWS\taskmgr.exe not found.
    File/Folder C:\WINDOWS\login.exe not found.
    DllUnregisterServer procedure not found in C:\WINDOWS\rherat.dll
    C:\WINDOWS\rherat.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\uk82if6.dll
    C:\WINDOWS\system32\uk82if6.dll moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 31254 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->FireFox cache emptied: 4433930 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 31242 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: HP_Administrator
    ->Temp folder emptied: 918901756 bytes
    ->Temporary Internet Files folder emptied: 5370063 bytes
    ->Java cache emptied: 2812885 bytes
    ->FireFox cache emptied: 62825580 bytes
    ->Flash cache emptied: 3508233 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 36891414 bytes
    ->Flash cache emptied: 42164 bytes

    User: NetworkService
    ->Temp folder emptied: 66016 bytes
    ->Temporary Internet Files folder emptied: 14311807 bytes
    ->Java cache emptied: 18756 bytes
    ->Flash cache emptied: 14283 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 203889 bytes
    %systemroot%\System32 .tmp files removed: 307729 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 56010935 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 26560610 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 51915938 bytes

    Total Files Cleaned = 1,130.00 mb

    C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    OTM by OldTimer - Version 3.1.17.2 log created on 01162011_164059

    Files moved on Reboot...
    C:\WINDOWS\temp\Perflib_Perfdata_f8c.dat moved successfully.

    Registry entries deleted on Reboot...



    MALWARE BYTES LOG

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5533

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/16/2011 5:17:29 PM
    mbam-log-2011-01-16 (17-17-29).txt

    Scan type: Quick scan
    Objects scanned: 160110
    Time elapsed: 5 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 9
    Registry Data Items Infected: 2
    Folders Infected: 2
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\uk82if6.dll (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2B220C1-A503-59BD-F413-01B53A2C8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2B220C1-A503-59BD-F413-01B53A2C8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\yr87fk3d2dnszapq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uPc+MV0NdNaGuo (Trojan.FakeAlert) -> Value: uPc+MV0NdNaGuo -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uPc+MV0NdNaGuo (Trojan.FakeAlert) -> Value: uPc+MV0NdNaGuo -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gruyaq (Adware.Agent) -> Value: Gruyaq -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usxxxxxxxx.exe (Spyware.Passwords) -> Value: usxxxxxxxx.exe -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usxxxxxxxx.exe (Spyware.Passwords) -> Value: usxxxxxxxx.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wyoqiquyiwifapoy (Trojan.TDSS) -> Value: Wyoqiquyiwifapoy -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Value: WINID -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Value: idstrf -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    c:\usxxxxxxxx.exe (Trojan.SpyEye) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

    Files Infected:
    c:\WINDOWS\system32\uk82if6.dll (Trojan.FakeAlert) -> Delete on reboot.
    c:\WINDOWS\uvosodamapesepe.dll (Adware.Agent) -> Quarantined and deleted successfully.
    c:\usxxxxxxxx.exe\usxxxxxxxx.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
    c:\WINDOWS\rherat.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
    c:\documents and settings\hp_administrator\my documents\downloads\IWON(2).exe (Adware.Iwon) -> Quarantined and deleted successfully.
    c:\documents and settings\hp_administrator\my documents\downloads\IWON(3).exe (Adware.Iwon) -> Quarantined and deleted successfully.
    c:\documents and settings\hp_administrator\my documents\downloads\IWON.exe (Adware.Iwon) -> Quarantined and deleted successfully.
    c:\documents and settings\hp_administrator\my documents\downloads\retrogamer(2).exe (Adware.Iwon) -> Quarantined and deleted successfully.
    c:\documents and settings\hp_administrator\my documents\downloads\retrogamer.exe (Adware.Iwon) -> Quarantined and deleted successfully.
    c:\usxxxxxxxx.exe\config.bin (Trojan.SpyEye) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
    c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.


    SECURITY CHECK LOG
    Results of screen317's Security Check version 0.99.8
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    AVG Free 9.0
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 21
    Out of date Java installed!
    Adobe Flash Player 10.0.45.2
    Adobe Reader 7.0
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVG avgwdsvc.exe
    AVG avgtray.exe
    AVG avgrsx.exe
    AVG avgnsx.exe
    AVG avgemc.exe
    ``````````End of Log````````````



    DDS LOG

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by HP_Administrator at 19:21:53.07 on Sun 01/16/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.333 [GMT -5:00]

    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\DISC\DISCover.exe
    C:\Program Files\DISC\DiscUpdateMgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DISC\DiscGui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\TechSmith\Jing\Jing.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgupd.exe
    C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
    mRun: [DISCover] c:\program files\disc\DISCover.exe
    mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
    mRun: [PCDrProfiler]
    mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
    mRun: [<NO NAME>]
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: trymedia.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: avgrsstarter - avgrsstx.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-16 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-16 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-16 243024]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-18 308136]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-12-23 468768]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

    =============== Created Last 30 ================

    2011-01-16 22:09:27 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
    2011-01-16 22:09:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-16 22:09:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-16 22:09:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-16 22:09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-16 21:23:26 3017 ----a-w- c:\windows\opivesazuyufom.dll
    2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
    2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
    2011-01-13 20:54:11 3017 ----a-w- c:\windows\iwivupil.dll
    2011-01-13 20:44:16 3017 ----a-w- c:\windows\avupidura.dll
    2011-01-13 20:39:31 3017 ----a-w- c:\windows\asoqeluwe.dll
    2011-01-12 22:31:24 3017 ----a-w- c:\windows\ohojivuluyetof.dll
    2011-01-12 22:00:42 3017 ----a-w- c:\windows\adufovav.dll
    2011-01-12 21:56:39 3017 ----a-w- c:\windows\uhacalolacihir.dll
    2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
    2011-01-12 21:37:55 3017 ----a-w- c:\windows\uwoyutezezuq.dll
    2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
    2011-01-12 21:19:44 3017 ----a-w- c:\windows\edoleriw.dll
    2011-01-12 15:07:28 3017 ----a-w- c:\windows\apejuger.dll
    2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
    2011-01-12 13:00:14 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
    2011-01-12 12:58:36 -------- d-----w- c:\program files\Yontoo Layers Client
    2011-01-12 12:58:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
    2010-12-27 16:00:08 -------- d-----w- c:\program files\iPod
    2010-12-27 16:00:02 -------- d-----w- c:\program files\iTunes
    2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
    2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
    2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\drivers\avc.sys
    2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
    2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\drivers\61883.sys
    2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

    ==================== Find3M ====================

    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    ============= FINISH: 19:22:54.93 ===============
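    The DDS log above shows two things a triager should notice without reading every line: ten 3017-byte DLLs with random-looking names written straight into c:\windows over four days, and a directory literally named %APPDATA% under system32. As an added example (not part of this thread, and not DDS or ComboFix code), the Python below parses the "Created Last 30" section and flags those patterns; the sample lines are copied from the log above, and the heuristics and the cluster threshold are the editor's assumptions, not rules from either tool.

```python
# Added example: triage the 'Created Last 30' section of a DDS log.
# Not DDS/ComboFix code; sample lines copied from the thread's log above,
# heuristics and the cluster threshold are the editor's assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# One DDS line: date, time, size (dashes for a directory), an 8-character
# attribute field such as ----a-w- or d-----w-, then the path.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-dashrw]{8})\s+(?P<path>.+)$"
)
WINDOWS_ROOT = r"c:\windows"
MIN_CLUSTER = 3  # assumed: 3+ same-size files in one directory = a dropper

# Constructed sample: a subset of the DDS log lines posted in this thread.
SAMPLE_LOG = r"""
2011-01-16 22:09:27 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2011-01-16 22:09:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-16 21:23:26 3017 ----a-w- c:\windows\opivesazuyufom.dll
2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
2011-01-13 20:54:11 3017 ----a-w- c:\windows\iwivupil.dll
2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
2011-01-12 12:58:36 -------- d-----w- c:\program files\Yontoo Layers Client
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
"""

@dataclass(frozen=True)
class Entry:
    date: str
    size: Optional[int]  # None for directories
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

def parse_dds(text):
    """Entries of a DDS 'Created Last 30' listing; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["date"], size, m["attrs"], m["path"]))
    return entries

def size_clusters(entries, min_count=MIN_CLUSTER):
    """Group files by (parent dir, extension, exact size). Several files
    sharing all three but each with a different random-looking name is one
    dropper rewriting its payload; normal updates rarely look like that."""
    groups = defaultdict(list)
    for e in entries:
        if e.is_dir or e.size is None:
            continue
        name = e.path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        groups[(e.parent, ext, e.size)].append(e)
    return {k: v for k, v in groups.items() if len(v) >= min_count}

def triage(entries):
    """Map each suspicious path to the reasons it was flagged."""
    findings = defaultdict(list)
    for (parent, ext, size), members in size_clusters(entries).items():
        for e in members:
            findings[e.path].append(
                f"one of {len(members)} .{ext} files of exactly {size} bytes in {parent}")
    for e in entries:
        # A literal %VAR% in a path: the installer wrote to the unexpanded
        # variable name instead of the profile, a bug or a hiding spot.
        if re.search(r"%[A-Za-z_]+%", e.path):
            findings[e.path].append("unexpanded environment variable in path")
        # Files dropped straight into the Windows root (not a subdirectory)
        # are unusual for legitimate software on XP.
        if not e.is_dir and e.parent == WINDOWS_ROOT:
            findings[e.path].append("file created directly in the Windows root")
    return dict(findings)

if __name__ == "__main__":
    for path, reasons in triage(parse_dds(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

    The ComboFix "Files Created" section uses a different two-timestamp line format and is deliberately not parsed here.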
     
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya ohiobowtech,

    Fulham, struggling a bit just now. I like your new(ish) manager Mark Hughes; it'll be interesting to see how long he lasts. You must have some great derby games...

    There is still a lot of malware on your system, let's try a bigger stick. Proceed as follows please :-

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don't forget Combofix must be saved to your desktop. <--Very important

    Before saving Combofix to your Desktop, rename it to Gotcha.exe as below:

    Ensure you have disabled your Firewall and all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection

    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the log in your reply,

    Kevin..
     
  6. ohiobowtech

    ohiobowtech Thread Starter

    Joined:
    Jan 13, 2011
    Messages:
    14
    Hello Kevin,
    Thanks for the quick reply. I really started to get bummed about Fulham when Brian McBride (the American) left. He was a huge favorite .... even of the Brits. Might have to find another team if they get relegated. Great game between the U.S. and England this summer.....we really blew the rest of the tournament, though.
    Thanks!



    Here is the ComboFix log:

    ComboFix 11-01-16.04 - HP_Administrator 01/17/2011 8:58.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.390 [GMT -5:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\Gotcha.exe.exe
    AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\chrome.manifest
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\chrome\content\_cfg.js
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\chrome\content\overlay.xul
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\install.rdf
    c:\documents and settings\HP_Administrator\Recent\North Carolina three skills test.pdf
    c:\windows\adufovav.dll
    c:\windows\apejuger.dll
    c:\windows\asoqeluwe.dll
    c:\windows\avupidura.dll
    c:\windows\edoleriw.dll
    c:\windows\icihubimudutibo.dll
    c:\windows\iwivupil.dll
    c:\windows\ocihigafekutege.dll
    c:\windows\ohojivuluyetof.dll
    c:\windows\opivesazuyufom.dll
    c:\windows\system32\mpstreg.dll
    c:\windows\system32\ps2.bat
    c:\windows\uhacalolacihir.dll
    c:\windows\uwoyutezezuq.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
    .

    2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-16 22:09 . 2011-01-17 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-12 22:56 . 2011-01-12 22:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
    2011-01-12 22:54 . 2011-01-12 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2011-01-12 22:52 . 2011-01-12 22:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2011-01-12 21:21 . 2011-01-12 21:21 -------- d-----w- c:\windows\system32\%APPDATA%
    2011-01-12 13:00 . 2011-01-16 21:22 0 ----a-w- c:\windows\Xpepupewad.bin
    2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\program files\Yontoo Layers Client
    2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
    2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iPod
    2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iTunes
    2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
    2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
    2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\drivers\avc.sys
    2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
    2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\drivers\61883.sys
    2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
    "DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
    "DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
    Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-23 27136]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
    "c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/23/2005 5:25 PM 468768]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    Trusted Zone: trymedia.com
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-PCDrProfiler - (no file)
    Notify-avgrsstarter - avgrsstx.dll
    AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-17 09:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(676)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2011-01-17 09:03:58
    ComboFix-quarantined-files.txt 2011-01-17 14:03

    Pre-Run: 13,827,125,248 bytes free
    Post-Run: 13,822,537,728 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 97E1A070A2305EC55232E93A9F520BF5
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya ohiobowtech,

    Yep, know what you mean, sometimes football just drives you crazy. Some great tributes to Brian McBride on YouTube, have a google for them. I don't think Fulham will go down, they're good enough to stay up...

    Proceed as follows please :-

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    KillAll::
    File::
    c:\windows\Xpepupewad.bin
    DirLook::
    c:\windows\system32\%APPDATA%
    DDS::
    Trusted Zone: trymedia.com
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    Reglock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [IMG] icon on your desktop.
    • Check [IMG]
    • Click the [IMG] button.
    • Accept any security warnings from your browser.
    • Check [IMG]
    • Leave the tick out of 'Remove found threats'
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [IMG]
    • Push [IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [IMG] button.
    • Push [IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions are available here. Please read them before running the scan.

    Also be aware this scan can take between one and several hours to complete depending on the size of your system.

    What I'd like in your reply :-

    • Log from Combofix
    • Log from ESET
    • System review, improvements? any remaining issues?

    Kevin
     
  8. ohiobowtech

    ohiobowtech Thread Starter

    Joined:
    Jan 13, 2011
    Messages:
    14
    Combo Fix Log

    ComboFix 11-01-16.04 - HP_Administrator 01/17/2011 15:36:37.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.497 [GMT -5:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\Gotcha.exe.exe
    Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt.txt
    AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\Xpepupewad.bin"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Xpepupewad.bin

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
    .

    2011-01-17 13:14 . 2011-01-17 13:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG9
    2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-16 22:09 . 2011-01-17 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-12 22:56 . 2011-01-12 22:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
    2011-01-12 22:54 . 2011-01-12 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2011-01-12 22:52 . 2011-01-12 22:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2011-01-12 21:21 . 2011-01-12 21:21 -------- d-----w- c:\windows\system32\%APPDATA%
    2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\program files\Yontoo Layers Client
    2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
    2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iPod
    2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iTunes
    2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
    2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
    2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\drivers\avc.sys
    2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
    2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\drivers\61883.sys
    2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\windows\system32\%APPDATA% ----

    2011-01-12 21:21 . 2011-01-12 21:21 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log
    2011-01-12 21:21 . 2010-06-14 15:06 165 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.iss
    2011-01-12 21:21 . 2010-07-07 09:45 31743 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr
    2011-01-12 21:21 . 2010-07-07 09:44 234304 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx
    2011-01-12 21:21 . 2009-06-10 11:57 550192 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ocx
    2011-01-12 21:21 . 2010-07-07 09:45 581440 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\ISSetup.dll
    2011-01-12 21:21 . 2009-05-21 12:53 21494 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\0x0409.ini
    2011-01-12 21:21 . 2010-06-14 15:32 152 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt
    2011-01-12 21:21 . 2010-07-07 09:45 473 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin
    2011-01-12 21:21 . 2010-07-07 09:45 807744 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
    2011-01-12 21:21 . 2010-07-07 09:44 1178 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ini
    2011-01-12 21:21 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab
    2011-01-12 21:21 . 2010-07-07 09:45 567840 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab


    ((((((((((((((((((((((((((((( SnapShot@2011-01-17_14.01.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-17 20:43 . 2011-01-17 20:43 16384 c:\windows\temp\Perflib_Perfdata_d24.dat
    + 2011-01-17 20:42 . 2011-01-17 20:42 16384 c:\windows\temp\Perflib_Perfdata_8d4.dat
    + 2011-01-17 20:42 . 2011-01-17 20:42 16384 c:\windows\temp\Perflib_Perfdata_444.dat
    + 2011-01-17 20:42 . 2011-01-17 20:42 49152 c:\windows\temp\CompiledAdapter.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
    "DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
    "DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
    Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-23 27136]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
    "c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/23/2005 5:25 PM 468768]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-17 15:43
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1176)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\eHome\ehmsas.exe
    c:\program files\DISC\DiscStreamHub.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-17 15:45:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-17 20:45
    ComboFix2.txt 2011-01-17 14:03

    Pre-Run: 13,800,304,640 bytes free
    Post-Run: 13,787,979,776 bytes free

    - - End Of File - - 483871808D42B71B753A79E8150760E3



    ESET log

    C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application
    C:\Qoobox\Quarantine\C\WINDOWS\adufovav.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\apejuger.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\asoqeluwe.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\avupidura.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\edoleriw.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\icihubimudutibo.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\iwivupil.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\ocihigafekutege.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\ohojivuluyetof.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\opivesazuyufom.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\uhacalolacihir.dll.vir Win32/Adware.SpywareProtect2009 application
    C:\Qoobox\Quarantine\C\WINDOWS\uwoyutezezuq.dll.vir Win32/Adware.SpywareProtect2009 application



    System report
    1. Seems to be running well. Whitesmoke is still my default homepage for Mozilla Firefox.
    2. Whitesmoke Translator shows up as a program that is still installed on my computer.

    Any suggestions for virus and malware/adware protection?

    Thanks Kevin!!!
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya ohiobowtech,

    Proceed as follows :-

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    KillAll::
    
    Folder::
    c:\windows\system32\%APPDATA%
    c:\program files\Whitesmoke Translator
    
    File::
    C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe
    
    Save this as CFScript.txt, in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    The easiest way to change the Home page in Firefox, open FF > open a new tab > add your favorite bookmark, eg Google > left click on that tab and hold the button down > drag the tab to the Home icon (top left of page) and drop it in. You will get an alert asking if you want that as your Home page, accept it.
    You can also open FF > Select > tools > options > general tab, change it there.

    Post the new log from Combofix, let me know if any issues remain. We should be able to clean up after this....

    Regarding Security - My set up is :-

    Windows own Firewall, Microsoft Security Essentials, Malwarebytes (paid for) $30 for lifetime license, also gives realtime protection and auto updates.

    Kevin
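The ComboFix log posted above carries the indicators that the CFScript in this reply acts on: a folder literally named %APPDATA% under system32 (an installer wrote to an unexpanded environment variable, so the WhiteSmokeSetup payload landed in a system directory), a startup shortcut whose target reports [N/A], a Run value given as a bare file name rather than a full path, and "EnableFirewall"= 0 in the standard profile. What follows is an added example, not code from this thread or from ComboFix: a triage script that scans ComboFix log lines for those patterns and drafts the Folder::/File:: sections of a CFScript from the definite hits. The sample lines are copied from the log above; the severity labels, and the choice to put only unexpanded-variable paths into the script (dangling shortcuts and bare Run values are reported for the analyst, not removed), are this example's own policy.

```python
"""Triage ComboFix log lines and draft a CFScript (added example, not ComboFix code).

The CFScript directives (KillAll::, Folder::, File::) are the ones used in the
reply above; the selection policy below is this example's own assumption.
"""
import re
from dataclasses import dataclass

# "2011-01-12 21:21 . 2011-01-12 21:21 -------- d-----w- c:\windows\system32\%APPDATA%"
LISTING_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>[a-z]:\\.+)$",
    re.I,
)
# "Launch Whitesmoke Translator.lnk - c:\...\WSTrayDictMode.exe [N/A]"
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<target>.+?) \[(?P<stamp>[^\]]*)\]$", re.I)
# "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<stamp>[^\]]*)\]$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
ENVVAR_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")   # literal, unexpanded %VAR%
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.I)


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    indicator: str
    line: str


def triage(log_text):
    """Return one Finding per suspicious log line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LISTING_RE.match(line)
        if m:
            if ENVVAR_RE.search(m.group("path")):
                kind = "folder" if m.group("attrs").startswith("d") else "file"
                findings.append(Finding("high", f"unexpanded environment variable in on-disk {kind} path", line))
            continue
        m = LNK_RE.match(line)
        if m:
            if m.group("stamp") == "N/A":   # ComboFix could not stat the shortcut's target
                findings.append(Finding("medium", "startup shortcut whose target no longer exists", line))
            continue
        m = RUN_RE.match(line)
        if m:
            if not ABS_PATH_RE.match(m.group("target")):   # resolved via the loader's search order
                findings.append(Finding("low", "Run value without an absolute path", line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("high", "Windows Firewall disabled in the standard profile", line))
    return findings


def build_cfscript(findings):
    """Draft a CFScript removing only the unexpanded-%VAR% paths (example policy)."""
    folders, files = [], []
    for f in findings:
        m = LISTING_RE.match(f.line)
        if not m or not ENVVAR_RE.search(m.group("path")):
            continue
        (folders if m.group("attrs").startswith("d") else files).append(m.group("path"))
    # A file inside a listed folder goes with the folder; do not list it twice.
    files = [p for p in files if not any(p.lower().startswith(d.lower() + "\\") for d in folders)]
    parts = ["KillAll::", ""]
    if folders:
        parts += ["Folder::", *folders, ""]
    if files:
        parts += ["File::", *files, ""]
    return "\n".join(parts)


# Lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
2011-01-12 21:21 . 2011-01-12 21:21 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-12 21:21 . 2010-07-07 09:45 807744 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
"EnableFirewall"= 0 (0x0)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.indicator}\n         {f.line}")
    print("\n--- draft CFScript.txt ---\n" + build_cfscript(found))
```

Run as a script it prints five findings from the sample (the %APPDATA% folder and the setup.exe inside it, the bare ARPWRMSG.EXE Run value, the dangling Whitesmoke shortcut and the disabled firewall) and a draft CFScript containing only the Folder:: entry for c:\windows\system32\%APPDATA%; the Whitesmoke Translator folder that the reply above also removes is left for the analyst to add, because a missing shortcut target alone does not prove the directory is unwanted.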
     
  10. ohiobowtech

    ohiobowtech Thread Starter

    Joined:
    Jan 13, 2011
    Messages:
    14
    Hello Kevin,

    Here is the ComboFix log:

    ComboFix 11-01-17.01 - HP_Administrator 01/17/2011 18:54:48.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.504 [GMT -5:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\Gotcha.exe.exe
    Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\documents and settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe
    C:\Gotcha.exe
    c:\gotcha.exe\pev.exe
    c:\windows\system32\%APPDATA%

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
    .

    2011-01-17 20:56 . 2011-01-17 20:56 -------- d-----w- c:\program files\ESET
    2011-01-17 13:14 . 2011-01-17 13:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG9
    2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
    2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-16 22:09 . 2011-01-17 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-12 22:56 . 2011-01-12 22:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
    2011-01-12 22:54 . 2011-01-12 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2011-01-12 22:52 . 2011-01-12 22:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\program files\Yontoo Layers Client
    2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
    2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iPod
    2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iTunes
    2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
    2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
    2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\drivers\avc.sys
    2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
    2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\drivers\61883.sys
    2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-18 18:12 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2011-01-17_14.01.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-18 00:01 . 2011-01-18 00:01 16384 c:\windows\temp\Perflib_Perfdata_f1c.dat
    + 2011-01-18 00:00 . 2011-01-18 00:00 16384 c:\windows\temp\Perflib_Perfdata_908.dat
    + 2011-01-18 00:00 . 2011-01-18 00:00 16384 c:\windows\temp\Perflib_Perfdata_638.dat
    + 2011-01-18 00:00 . 2011-01-18 00:00 49152 c:\windows\temp\CompiledAdapter.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
    "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
    "DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
    "DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
    Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
    "c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
    "c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/23/2005 5:25 PM 468768]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
    uInternet Settings,ProxyOverride = <local>
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-17 19:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(672)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(4060)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\arservice.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\eHome\ehRecvr.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\eHome\ehmsas.exe
    c:\program files\DISC\DiscStreamHub.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-17 19:03:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-18 00:03
    ComboFix2.txt 2011-01-17 20:45
    ComboFix3.txt 2011-01-17 14:03

    Pre-Run: 13,626,634,240 bytes free
    Post-Run: 13,617,491,968 bytes free

    - - End Of File - - 061DD1E64E54BC6F24F676DA0990F98C
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    How is the system now? Any issues? Did you change the Homepage on FF ok?
     
  12. ohiobowtech

    ohiobowtech Thread Starter

    Joined:
    Jan 13, 2011
    Messages:
    14
    Hi Kevin.....pulling a late one tonight, eh? Got the Jameson out? :)

    Watched a great game today.....Man. City vs. Wolves. 5+ goals!

    Everything seems good. Running ok. The only thing I see that it didn't use to do on start-up is that a black screen shows quickly with the options of the operating system to run, and it always chooses Windows XP Media Center Edition (which is fine).

    How do things look to you? Any idea where this came from?

    Cheers,
    Chad
     
  13. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya Chad,

    The black screen you refer to gives the option to boot your OS or the Recovery Console (we installed that); the default is to boot your OS. The Recovery Console is well worth keeping; it can be used for many different repairs should your system ever have problems.

    Been drinking Macallans, very nice single malt. Yep, it's nearly 1am for me, nearly sleepy time. I don't mind stopping up if I can complete a log; I also work logs at SpywareHammer and Dell Community Forum so have been busy there also. Calling time now... zzzzzzzz

    Proceed as follows to clean up :-

    Step 1

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Step 2

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click the OTC icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose run as administrator
    • Then click the big CleanUp! button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.

    Step 3

    Remove the ESET Online Scanner components from your computer, start the Add or Remove Programs applet via Start > Control Panel, select the ESET Online Scanner entry and click Remove. This will happen very quickly, only reboot if requested

    Whilst in Add/Remove Programs also remove :-

    Adobe Reader 7.0

    Step 4

    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
    For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
    The most current version of Sun Java is: Java Runtime Environment Version 6 Update 23.

    • Go to Sun Java
    • Select Windows 7/XP/Vista/2000/2003/2008
    • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
    • Reboot your computer

    Step 5

    Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

    Please go to the link below to update.

    Adobe Reader. Untick the optional Free McAfee® Security Scan Plus before downloading.

    Step 6

    Download and scan with CCleaner

    1. Use either one of the two free links below the Premium version.
    2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
    3. Then select the items you wish to clean up.

    In the Windows Tab:

    • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.


    In the Applications Tab:
    • Clean all except cookies in the Firefox/Mozilla section if you use it.
    • Clean all in the Opera section if you use it.
    • Clean Sun Java in the Internet Section.
    • Clean any others that you choose.

    4. Click the "Run Cleaner" button.
    5. A pop up box will appear advising this process will permanently delete files from your system.
    6. Click "OK" and it will scan and clean your system.
    7. Click "exit" when done.

    Let me know if the above steps completed OK, especially the Combofix /Uninstall command. If for any reason CF does not uninstall correctly, OTC will clean it up; you'll then have to manually flush the system restore cache and create a new restore point. Only do this if you do not get the Combofix uninstalled successfully alert:

    We now need to reset your system restore points and create a new clean one. To do this, "Turn off" System Restore > Left click Start > Right click My Computer > Left click Properties > Select System Restore tab > put a tick in the Turn off System Restore box > Apply > OK. To reverse, repeat the above but remove the tick from the Turn off System Restore box > Apply > OK.

    Create the new restore point > Start > all programs > accessories > system tools > system restore > create a restore point > In the Restore point description box give it a name for reference eg. Clean 1. The time and date are added automatically > then select create and follow the wizard out.

    Kevin
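Steps 4 and 5 above come down to one check: which installed runtimes are below a known-good version, and which older copies are still installed next to a newer one (older Java releases stay installed, and stay exploitable, after a newer one is added). The script below is an added example, not code from this thread: it classifies Add/Remove Programs display names, treats the Java 6 Update 23 named in the post as the Java minimum, and uses an assumed minimum of Adobe Reader 9.4 for the example. The inventory list is constructed for the example; on Windows the same names can be read from the HKLM Uninstall key, which the optional installed_programs() helper does.

```python
"""Flag outdated and superseded runtimes in an Add/Remove Programs inventory.

Added example, not code from the thread. Minimum versions: Java 6u23 is the
value named in the post above; the Adobe Reader value is an assumption.
"""
import re
import sys

MINIMUM = {
    "java": (6, 23),          # from the post: Java Runtime Environment 6 Update 23
    "adobe reader": (9, 4),   # assumption for this example
}

# "Java(TM) 6 Update 20", "J2SE Runtime Environment 5.0 Update 11"
JAVA_NAME_RE = re.compile(
    r"^(?:Java\(TM\)|J2SE Runtime Environment|Java).*?(\d+)(?:\.\d+)?\s+Update\s+(\d+)", re.I
)
# "Adobe Reader 7.0"
ADOBE_NAME_RE = re.compile(r"^Adobe Reader\s+(\d+)(?:\.(\d+))?", re.I)


def classify(display_name):
    """Return (product, (major, minor)) for products we police, else None."""
    m = JAVA_NAME_RE.match(display_name)
    if m:
        return "java", (int(m.group(1)), int(m.group(2)))
    m = ADOBE_NAME_RE.match(display_name)
    if m:
        return "adobe reader", (int(m.group(1)), int(m.group(2) or 0))
    return None


def audit(display_names):
    """Map each policed entry to 'current', 'update' or 'remove'.

    'remove': an older copy sits alongside a newer one of the same product
              (uninstall it; it is still on disk and still reachable).
    'update': the newest installed copy is below MINIMUM.
    """
    by_product = {}
    for name in display_names:
        hit = classify(name)
        if hit:
            by_product.setdefault(hit[0], []).append((hit[1], name))
    verdicts = {}
    for product, entries in by_product.items():
        newest = max(version for version, _ in entries)
        for version, name in entries:
            if version < newest:
                verdicts[name] = "remove"
            elif version < MINIMUM[product]:
                verdicts[name] = "update"
            else:
                verdicts[name] = "current"
    return verdicts


def installed_programs():
    """DisplayName of every entry under the HKLM Uninstall key (Windows only)."""
    import winreg
    names = []
    key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                continue   # subkey without a DisplayName value
    return names


# Constructed inventory for this example (not the poster's actual program list).
SAMPLE_INVENTORY = [
    "Java(TM) 6 Update 20",
    "J2SE Runtime Environment 5.0 Update 11",
    "Adobe Reader 7.0",
    "Malwarebytes' Anti-Malware",
]

if __name__ == "__main__":
    names = installed_programs() if sys.platform == "win32" else SAMPLE_INVENTORY
    for name, verdict in sorted(audit(names).items()):
        print(f"{verdict:8} {name}")
```

On the constructed inventory the verdicts are: update Java(TM) 6 Update 20 (below 6u23), remove J2SE Runtime Environment 5.0 Update 11 (an older release still installed beside Java 6) and update Adobe Reader 7.0; the unpoliced Malwarebytes entry is ignored.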
     
  14. ohiobowtech

    ohiobowtech Thread Starter

    Joined:
    Jan 13, 2011
    Messages:
    14
    Good Evening Kevin,

    I did everything you asked, including the new system restore point.

    Thanks so much for your help....you made everything so easy to understand.

    Your help is very much appreciated! I cannot thank you enough.

    Karma is definitely on your side!

    Much respect and thanks!
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya Chad,

    Thank you for the kind words, replies like yours make it all worthwhile. Here are some tips to reduce the potential for malware infection in the future:

    Make proper use of your antivirus and firewall

    Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates, then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

    You should keep your antivirus and firewall guard enabled at all times; NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

    Install and use WinPatrol. This will inform you of any attempted unauthorized changes to your system.

    WinPatrol features explained Here

    You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option "Enable thorough system inspection". Just below the "Scan Options:" section, you'll see the status of what's currently processing. When the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

    Use a safer web browser

    Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

    Firefox,

    Opera, and

    Chrome.

    All of these are excellent: faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE, which will help you to make IE MUCH safer.

    These browser add-ons will help to make your browser safer:

    Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

    Available for Firefox and Internet Explorer.

    Green to go,
    Yellow for caution, and
    Red to stop.

    NoScript

    Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

    These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

    Here are a couple of links by two security experts that will give some excellent tips and advice.

    So how did I get infected in the first place by Tony Klein

    How to prevent Malware by Miekiemoes

    Finally, this link HERE will give a comprehensive, up-to-date list of free security programs, to include antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.

    Let me know if you have any remaining issues or questions; if not, hit the Mark Solved tab at the top of the thread.

    Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

    It's been a pleasure working with you,

    take care,

    Kevin
     
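The "outdated programs" check from the post, done locally, as an added example that is not from Kevin's post or from Secunia: it reads the same registry keys that Programs and Features uses and lists every installed program with its version, flagging the products that browser exploit kits have historically targeted so their versions can be compared with the vendor's current release. It assumes Windows 7 or later with PowerShell 3.0+; the watch list is an illustrative assumption, not Secunia's database, and the script does not itself know which versions are current.

```powershell
# Added example, not from the original thread: inventory installed software for a
# version audit. Assumes Windows 7+ and PowerShell 3.0 or later; no elevation needed.

# Per-machine (64- and 32-bit views) and per-user uninstall entries. The WOW6432Node key
# is absent on 32-bit Windows, which -ErrorAction SilentlyContinue tolerates.
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |                      # skip patch/update stubs with no name
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique

# Products frequently abused through the browser around the time of this thread
# (illustrative assumption; extend to suit the machine being checked).
$watchList = @("Java", "Adobe Reader", "Acrobat", "Flash", "Shockwave",
               "QuickTime", "Firefox", "Chrome", "Opera")

$flagged = $installed | Where-Object {
    $name = $_.DisplayName
    # true if any watch-list term appears in the display name
    ($watchList | Where-Object { $name -like "*$_*" }).Count -gt 0
}

Write-Host "Installed programs found: $($installed.Count)"
Write-Host "`nWatch-list programs (compare DisplayVersion with the vendor's current release):"
$flagged | Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize

# Keep a dated copy of the full inventory so the next scan can be diffed against it.
$out = Join-Path $env:USERPROFILE ("installed-software-{0:yyyyMMdd}.csv" -f (Get-Date))
$installed | Export-Csv -Path $out -NoTypeInformation
Write-Host "`nFull inventory written to $out"
```

Two things the registry view will not show: per-user installs of Chrome or Firefox that register only under HKCU of another account, and portable copies that never registered at all. Those are exactly the installs that update checks tend to miss, so the CSV is a starting point for the comparison, not proof that everything is current.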
Short URL to this thread: https://techguy.org/974546