Hijack log - Whitesmoke trojan/malware

ohiobowtech (Thread Starter) - Joined Jan 13, 2011 - Messages: 14
Hello...I have the Whitesmoke trojan/malware. Thanks for the help!!!!!

Hijack log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:37:53 PM, on 1/13/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: C:\WINDOWS\system32\gyy2vn.dll - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKLM\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
O4 - HKLM\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKLM\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKLM\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKLM\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKLM\..\Run: [Gruyaq] rundll32.exe "C:\WINDOWS\uvosodamapesepe.dll",Startup
O4 - HKLM\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKLM\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU\..\Run: [gionnovn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ssmmxvwrn\hjjojjvusbs.exe
O4 - HKCU\..\Run: [Wyoqiquyiwifapoy] rundll32.exe "C:\WINDOWS\rherat.dll",Startup
O4 - HKCU\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKCU\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
O4 - HKCU\..\Run: [rfjpkegn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\luvlyixey\hyavubfusbs.exe
O4 - HKCU\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKCU\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKCU\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launch Whitesmoke Translator.lnk = C:\Program Files\Whitesmoke Translator\WSTrayDictMode.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: mpstreg - mpstreg.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

--
End of file - 12885 bytes
DDS log

DDS (Ver_10-12-12.02) - NTFSx86
Run by HP_Administrator at 16:48:25.42 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.643 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DISC\DiscStreamHub.exe
C:\Documents and Settings\HP_Administrator\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:8075
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
uRun: [gionnovn] c:\docume~1\hp_adm~1\locals~1\temp\ssmmxvwrn\hjjojjvusbs.exe
uRun: [Wyoqiquyiwifapoy] rundll32.exe "c:\windows\rherat.dll",Startup
uRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
uRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
uRun: [rfjpkegn] c:\docume~1\hp_adm~1\locals~1\temp\luvlyixey\hyavubfusbs.exe
uRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
uRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
uRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
uRun: [MKfre] c:\windows\wininst.exe
uRun: [MKdw+] c:\windows\nvsvc32.exe
uRun: [MKZe] c:\windows\avp.exe
uRun: [MKaZ] c:\windows\cmd.exe
uRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
uRun: [MKetc] c:\windows\sysedit.exe
uRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
uRun: [MKfPc] c:\windows\win32.exe
uRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
uRun: [MKevc] c:\windows\setup.exe
uRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
uRun: [MKerb] c:\windows\taskmgr.exe
uRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
uRun: [MKcrc] c:\windows\login.exe
uRun: [MKcrc] c:\windows\login.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [uPc+MV0NdNaGuo] rundll32.exe c:\windows\system32\uk82if6.dll, SystemServer
mRun: [HNUOQOXRotgc] c:\docume~1\hp_adm~1\locals~1\temp\gitqfus5e.exe
mRun: [HNUOQOXRota] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
mRun: [HNUOQOXRprc] c:\docume~1\hp_adm~1\locals~1\temp\login.exe
mRun: [HNUOQOXRpuc] c:\docume~1\hp_adm~1\locals~1\temp\lsass.exe
mRun: [MKfre] c:\windows\wininst.exe
mRun: [MKdw+] c:\windows\nvsvc32.exe
mRun: [MKZe] c:\windows\avp.exe
mRun: [MKaZ] c:\windows\cmd.exe
mRun: [HNUOQOXRrrb] c:\docume~1\hp_adm~1\locals~1\temp\taskmgr.exe
mRun: [MKetc] c:\windows\sysedit.exe
mRun: [Gruyaq] rundll32.exe "c:\windows\uvosodamapesepe.dll",Startup
mRun: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] c:\docume~1\hp_adm~1\locals~1\temp\install.exe
mRun: [MKfPc] c:\windows\win32.exe
mRun: [HNUOQOXRotc] c:\docume~1\hp_adm~1\locals~1\temp\hexdump.exe
mRun: [MKevc] c:\windows\setup.exe
mRun: [HNUOQOXRnoc] c:\docume~1\hp_adm~1\locals~1\temp\debug.exe
mRun: [MKerb] c:\windows\taskmgr.exe
mRun: [HNUOQOXRnsc] c:\docume~1\hp_adm~1\locals~1\temp\drweb.exe
mRun: [MKcrc] c:\windows\login.exe
dRun: [Ÿ]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: mpstreg - mpstreg.dll
STS: c:\windows\system32\gyy2vn.dll: {b2b220c1-a503-59bd-f413-01b53a2c8953} - c:\windows\system32\gyy2vn.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-16 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-18 308136]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-12-23 468768]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

=============== Created Last 30 ================

2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
2011-01-13 20:54:11 3017 ----a-w- c:\windows\iwivupil.dll
2011-01-13 20:44:16 3017 ----a-w- c:\windows\avupidura.dll
2011-01-13 20:39:31 3017 ----a-w- c:\windows\asoqeluwe.dll
2011-01-12 22:31:24 3017 ----a-w- c:\windows\ohojivuluyetof.dll
2011-01-12 22:00:42 3017 ----a-w- c:\windows\adufovav.dll
2011-01-12 21:56:39 3017 ----a-w- c:\windows\uhacalolacihir.dll
2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
2011-01-12 21:37:55 3017 ----a-w- c:\windows\uwoyutezezuq.dll
2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 21:19:44 3017 ----a-w- c:\windows\edoleriw.dll
2011-01-12 15:07:28 3017 ----a-w- c:\windows\apejuger.dll
2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
2011-01-12 13:00:14 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
2011-01-12 12:58:36 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-12 12:58:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2011-01-12 12:58:29 30000 ----a-w- c:\windows\system32\uk82if6.dll
2010-12-27 16:00:08 -------- d-----w- c:\program files\iPod
2010-12-27 16:00:02 -------- d-----w- c:\program files\iTunes
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2010-12-15 12:36:15 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 12:35:37 45568 ------w- c:\windows\system32\dllcache\wab.exe

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 16:50:56.75 ===============

GMER log

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-13 18:29:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SP2504C rev.VT100-38
Running: b7s52e9n.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kwxyafod.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 0EA091DE
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 0EA097DF
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 0EA09995
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 0EA09897
.text C:\WINDOWS\Explorer.EXE[124] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0EA034B1
.text C:\WINDOWS\Explorer.EXE[124] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 0EA06F36
.text C:\WINDOWS\Explorer.EXE[124] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 0EA05879
.text C:\WINDOWS\Explorer.EXE[124] CRYPT32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0EA12900
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text C:\WINDOWS\Explorer.EXE[124] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
.text C:\WINDOWS\Explorer.EXE[124] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\ehome\ehtray.exe[292] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 04FD34B1
.text C:\WINDOWS\ehome\ehtray.exe[292] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04FD5879
.text C:\WINDOWS\ehome\ehtray.exe[292] ADVAPI32.dll!CryptEncrypt 77DEE360 5 Bytes JMP 04FD6F36
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 04FE2660
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 04FE1E10
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 04FE2900
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetQueryDataAvailable 3D94BF83 5 Bytes JMP 04FDF540
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 04FDF2D0
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 04FDEF00
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 04FD7880
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 04FD7749
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 04FE27B0
.text C:\WINDOWS\ehome\ehtray.exe[292] WININET.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 04FD79B7
.text C:\WINDOWS\ehome\ehtray.exe[292] ws2_32.dll!send 71AB4C27 5 Bytes JMP 04FDE736
.text C:\WINDOWS\ehome\ehtray.exe[292] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 04FD23AF
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 04FD91DE
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 04FD97DF
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 04FD9995
.text C:\WINDOWS\system32\ctfmon.exe[540] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 04FD9897
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0EA0EF00
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0EA07880
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0EA07749
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 0EA127B0
.text C:\WINDOWS\system32\notepad.exe[5916] wininet.dll!InternetWriteFile 3D9A608E 5 Bytes JMP 0EA079B7
.text C:\WINDOWS\system32\notepad.exe[5916] ws2_32.dll!send 71AB4C27 5 Bytes JMP 0EA0E736
.text C:\WINDOWS\system32\notepad.exe[5916] Crypt32.dll!PFXImportCertStore 77AEFF8F 5 Bytes JMP 0EA023AF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] 0x97 0x20 0x4E 0x9A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] 0xF8 0x31 0x0F 0xA9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] 0xFA 0xEA 0x66 0x7F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\[email protected] C:\usxxxxxxxx.exe\usxxxxxxxx.exe

---- Files - GMER 1.0.15 ----

File C:\usxxxxxxxx.exe 0 bytes
File C:\usxxxxxxxx.exe\config.bin 140940 bytes
File C:\usxxxxxxxx.exe\usxxxxxxxx.exe 526566 bytes executable

---- EOF - GMER 1.0.15 ----
 


kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,441
Hiya ohiobowtech,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully; if there's something you don't understand or that will not work, please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable; with that in mind it is advisable to back up any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed; if you need more time, let me know. Likewise, if I do not respond within 48 hours, feel free to PM me.

Proceed as follows please :-

Step 1

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below. Make sure you only check what I've listed.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKLM\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
O4 - HKLM\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKLM\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKLM\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKLM\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKLM\..\Run: [Gruyaq] rundll32.exe "C:\WINDOWS\uvosodamapesepe.dll",Startup
O4 - HKLM\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
O4 - HKLM\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKLM\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
O4 - HKLM\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKLM\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
O4 - HKLM\..\Run: [MKcrc] C:\WINDOWS\login.exe
O4 - HKCU\..\Run: [gionnovn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ssmmxvwrn\hjjojjvusbs.exe
O4 - HKCU\..\Run: [Wyoqiquyiwifapoy] rundll32.exe "C:\WINDOWS\rherat.dll",Startup
O4 - HKCU\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKCU\..\Run: [HNUOQOXRotgc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\gitqfus5e.exe
O4 - HKCU\..\Run: [rfjpkegn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\luvlyixey\hyavubfusbs.exe
O4 - HKCU\..\Run: [HNUOQOXRota] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [HNUOQOXRprc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [MKfre] C:\WINDOWS\wininst.exe
O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKCU\..\Run: [HNUOQOXRrrb] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\taskmgr.exe
O4 - HKCU\..\Run: [MKetc] C:\WINDOWS\sysedit.exe
O4 - HKCU\..\Run: [HNUOQOXRota (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\install.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [HNUOQOXRotc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hexdump.exe
O4 - HKCU\..\Run: [MKevc] C:\WINDOWS\setup.exe
O4 - HKCU\..\Run: [HNUOQOXRnoc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [MKerb] C:\WINDOWS\taskmgr.exe
O4 - HKCU\..\Run: [HNUOQOXRnsc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\drweb.exe
O4 - HKCU\..\Run: [MKcrc] C:\WINDOWS\login.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O20 - Winlogon Notify: mpstreg - mpstreg.dll (file missing)
O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot.

Step 2

Please download OTM by OldTimer.
Alternative Mirror
Save it to your desktop.
Double click OTM.exe to start the tool. Vista or Windows 7 users right click and select Run as Administrator.
  • Copy the text between the dotted lines below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    -------------------------------------------------------------------

    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\system32\uk82if6.dll
    C:\WINDOWS\wininst.exe
    C:\WINDOWS\nvsvc32.exe
    C:\WINDOWS\avp.exe
    C:\WINDOWS\cmd.exe
    C:\WINDOWS\uvosodamapesepe.dll
    C:\WINDOWS\win32.exe
    C:\WINDOWS\setup.exe
    C:\WINDOWS\taskmgr.exe
    C:\WINDOWS\login.exe
    C:\WINDOWS\rherat.dll
    C:\WINDOWS\system32\uk82if6.dll
    :Commands
    [EmptyTemp]
    [EmptyFlash]
    [Purity]
    [ResetHosts]

    ---------------------------------------------------------------------
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 4

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like in your reply :-

  • Log from OTM
  • Log from Malwarebytes
  • Log from Security Check
  • Fresh set of DDS logs

Kevin
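A defender-side way to reach the same kind of shortlist as Step 1 above, as an added example that is not code from HijackThis, OTM, Malwarebytes or any participant in this thread. The heuristics, the lookalike-name list and the sample log lines are assumptions constructed from entries quoted in the log above (plus one benign control line), and the script only reads text; it changes nothing on the machine.

```python
"""Triage of HijackThis R1/O4 lines.  Added example for this thread, not part
of HijackThis, OTM, MBAM or any other tool named above; the heuristics and the
sample log below are constructed from the entries the helper listed in Step 1."""
import re
from dataclasses import dataclass, field
from typing import List

# Names malware borrows from Windows tools (cmd, taskmgr, lsass, debug, sysedit)
# or security products (avp = Kaspersky, drweb = Dr.Web).  The genuine files live
# in %SystemRoot%\system32 or under Program Files, never in the Windows root or a
# user's Temp folder.  Assumed list; extend it for your own environment.
LOOKALIKE_NAMES = {"cmd.exe", "taskmgr.exe", "lsass.exe", "debug.exe", "sysedit.exe",
                   "avp.exe", "drweb.exe", "setup.exe", "login.exe", "win32.exe",
                   "wininst.exe", "nvsvc32.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
R1_PROXY_RE = re.compile(r"^R1 - .*ProxyServer\s*=\s*(?P<proxy>\S+)")
RUNDLL_RE = re.compile(r'^\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.I)
EXE_RE = re.compile(r'^\s*"?(?P<exe>[^"]+?\.(?:exe|dll))"?', re.I)


@dataclass
class Finding:
    line: str
    severity: str                      # "high": act on it, "review": needs a human look
    reasons: List[str] = field(default_factory=list)


def target_path(cmd: str) -> str:
    """Return the file a Run value really executes: the DLL for rundll32 lines,
    otherwise the first .exe/.dll in the command (quotes stripped)."""
    m = RUNDLL_RE.match(cmd) or EXE_RE.match(cmd)
    return m.group(1).strip() if m else cmd.strip()


def assess_run_entry(cmd: str) -> Finding:
    """Score one O4 command line with location and naming heuristics."""
    path = target_path(cmd).lower()
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    high, review = [], []
    if "\\temp\\" in path or "\\locals~1\\" in path:
        high.append("runs from a user Temp directory")
    if name in LOOKALIKE_NAMES and not path.startswith("c:\\windows\\system32\\"):
        high.append(f"borrowed system/security-tool name '{name}' outside system32")
    if re.fullmatch(r"c:\\windows\\[^\\]+", path):
        review.append("file dropped directly in the Windows root")
    if len(stem) < 12 and re.search(r"[a-z]\d|\d[a-z]", stem):
        review.append(f"random-looking file name '{name}' (letters mixed with digits)")
    severity = "high" if high else ("review" if review else "clean")
    return Finding(cmd, severity, high + review)


def triage(log_lines: List[str]) -> List[Finding]:
    """Walk a HijackThis log and return every line worth acting on or reviewing."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            f = assess_run_entry(m.group("cmd"))
            if f.severity != "clean":
                findings.append(Finding(line, f.severity, f.reasons))
            continue
        m = R1_PROXY_RE.match(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group("proxy")):
            findings.append(Finding(line, "high", [
                "browser proxy points at a loopback port: a local process sits "
                "between the browser and the network"]))
        elif "(file missing)" in line:
            findings.append(Finding(line, "review",
                                    ["orphaned entry; the referenced file is already gone"]))
    return findings


# Constructed sample: a handful of the lines from the log above plus one benign
# control entry (ctfmon) that the heuristics must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8075
O4 - HKLM\..\Run: [uPc+MV0NdNaGuo] rundll32.exe C:\WINDOWS\system32\uk82if6.dll, SystemServer
O4 - HKLM\..\Run: [HNUOQOXRpuc] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\lsass.exe
O4 - HKLM\..\Run: [MKaZ] C:\WINDOWS\cmd.exe
O4 - HKLM\..\Run: [Gruyaq] rundll32.exe "C:\WINDOWS\uvosodamapesepe.dll",Startup
O4 - HKCU\..\Run: [gionnovn] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\ssmmxvwrn\hjjojjvusbs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O22 - SharedTaskScheduler: iwuiahf87sfy8ushfijsjgfgf - {B2B220C1-A503-59BD-F413-01B53A2C8953} - C:\WINDOWS\system32\gyy2vn.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity:6}] {f.line}")
        for r in f.reasons:
            print(f"          - {r}")
```

The "review" tier is deliberately noisy (OEM autoruns such as hpqtra08.exe also mix letters and digits), so it is a reading order for a human, not a deletion list.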
 

ohiobowtech

Thread Starter
Joined
Jan 13, 2011
Messages
14
Hey Kevin.....thanks a lot for helping me out.

I am a huge football fan, although Sunderland is not one of my favorite teams. (hate to say it but I am a Fulham fan).

Thanks again for the help!!!!


OTM log

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
K:\cmd.bat deleted successfully.
K:\cmd.txt deleted successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\uk82if6.dll
C:\WINDOWS\system32\uk82if6.dll moved successfully.
File/Folder C:\WINDOWS\wininst.exe not found.
File/Folder C:\WINDOWS\nvsvc32.exe not found.
File/Folder C:\WINDOWS\avp.exe not found.
File/Folder C:\WINDOWS\cmd.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\uvosodamapesepe.dll
C:\WINDOWS\uvosodamapesepe.dll moved successfully.
File/Folder C:\WINDOWS\win32.exe not found.
File/Folder C:\WINDOWS\setup.exe not found.
File/Folder C:\WINDOWS\taskmgr.exe not found.
File/Folder C:\WINDOWS\login.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\rherat.dll
C:\WINDOWS\rherat.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\uk82if6.dll
C:\WINDOWS\system32\uk82if6.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 31254 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 4433930 bytes

User: All Users

User: Default User
->Temp folder emptied: 31242 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: HP_Administrator
->Temp folder emptied: 918901756 bytes
->Temporary Internet Files folder emptied: 5370063 bytes
->Java cache emptied: 2812885 bytes
->FireFox cache emptied: 62825580 bytes
->Flash cache emptied: 3508233 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 36891414 bytes
->Flash cache emptied: 42164 bytes

User: NetworkService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 14311807 bytes
->Java cache emptied: 18756 bytes
->Flash cache emptied: 14283 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 203889 bytes
%systemroot%\System32 .tmp files removed: 307729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 56010935 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 26560610 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 51915938 bytes

Total Files Cleaned = 1,130.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTM by OldTimer - Version 3.1.17.2 log created on 01162011_164059

Files moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_f8c.dat moved successfully.

Registry entries deleted on Reboot...



MALWARE BYTES LOG

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5533

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/16/2011 5:17:29 PM
mbam-log-2011-01-16 (17-17-29).txt

Scan type: Quick scan
Objects scanned: 160110
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 9
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\uk82if6.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B2B220C1-A503-59BD-F413-01B53A2C8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B2B220C1-A503-59BD-F413-01B53A2C8953} (Trojan.ErtFor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\yr87fk3d2dnszapq2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uPc+MV0NdNaGuo (Trojan.FakeAlert) -> Value: uPc+MV0NdNaGuo -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uPc+MV0NdNaGuo (Trojan.FakeAlert) -> Value: uPc+MV0NdNaGuo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gruyaq (Adware.Agent) -> Value: Gruyaq -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usxxxxxxxx.exe (Spyware.Passwords) -> Value: usxxxxxxxx.exe -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usxxxxxxxx.exe (Spyware.Passwords) -> Value: usxxxxxxxx.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wyoqiquyiwifapoy (Trojan.TDSS) -> Value: Wyoqiquyiwifapoy -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Value: WINID -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Value: idstrf -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\usxxxxxxxx.exe (Trojan.SpyEye) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\uk82if6.dll (Trojan.FakeAlert) -> Delete on reboot.
c:\WINDOWS\uvosodamapesepe.dll (Adware.Agent) -> Quarantined and deleted successfully.
c:\usxxxxxxxx.exe\usxxxxxxxx.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
c:\WINDOWS\rherat.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\my documents\downloads\IWON(2).exe (Adware.Iwon) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\my documents\downloads\IWON(3).exe (Adware.Iwon) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\my documents\downloads\IWON.exe (Adware.Iwon) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\my documents\downloads\retrogamer(2).exe (Adware.Iwon) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\my documents\downloads\retrogamer.exe (Adware.Iwon) -> Quarantined and deleted successfully.
c:\usxxxxxxxx.exe\config.bin (Trojan.SpyEye) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.


SECURITY CHECK LOG
Results of screen317's Security Check version 0.99.8
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 7.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.13)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````



DDS LOG

DDS (Ver_10-12-12.02) - NTFSx86
Run by HP_Administrator at 19:21:53.07 on Sun 01/16/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.333 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TechSmith\Jing\Jing.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgupd.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Jing] c:\program files\techsmith\jing\Jing.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-16 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-16 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-16 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-18 308136]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2005-12-23 468768]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

=============== Created Last 30 ================

2011-01-16 22:09:27 -------- d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2011-01-16 22:09:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-16 22:09:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-16 22:09:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-16 22:09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-16 21:23:26 3017 ----a-w- c:\windows\opivesazuyufom.dll
2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
2011-01-13 20:54:11 3017 ----a-w- c:\windows\iwivupil.dll
2011-01-13 20:44:16 3017 ----a-w- c:\windows\avupidura.dll
2011-01-13 20:39:31 3017 ----a-w- c:\windows\asoqeluwe.dll
2011-01-12 22:31:24 3017 ----a-w- c:\windows\ohojivuluyetof.dll
2011-01-12 22:00:42 3017 ----a-w- c:\windows\adufovav.dll
2011-01-12 21:56:39 3017 ----a-w- c:\windows\uhacalolacihir.dll
2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
2011-01-12 21:37:55 3017 ----a-w- c:\windows\uwoyutezezuq.dll
2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 21:19:44 3017 ----a-w- c:\windows\edoleriw.dll
2011-01-12 15:07:28 3017 ----a-w- c:\windows\apejuger.dll
2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
2011-01-12 13:00:14 -------- d-----w- c:\docume~1\hp_adm~1\locals~1\applic~1\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
2011-01-12 12:58:36 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-12 12:58:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tarma Installer
2010-12-27 16:00:08 -------- d-----w- c:\program files\iPod
2010-12-27 16:00:02 -------- d-----w- c:\program files\iTunes
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2010-12-20 21:16:41 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2010-12-20 21:16:36 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 19:22:54.93 ===============
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,441
Hiya ohiobowtech,

Fulham, struggling a bit just now. I like your new(ish) manager Mark Hughes, be interesting to see how long he lasts. You must have some great derby games......

There is still a lot of malware on your system, let's try a bigger stick. Proceed as follows please :-

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important

Before saving Combofix to your Desktop, re-name it to Gotcha.exe as below:

[image: ComboFix.exe renamed to Gotcha.exe]

Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in your reply,

Kevin..
 

ohiobowtech

Thread Starter
Joined
Jan 13, 2011
Messages
14
Hello Kevin,
Thanks for the quick reply. I really started to get bummed about Fulham when Brian McBride (the American) left. He was a huge favorite .... even of the Brits. Might have to find another team if they get relegated. Great game between the U.S. and England this summer.....we really blew the rest of the tournament, though.
Thanks!



Here is the ComboFix log:

ComboFix 11-01-16.04 - HP_Administrator 01/17/2011 8:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.390 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Gotcha.exe.exe
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\chrome.manifest
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\chrome\content\_cfg.js
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\chrome\content\overlay.xul
c:\documents and settings\HP_Administrator\Local Settings\Application Data\{67FF3FC2-3A62-49DC-BEE9-049D625A4D5E}\install.rdf
c:\documents and settings\HP_Administrator\Recent\North Carolina three skills test.pdf
c:\windows\adufovav.dll
c:\windows\apejuger.dll
c:\windows\asoqeluwe.dll
c:\windows\avupidura.dll
c:\windows\edoleriw.dll
c:\windows\icihubimudutibo.dll
c:\windows\iwivupil.dll
c:\windows\ocihigafekutege.dll
c:\windows\ohojivuluyetof.dll
c:\windows\opivesazuyufom.dll
c:\windows\system32\mpstreg.dll
c:\windows\system32\ps2.bat
c:\windows\uhacalolacihir.dll
c:\windows\uwoyutezezuq.dll

.
((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
.

2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-16 22:09 . 2011-01-17 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-12 22:56 . 2011-01-12 22:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2011-01-12 22:54 . 2011-01-12 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-01-12 22:52 . 2011-01-12 22:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-12 21:21 . 2011-01-12 21:21 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 13:00 . 2011-01-16 21:22 0 ----a-w- c:\windows\Xpepupewad.bin
2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iPod
2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iTunes
2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-23 27136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/23/2005 5:25 PM 468768]
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
Notify-avgrsstarter - avgrsstx.dll
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 09:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-01-17 09:03:58
ComboFix-quarantined-files.txt 2011-01-17 14:03

Pre-Run: 13,827,125,248 bytes free
Post-Run: 13,822,537,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 97E1A070A2305EC55232E93A9F520BF5
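The two logs in this thread carry the indicators Kevin is reacting to: the DDS "Created Last 30" block in the opening post shows a run of 3017-byte DLLs with random lowercase names dropped straight into c:\windows over several days plus a directory literally named %APPDATA% under system32, and the ComboFix log above shows the Windows Firewall standard profile with EnableFirewall = 0 next to an AV reported Disabled/Outdated. The Python below is an added example, not a tool from this thread or from the DDS/ComboFix authors; it encodes those checks so they can be run over a pasted log instead of read by eye. The line formats are taken from the logs as posted here, the sample input is a constructed subset of those same lines, and the three-file cluster threshold is an assumption.

```python
"""Triage helpers for DDS "Created Last 30" lines and a ComboFix log header."""
import re
from collections import defaultdict

# Constructed sample: a subset of the "Created Last 30" lines from the DDS log above.
DDS_CREATED = r"""
2011-01-16 22:09:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-16 21:23:26 3017 ----a-w- c:\windows\opivesazuyufom.dll
2011-01-13 21:34:13 3017 ----a-w- c:\windows\ocihigafekutege.dll
2011-01-13 20:58:45 3017 ----a-w- c:\windows\icihubimudutibo.dll
2011-01-12 21:39:38 10752 ----a-w- c:\windows\system32\mpstreg.dll
2011-01-12 21:21:39 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 13:00:15 0 ----a-w- c:\windows\Xpepupewad.bin
2010-12-20 21:16:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
"""

# Constructed sample: header and firewall-policy key from the ComboFix log above.
COMBOFIX_LOG = r"""
ComboFix 11-01-16.04 - HP_Administrator 01/17/2011 8:58.1.2 - x86
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# date time size attrs path; size is "--------" for directories.
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$")
# Letters-only stem of 6+ characters sitting directly in the Windows root.
WINDOWS_ROOT_FILE = re.compile(r"^c:\\windows\\[a-z]{6,}\.(dll|exe|bin)$", re.I)
# A %VAR% that was never expanded: the installer wrote the literal name to disk.
UNEXPANDED_VAR = re.compile(r"%[a-z_][a-z0-9_]*%", re.I)
FIREWALL_KEY = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\]$", re.I)
ENABLE_FIREWALL = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)', re.I)
AV_LINE = re.compile(r"^AV:\s*(.+?)\s*\*([^*]+)\*")


def parse_created(text):
    """Parse DDS 'Created Last 30' lines into dicts; any other line is skipped."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        when, size, attrs, path = m.groups()
        entries.append({"when": when, "path": path,
                        "size": None if size.startswith("-") else int(size),
                        "is_dir": attrs.startswith("d")})
    return entries


def same_size_clusters(entries, min_cluster=3):
    """Random-named files in the Windows root grouped by size; keep clusters.

    min_cluster=3 is an assumption: one odd DLL is noise, several of identical
    size dropped on different days looks like the same dropper re-running."""
    by_size = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and e["size"] is not None and WINDOWS_ROOT_FILE.match(e["path"]):
            by_size[e["size"]].append(e["path"])
    return {s: sorted(p) for s, p in by_size.items() if len(p) >= min_cluster}


def unexpanded_env_paths(entries):
    """Paths containing a literal %VAR% component."""
    return [e["path"] for e in entries if UNEXPANDED_VAR.search(e["path"])]


def firewall_profiles(text):
    """Map firewall profile name -> True when EnableFirewall is non-zero."""
    profiles, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = FIREWALL_KEY.match(line)
        if key:
            current = key.group(1).lower()
            continue
        if line.startswith("["):
            current = None  # some other registry key follows
            continue
        flag = ENABLE_FIREWALL.match(line)
        if flag and current:
            profiles[current] = int(flag.group(1)) != 0
    return profiles


def av_status(text):
    """Return (product, state) from the ComboFix 'AV:' header line, or None."""
    for line in text.splitlines():
        m = AV_LINE.match(line.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def triage(dds_text, combofix_text):
    entries = parse_created(dds_text)
    return {"same_size_clusters": same_size_clusters(entries),
            "unexpanded_env_paths": unexpanded_env_paths(entries),
            "firewall_enabled": firewall_profiles(combofix_text),
            "av": av_status(combofix_text)}


if __name__ == "__main__":
    for name, finding in triage(DDS_CREATED, COMBOFIX_LOG).items():
        print(f"{name}: {finding}")
```

Run against the samples it reports the 3017-byte trio, the %APPDATA% directory, standardprofile firewall off, and AVG Disabled/Outdated. Feed it a full pasted log instead of the samples and the same four functions apply unchanged; the Windows-root pattern deliberately ignores system32 and drivers so the Malwarebytes and Microsoft files in the log stay out of the cluster.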
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,441
Hiya ohiobowtech,

Yep know what you mean, sometimes football just drives you crazy. Some great tributes to Brian McBride on YouTube, have a google for them. I don't think Fulham will go down, they're good enough to stay up...

Proceed as follows please :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
KillAll::
File::
c:\windows\Xpepupewad.bin
DirLook::
c:\windows\system32\%APPDATA%
DDS::
Trusted Zone: trymedia.com
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Leave the tick out of remove found threats
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
You can refer to this animation by neomage if needed.
Frequently asked questions available Here Please read them before running the scan.

Also be aware this scan can take between one and several hours to complete depending on the size of your system.

What I'd like in your reply :-

  • Log from Combofix
  • Log from ESET
  • System review, improvements? any remaining issues?

Kevin
 

ohiobowtech

Thread Starter
Joined
Jan 13, 2011
Messages
14
Combo Fix Log

ComboFix 11-01-16.04 - HP_Administrator 01/17/2011 15:36:37.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.497 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Gotcha.exe.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\Xpepupewad.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Xpepupewad.bin

.
((((((((((((((((((((((((( Files Created from 2010-12-17 to 2011-01-17 )))))))))))))))))))))))))))))))
.

2011-01-17 13:14 . 2011-01-17 13:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG9
2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-16 22:09 . 2011-01-17 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-12 22:56 . 2011-01-12 22:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2011-01-12 22:54 . 2011-01-12 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-01-12 22:52 . 2011-01-12 22:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-12 21:21 . 2011-01-12 21:21 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iPod
2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iTunes
2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\%APPDATA% ----

2011-01-12 21:21 . 2011-01-12 21:21 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log
2011-01-12 21:21 . 2010-06-14 15:06 165 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.iss
2011-01-12 21:21 . 2010-07-07 09:45 31743 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr
2011-01-12 21:21 . 2010-07-07 09:44 234304 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx
2011-01-12 21:21 . 2009-06-10 11:57 550192 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ocx
2011-01-12 21:21 . 2010-07-07 09:45 581440 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\ISSetup.dll
2011-01-12 21:21 . 2009-05-21 12:53 21494 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\0x0409.ini
2011-01-12 21:21 . 2010-06-14 15:32 152 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt
2011-01-12 21:21 . 2010-07-07 09:45 473 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin
2011-01-12 21:21 . 2010-07-07 09:45 807744 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.exe
2011-01-12 21:21 . 2010-07-07 09:44 1178 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.ini
2011-01-12 21:21 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab
2011-01-12 21:21 . 2010-07-07 09:45 567840 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab


((((((((((((((((((((((((((((( SnapShot@2011-01-17_14.01.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-17 20:43 . 2011-01-17 20:43 16384 c:\windows\temp\Perflib_Perfdata_d24.dat
+ 2011-01-17 20:42 . 2011-01-17 20:42 16384 c:\windows\temp\Perflib_Perfdata_8d4.dat
+ 2011-01-17 20:42 . 2011-01-17 20:42 16384 c:\windows\temp\Perflib_Perfdata_444.dat
+ 2011-01-17 20:42 . 2011-01-17 20:42 49152 c:\windows\temp\CompiledAdapter.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-12-23 27136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/23/2005 5:25 PM 468768]
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 15:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscStreamHub.exe
.
**************************************************************************
.
Completion time: 2011-01-17 15:45:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-17 20:45
ComboFix2.txt 2011-01-17 14:03

Pre-Run: 13,800,304,640 bytes free
Post-Run: 13,787,979,776 bytes free

- - End Of File - - 483871808D42B71B753A79E8150760E3



ESET log

C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\C\WINDOWS\adufovav.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\apejuger.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\asoqeluwe.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\avupidura.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\edoleriw.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\icihubimudutibo.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\iwivupil.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\ocihigafekutege.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\ohojivuluyetof.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\opivesazuyufom.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\uhacalolacihir.dll.vir Win32/Adware.SpywareProtect2009 application
C:\Qoobox\Quarantine\C\WINDOWS\uwoyutezezuq.dll.vir Win32/Adware.SpywareProtect2009 application



System report
1. seems to be running well. Whitesmoke is still my default homepage for Mozilla Firefox.
2. Whitesmoke Translator shows up as a program that is still installed in my computer.

Any suggestions for virus and malware/adware protection?

Thanks Kevin!!!
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,441
Hiya ohiobowtech,

Proceed as follows :-

Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
KillAll::

Folder::
c:\windows\system32\%APPDATA%
c:\program files\Whitesmoke Translator

File::
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 2

The easiest way to change the Home page in Firefox: open FF > open a new tab > add your favourite bookmark, e.g. Google > left click on that tab and hold the button down > drag the tab to the Home icon (top left of page) and drop it in. You will get an alert asking if you want that as your Home page; accept it.
You can also open FF > select Tools > Options > General tab and change it there.

Post the new log from Combofix, let me know if any issues remain. We should be able to clean up after this....

Regarding security, my set-up is :-

Windows' own Firewall, Microsoft Security Essentials, and Malwarebytes (paid for, $30 for a lifetime licence; it also gives realtime protection and auto updates).

Kevin
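As an added example (not part of this thread, and not ComboFix's own code), the following Python reads a CFScript like the one in Step 1 and cross-checks it against the "Reg Loading Points" section of a ComboFix log: autostart entries whose target ComboFix reported as [N/A] (file not found), or whose target lives under a folder the script removes, are listed, which is how a helper spots a leftover entry such as "Launch Whitesmoke Translator.lnk". The sample lines are constructed from the logs posted above; parse_cfscript, parse_loading_points and flag_entries are this example's own names.

```python
import re

# Constructed sample lines modelled on the "Reg Loading Points" section of the
# ComboFix logs posted in this thread (names, paths and sizes taken from them).
SAMPLE_LINES = [
    r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]',
    r'"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]',
    r'"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]',
    "",
    "c:\\documents and settings\\All Users\\Start Menu\\Programs\\Startup\\",
    r"HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]",
    r"Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]",
    r"Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]",
]

# The CFScript from Step 1 of the thread, as the helper posted it.
CFSCRIPT = """KillAll::

Folder::
c:\\windows\\system32\\%APPDATA%
c:\\program files\\Whitesmoke Translator

File::
C:\\Documents and Settings\\HP_Administrator\\My Documents\\Downloads\\Setup_FreeConverter.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<meta>[^\]]*)\]$')
LNK_RE = re.compile(r"^(?P<name>.+?\.lnk) - (?P<path>.+?) \[(?P<meta>[^\]]*)\]$")


def parse_cfscript(text):
    """Split a CFScript into {directive: [lines]}; directives are lines ending in '::'."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_loading_points(lines):
    """Turn Run-key values and Startup-folder .lnk lines into autostart entries."""
    entries, location = [], None
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                          # a registry key header
            location = m.group("key")
            continue
        if line.endswith("\\"):        # a Startup folder header
            location = line
            continue
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        entries.append({
            "location": location,
            "name": m.group("name"),
            "path": m.group("path"),
            # ComboFix prints [N/A] in place of date/size when the target is missing
            "present": m.group("meta").strip() != "N/A",
        })
    return entries


def flag_entries(entries, removed_folders):
    """Names of entries whose target is missing or sits under a folder the script removes."""
    folders = [f.lower().rstrip("\\") + "\\" for f in removed_folders]
    flagged = []
    for e in entries:
        path = e["path"].lower()       # NTFS paths compare case-insensitively
        if not e["present"] or any(path.startswith(f) for f in folders):
            flagged.append(e["name"])
    return flagged


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    for name in flag_entries(parse_loading_points(SAMPLE_LINES), script.get("Folder", [])):
        print("leftover autostart entry:", name)
```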
 

ohiobowtech

Thread Starter
Joined
Jan 13, 2011
Messages
14
Hello Kevin,

Here is the ComboFix log:

ComboFix 11-01-17.01 - HP_Administrator 01/17/2011 18:54:48.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.504 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\Gotcha.exe.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\My Documents\Downloads\Setup_FreeConverter.exe
C:\Gotcha.exe
c:\gotcha.exe\pev.exe
c:\windows\system32\%APPDATA%

.
((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
.

2011-01-17 20:56 . 2011-01-17 20:56 -------- d-----w- c:\program files\ESET
2011-01-17 13:14 . 2011-01-17 13:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AVG9
2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2011-01-16 22:09 . 2011-01-16 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-16 22:09 . 2011-01-17 13:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-12 22:56 . 2011-01-12 22:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2011-01-12 22:54 . 2011-01-12 22:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-01-12 22:52 . 2011-01-12 22:52 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\program files\Yontoo Layers Client
2011-01-12 12:58 . 2011-01-12 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iPod
2010-12-27 16:00 . 2010-12-27 16:00 -------- d-----w- c:\program files\iTunes
2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\drivers\msdv.sys
2010-12-20 21:16 . 2008-04-13 19:46 51200 ----a-w- c:\windows\system32\dllcache\msdv.sys
2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2010-12-20 21:16 . 2008-04-13 19:46 38912 ----a-w- c:\windows\system32\dllcache\avc.sys
2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\drivers\61883.sys
2010-12-20 21:16 . 2008-04-13 19:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-08-10 12:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-10 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( [email protected]_14.01.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-18 00:01 . 2011-01-18 00:01 16384 c:\windows\temp\Perflib_Perfdata_f1c.dat
+ 2011-01-18 00:00 . 2011-01-18 00:00 16384 c:\windows\temp\Perflib_Perfdata_908.dat
+ 2011-01-18 00:00 . 2011-01-18 00:00 16384 c:\windows\temp\Perflib_Perfdata_638.dat
+ 2011-01-18 00:00 . 2011-01-18 00:00 49152 c:\windows\temp\CompiledAdapter.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2010-08-19 3069192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 77312]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"PinnacleDriverCheck"="c:\windows\system32\\PSDrvCheck.exe" [2004-03-11 406016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Launch Whitesmoke Translator.lnk - c:\program files\Whitesmoke Translator\WSTrayDictMode.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\Shared Files\\Programs\\MediaManager\\PMSManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [12/23/2005 5:25 PM 468768]
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z007&form=ZGAPHP
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = <local>
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-17 19:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4060)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\DISC\DiscStreamHub.exe
.
**************************************************************************
.
Completion time: 2011-01-17 19:03:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-18 00:03
ComboFix2.txt 2011-01-17 20:45
ComboFix3.txt 2011-01-17 14:03

Pre-Run: 13,626,634,240 bytes free
Post-Run: 13,617,491,968 bytes free

- - End Of File - - 061DD1E64E54BC6F24F676DA0990F98C
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,441
How is the system now? Any issues? Did you change the Homepage on FF OK?
 

ohiobowtech

Thread Starter
Joined
Jan 13, 2011
Messages
14
Hi Kevin.....pulling a late one tonight, eh? Got the Jameson out? :)

Watched a great game today.....Man. City vs. Wolves. 5+ goals!

Everything seems good. Running OK. The only thing I see that it didn't use to do on start up is a black screen that shows quickly with the options of the operating system to run, and it always chooses Windows XP Media Center edition (which is fine).

How do things look to you? Any idea where this came from?

Cheers,
Chad
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,441
Hiya Chad,

The black screen you refer to gives the option to boot your OS or the Recovery Console (we installed that); the default is to boot your OS. The Recovery Console is well worth keeping; it can be used for many different repairs should your system ever have problems.

Been drinking Macallans, very nice single malt. Yep, it's nearly 1am for me, nearly sleepy time. I don't mind stopping up if I can complete a log; I also work logs at SpywareHammer and the Dell Community Forum, so have been busy there also. Calling time now... zzzzzzzz

Proceed as follows to clean up :-

Step 1

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the "x" and "/")

  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
The above procedure will delete the following:
  • ComboFix and its associated files and folders.
  • VundoFix backups, if present
  • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Step 2

  • Download OTC by OldTimer and save it to your desktop. Alternative mirror
  • Double click the icon to start the program.
    If you are using Vista or Windows 7, please right-click and choose run as administrator
  • Then click the big button.
  • You will get a prompt saying "Beginning Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Step 3

Remove the ESET Online Scanner components from your computer: start the Add or Remove Programs applet via Start > Control Panel, select the ESET Online Scanner entry and click Remove. This will happen very quickly; only reboot if requested.

Whilst in Add/Remove Programs also remove :-

Adobe Reader 7.0

Step 4

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version.
For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
The most current version of Sun Java is: Java Runtime Environment Version 6 Update 23.

  • Go to Sun Java
  • Select Windows 7/XP/Vista/2000/2003/2008
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Step 5

Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack and exploitation.

Please go to the link below to update.

Adobe Reader. Untick the Free McAfee® Security Scan Plus (optional)

Step 6

Download and scan with CCleaner

1. Use either one of the two free links below the Premium version.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 24 hours"
3. Then select the items you wish to clean up.

In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.


In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Let me know if the above steps completed OK, especially the Combofix /Uninstall command. If for any reason CF does not uninstall correctly, OTC will clean it up; you'll then have to manually flush the system restore cache and create a new restore point. Only do this if you do not get the Combofix uninstalled successfully alert:

We now need to reset your system restore points and create a new clean one. To do this, "Turn off" System Restore > Left click Start > Right click My Computer > Left click Properties > Select System Restore tab > put a tick in the Turn off System Restore box > Apply > OK. To reverse, as before but remove the tick from Turn off System Restore > Apply > OK.

Create the new restore point > Start > All Programs > Accessories > System Tools > System Restore > Create a restore point > In the Restore point description box give it a name for reference, e.g. Clean 1. The time and date are added automatically > then select Create and follow the wizard out.

Kevin
 

ohiobowtech

Thread Starter
Joined
Jan 13, 2011
Messages
14
Good Evening Kevin,

I did everything you asked, including the new system restore point.

Thanks so much for your help....you made everything so easy to understand.

Your help is very much appreciated! I cannot thank you enough.

Karma is definitely on your side!

Much respect and thanks!
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,441
Hiya Chad,

Thank you for the kind words; replies like yours make it all worthwhile. Here are some tips to reduce the potential for malware infection in the future:

Make proper use of your antivirus and firewall

Antivirus and firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware; if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features; make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

You should keep your antivirus and firewall guard enabled at all times; NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Install and use WinPatrol. This will inform you of any attempted unauthorized changes to your system.

WinPatrol features explained Here

You will have several programs installed; these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....

...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

Firefox,

Opera, and

Chrome.

All of these are excellent, faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE, which will help you to make IE MUCH safer.

These browser add-ons will help to make your browser safer:

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

Available for Firefox and Internet Explorer.

Green to go,
Yellow for caution, and
Red to stop.


Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

Here are a couple of links by two security experts that will give some excellent tips and advice.

So how did I get infected in the first place by Tony Klein

How to prevent Malware by Miekiemoes

Finally, this link HERE will give a comprehensive, up to date list of free security programs, to include antivirus, antispyware, firewall, antimalware, online scanners and rescue CDs.

Let me know if you have any remaining issues or questions; if not, hit the Mark Solved tab at the top of the thread.

Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

It's been a pleasure working with you,

take care,

Kevin
 