WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93121 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Google redirect to licosearch

Started by tonyperrin , Apr 16 2011 05:46 AM

This topic is locked

39 replies to this topic

#1 tonyperrin

Authentic Member

Authentic Member
53 posts

Posted 16 April 2011 - 05:46 AM

Hello - having big problems at present. Began with a browser redirect as above but rapidly got much worse. At present I am unable to launch IE or Firefox, nor can I access email (writing this from different computer). Cannot scan with HJ (in safe mode) as it tries to re-install when launched and an error tells me that windows installer cannot be accessed. I have run rkill, scanned with Malwarebytes and TDSS killer - no infections found. As explained, I can't post a HJ log but I have scanned with Combofix and can post a log if needed. Any help you could give will be hugely appreciated - Thanks - Tonyp Forgot to say that when I start windows normally 'hph_software' tries (and fails) to install, HJ then fails to launch as an 'installation is already in progress'. I assume (but not sure) that this is something relating to my HP printer - if I close the error windows they simply come back infinitely. Update - I now have 'TrayApp.msi' repeatedly trying to install - asks me for a path to the folder containing TrayApp.msi istallation package, when I cancel it simply keeps repeating.

Edited by tonyperrin, 17 April 2011 - 07:21 AM.

Advertisements

Register to Remove

#2 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 18 April 2011 - 04:40 AM

Hello tonyperrin and welcome to the WTT forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:• Please follow all instructions in the order posted
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If you don't understand something, please don't hesitate to ask for clarification before proceeding
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!
IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

You seem to have tried to diagnose this problem on your own. Running programs without expert knowledge can cause enormous problems, especially with ComboFix which can render your PC to a useless lump of metal if used by anyone except an expert.

Please note what is written in the guidelines above and do not run anything else unless requested. Thanks

===================================================

when I start windows normally 'hph_software' tries (and fails) to install,

I now have 'TrayApp.msi' repeatedly trying to install

Do you have HP Photosmart installed? If so, try reinstalling HP Photosmart Premier software

===================================================

Please download DDS from either of these links

Link 1
LIink 2

and save it to your desktop.

Disable any script blocking protection
Double click dds to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.

Download the GMER Rootkit Scanner

Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.

Double click the exe file.
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.

Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Logs to include with next post:

DDS.txt
Attach.txt
Gmer.txt.

Please also include the ComboFix log

Thanks

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#3 tonyperrin

Authentic Member

Authentic Member
53 posts

Posted 19 April 2011 - 04:35 PM

Hello Satchfan -

Thanks very much for your reply. Forgive my tardy response (don't get off work till quite late in the evening). Last night I reinstalled the printer software, then scanned with DDS. When I tried to scan with GMER computer crashed out to blue warning screen, I tried both safe and normal modes - no difference. The warnig was the one that tells you there may be a conflict caused by recently installed hardware. Tonight I uninstalled the printer completely and tried scanning with GMER again (in safe mode) after running for over a couple of hours the same crash occurred, so I'm unable to post a GMER log. Below is my DDS log plus the ComboFix log from Saturday (when I was unable to get HJ to launch I thought I would try scanning with ComboFix as it's often the first thing advised when I post to the forum here - apologies if I did wrong!) Attach document is attached as per instructions at the top of the document.

DDS:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by tony1 at 22:53:56.98 on 18/04/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.637 [GMT 1:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\system32\svchost.exe -k DcomLaunch
C:\WINDOWS.0\system32\svchost.exe -k rpcss
C:\WINDOWS.0\System32\svchost.exe -k netsvcs
C:\WINDOWS.0\system32\svchost.exe -k NetworkService
C:\WINDOWS.0\system32\svchost.exe -k LocalService
C:\WINDOWS.0\system32\Ati2evxx.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS.0\system32\svchost.exe -k LocalService
C:\WINDOWS.0\system32\ASTSRV.EXE
C:\WINDOWS.0\system32\HPZipm12.exe
C:\WINDOWS.0\system32\svchost.exe -k imgsvc
C:\WINDOWS.0\system32\Tablet.exe
C:\WINDOWS.0\System32\alg.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS.0\SOUNDMAN.EXE
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS.0\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS.0\System32\svchost.exe -k HTTPFilter
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Perrin\Desktop\dds.scr
C:\WINDOWS.0\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows.0\system32\userinit.exe,,c:\program files\kqhdmfdu\swypwijl.exe
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
StartupFolder: c:\docume~1\perrin\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows.0\system32\wtablet\TabUserW.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\viarai~1.lnk - c:\program files\via\raid\raid_tool.exe
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.0\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\perrin\applic~1\mozilla\firefox\profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [2010-6-6 77312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [2010-4-5 57344]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [2010-1-29 66944]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-25 136176]
S3 cpuz132;cpuz132;\??\c:\docume~1\perrin\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\perrin\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [2010-1-24 11520]
.
=============== Created Last 30 ================
.
2011-04-18 21:40:15 69632 ----a-w- c:\windows.0\system32\HPZipm12.1
2011-04-15 23:04:16 184691 ----a-w- c:\windows.0\explorermgr.exe
2011-04-15 22:46:54 98816 ----a-w- c:\windows.0\sed.exe
2011-04-15 22:46:54 89088 ----a-w- c:\windows.0\MBR.exe
2011-04-15 22:46:54 256512 ----a-w- c:\windows.0\PEV.exe
2011-04-15 22:46:54 161792 ----a-w- c:\windows.0\SWREG.exe
2011-04-14 21:36:41 -------- d-----w- c:\program files\kqhdmfdu
2011-04-14 21:36:37 184691 ----a-w- c:\program files\mozilla firefox\null0.2449669082786433.exe
2011-04-11 22:11:54 -------- d-----w- c:\docume~1\perrin\applic~1\avidemux
2011-04-11 22:11:37 -------- d-----w- c:\program files\Avidemux 2.5
2011-04-01 17:38:33 -------- d-sh--w- c:\documents and settings\perrin\IECompatCache
.
==================== Find3M ====================
.
2011-03-11 01:32:00 0 ----a-w- c:\windows.0\Mlohimeqaguv.bin
2009-05-14 20:02:10 3392872 ----a-w- c:\program files\common files\adlmint_libFNP.dll
2009-05-14 20:02:10 3298152 ----a-w- c:\program files\common files\adlmint.dll
.
============= FINISH: 22:54:49.18 ===============

ComboFix:

ComboFix 11-04-14.03 - tony1 16/04/2011 11:44:59.8.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.804 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
.
ADS - WINDOWS.0: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((( Files Created from 2011-03-16 to 2011-04-16 )))))))))))))))))))))))))))))))
.
.
2011-04-15 23:04 . 2011-04-15 23:04 184691 ----a-w- c:\windows.0\explorermgr.exe
2011-04-14 21:36 . 2011-04-15 23:04 -------- d-----w- c:\program files\kqhdmfdu
2011-04-14 21:36 . 2011-04-14 21:36 184691 ----a-w- c:\program files\Mozilla Firefox\null0.2449669082786433.exe
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
2011-04-01 17:38 . 2011-04-01 17:38 -------- d-sh--w- c:\documents and settings\Perrin\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-04-15_22.55.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-04-16 10:35 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-15 19:17 26238 c:\windows.0\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 16:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 16:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 602562 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
S2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-16 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-04-15 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-16 11:51
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(240)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(1384)
c:\windows.0\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows.0\system32\ieframe.dll
.
Completion time: 2011-04-16 11:54:18
ComboFix-quarantined-files.txt 2011-04-16 10:54
ComboFix2.txt 2011-04-15 22:57
ComboFix3.txt 2011-03-11 21:33
.
Pre-Run: 112,207,507,456 bytes free
Post-Run: 112,195,256,320 bytes free
.
- - End Of File - - C68B71429BFD678336EEE9EAB0FF9372

Thanks again for your help Satchfan, best regards -

Tonyp

Attached Files

Attach.txt 18.02KB 250 downloads

#4 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 20 April 2011 - 04:36 AM

Hi tony

Clear all your temporary files

Download ATF Cleaner
• Double-click ATF-Cleaner.exe (on your desktop) to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.
If you use Firefox browser
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu

===================================================

Flush the DNS cache

click on Start > Run > type: cmd
press OK or Hit Enter.
at the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…” it needs to be there)
hit Enter.
you will get a confirmation that the flush was successful.
close the command box.

===================================================

Please run GMER again, but this time uncheck everything EXCEPT "Sections" and "C:\" .

Let me know if you can connect to the Internet.

Also, please send the log from the first time you ran ComboFi to try and fix this problem. The recent logs are located at c:\combofix.txt, older logs are at c:\qoobox\combofix2.txt, c:\qoobox\ComboFix3.txt etc

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#5 tonyperrin

Authentic Member

Authentic Member
53 posts

Posted 20 April 2011 - 01:50 PM

Hi Satchfan -

Thanks very much for your continued support. I've followed all instructions. Gmer ran OK for me this time. I have a live internet connection, but both Firefox - Thunderbird crash at launch and IE will not attempt to launch at all. Here are my logs (including Combofix 2 & 3) -

GMER:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-20 20:24:52
Windows 5.1.2600 Service Pack 3
Running: xig1dd0n.exe; Driver: C:\DOCUME~1\Perrin\LOCALS~1\Temp\kgldquow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS.0\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6DC9000, 0x239517, 0xE8000020]
init C:\WINDOWS.0\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF6C82510]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS.0\system32\spoolsv.exe[236] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\spoolsv.exe[236] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\spoolsv.exe[236] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\spoolsv.exe[236] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[308] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[308] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[308] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[308] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ws2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\Program Files\Internet Explorer\iexplore.exe[336] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\Internet Explorer\iexplore.exe[336] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\Internet Explorer\iexplore.exe[336] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\Program Files\Internet Explorer\iexplore.exe[336] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
? C:\WINDOWS.0\system32\svchost.exe[720] time/date stamp mismatch;
.text C:\WINDOWS.0\system32\svchost.exe[720] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\system32\svchost.exe[720] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\system32\svchost.exe[720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\system32\svchost.exe[720] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
? C:\WINDOWS.0\System32\smss.exe[764] time/date stamp mismatch;
.text C:\WINDOWS.0\system32\ASTSRV.EXE[784] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\system32\ASTSRV.EXE[784] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\system32\ASTSRV.EXE[784] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\system32\ASTSRV.EXE[784] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2001D423
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2001D74D
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2001DA66
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001D3D5
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2001D8AA
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001D6DE
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2001D7C2
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2001D985
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2001D833
.text C:\WINDOWS.0\system32\HPZipm12.exe[884] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
? C:\WINDOWS.0\system32\svchost.exe[1000] time/date stamp mismatch;
.text C:\WINDOWS.0\system32\svchost.exe[1000] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\system32\svchost.exe[1000] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\system32\svchost.exe[1000] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\system32\svchost.exe[1000] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
? C:\WINDOWS.0\system32\csrss.exe[1008] time/date stamp mismatch; unknown module: CSRSRV.dll
.text C:\WINDOWS.0\system32\csrss.exe[1008] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\csrss.exe[1008] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\csrss.exe[1008] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\csrss.exe[1008] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
? C:\WINDOWS.0\system32\winlogon.exe[1048] time/date stamp mismatch; unknown module: WINMM.dllunknown module: MSGINA.dllunknown module: RASAPI32.dllunknown module: MPR.dllunknown module: AUTHZ.dllunknown module: NDdeApi.dllunknown module: PROFMAP.dllunknown module: SETUPAPI.dllunknown module: VERSION.dllunknown module: WINSTA.dllunknown module: WINTRUST.dll
.text C:\WINDOWS.0\system32\winlogon.exe[1048] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\winlogon.exe[1048] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\winlogon.exe[1048] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\winlogon.exe[1048] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\system32\winlogon.exe[1048] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS.0\system32\services.exe[1092] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
.text C:\WINDOWS.0\system32\services.exe[1092] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\services.exe[1092] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\services.exe[1092] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\services.exe[1092] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\system32\services.exe[1092] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\WINDOWS.0\system32\lsass.exe[1112] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\lsass.exe[1112] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\lsass.exe[1112] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\lsass.exe[1112] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\system32\lsass.exe[1112] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\WINDOWS.0\system32\Tablet.exe[1224] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\system32\Tablet.exe[1224] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\system32\Tablet.exe[1224] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\system32\Tablet.exe[1224] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1260] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1260] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1260] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1260] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
? C:\WINDOWS.0\system32\svchost.exe[1272] time/date stamp mismatch;
.text C:\WINDOWS.0\system32\svchost.exe[1272] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\svchost.exe[1272] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\svchost.exe[1272] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\svchost.exe[1272] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\system32\svchost.exe[1272] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS.0\system32\svchost.exe[1348] time/date stamp mismatch;
.text C:\WINDOWS.0\system32\svchost.exe[1348] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\svchost.exe[1348] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\svchost.exe[1348] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\svchost.exe[1348] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\system32\svchost.exe[1348] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS.0\System32\svchost.exe[1384] time/date stamp mismatch;
.text C:\WINDOWS.0\System32\svchost.exe[1384] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\System32\svchost.exe[1384] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\System32\svchost.exe[1384] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\System32\svchost.exe[1384] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\System32\svchost.exe[1384] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 2004E7B8
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 2004E9BC
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 2004E915
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\WINDOWS.0\System32\svchost.exe[1384] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
? C:\WINDOWS.0\system32\svchost.exe[1436] time/date stamp mismatch;
.text C:\WINDOWS.0\system32\svchost.exe[1436] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\svchost.exe[1436] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\svchost.exe[1436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\svchost.exe[1436] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\system32\svchost.exe[1436] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
? C:\WINDOWS.0\system32\svchost.exe[1544] time/date stamp mismatch;
.text C:\WINDOWS.0\system32\svchost.exe[1544] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\svchost.exe[1544] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\svchost.exe[1544] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\svchost.exe[1544] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004D423
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004D74D
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004DA66
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004D3D5
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004D8AA
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004D6DE
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004D7C2
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004D985
.text C:\WINDOWS.0\system32\svchost.exe[1544] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004D833
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1676] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1676] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1676] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\system32\Ati2evxx.exe[1676] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
? C:\WINDOWS.0\Explorer.EXE[1944] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS.0\Explorer.EXE[1944] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004FF3F
.text C:\WINDOWS.0\Explorer.EXE[1944] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20047A40
.text C:\WINDOWS.0\Explorer.EXE[1944] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004FDBB
.text C:\WINDOWS.0\Explorer.EXE[1944] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2004C9AD
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2004EAD7
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2004E132
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 2004E7B8
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2004EB92
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2004E0D3
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2004EBBF
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2004E09E
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2004EBEC
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 2004E9BC
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 2004E915
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2004E105
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2004EC13
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2004E058
.text C:\WINDOWS.0\Explorer.EXE[1944] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2004E012
? C:\WINDOWS.0\System32\svchost.exe[2140] time/date stamp mismatch;
.text C:\WINDOWS.0\System32\svchost.exe[2140] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\System32\svchost.exe[2140] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\System32\svchost.exe[2140] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\System32\svchost.exe[2140] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS.0\System32\alg.exe[2804] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\System32\alg.exe[2804] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\System32\alg.exe[2804] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\System32\alg.exe[2804] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2001D423
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2001D74D
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2001DA66
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001D3D5
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2001D8AA
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001D6DE
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2001D7C2
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2001D985
.text C:\WINDOWS.0\System32\alg.exe[2804] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2001D833
.text C:\WINDOWS.0\system32\wscntfy.exe[3088] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\system32\wscntfy.exe[3088] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\system32\wscntfy.exe[3088] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\system32\wscntfy.exe[3088] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2001EAD7
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2001E132
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 2001E7B8
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2001EB92
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2001E0D3
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2001EBBF
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2001E09E
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2001EBEC
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 2001E9BC
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 2001E915
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2001E105
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2001EC13
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2001E058
.text C:\Program Files\Java\jre6\bin\jusched.exe[3356] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2001E012
.text C:\WINDOWS.0\SOUNDMAN.EXE[3416] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\SOUNDMAN.EXE[3416] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\SOUNDMAN.EXE[3416] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\SOUNDMAN.EXE[3416] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 2001EAD7
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 2001E132
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 2001E7B8
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 2001EB92
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 2001E0D3
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!HttpOpenRequestW 3D94FBFB 5 Bytes JMP 2001EBBF
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 2001E09E
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 2001EBEC
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 2001E9BC
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 2001E915
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetWriteFile 3D9A6076 5 Bytes JMP 2001E105
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 2001EC13
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!HttpSendRequestExA 3D9BA642 5 Bytes JMP 2001E058
.text C:\Program Files\Logitech\QuickCam\Quickcam.exe[3468] WININET.dll!HttpSendRequestExW 3D9BA69B 5 Bytes JMP 2001E012
.text C:\Documents and Settings\Perrin\Desktop\xig1dd0n.exe[3496] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Documents and Settings\Perrin\Desktop\xig1dd0n.exe[3496] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Documents and Settings\Perrin\Desktop\xig1dd0n.exe[3496] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\Documents and Settings\Perrin\Desktop\xig1dd0n.exe[3496] user32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3500] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3500] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3500] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe[3500] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3608] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3608] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3608] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[3608] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\WINDOWS.0\system32\WTablet\TabUserW.exe[3660] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\WINDOWS.0\system32\WTablet\TabUserW.exe[3660] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\WINDOWS.0\system32\WTablet\TabUserW.exe[3660] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\WINDOWS.0\system32\WTablet\TabUserW.exe[3660] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3916] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001FF3F
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3916] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 20017A40
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3916] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001FDBB
.text C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3916] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 2001C9AD

---- EOF - GMER 1.0.15 ----

ComboFix 2:

ComboFix 11-04-14.03 - tony1 15/04/2011 23:49:20.7.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.796 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
.
ADS - WINDOWS.0: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Adobe Systems
c:\documents and settings\All Users\Application Data\Adobe Systems\Product licenses\B2B64000.dat
c:\documents and settings\All Users\Application Data\Adobe Systems\Product licenses\B2B86000.dat
c:\documents and settings\Perrin\Templates\r0t835ni0n1t18aj4n071sa4s7m
c:\documents and settings\Perrin\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-14 21:36 . 2011-04-14 21:36 -------- d-----w- c:\program files\kqhdmfdu
2011-04-14 21:36 . 2011-04-14 21:36 184691 ----a-w- c:\program files\Mozilla Firefox\null0.2449669082786433.exe
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
2011-04-01 17:38 . 2011-04-01 17:38 -------- d-sh--w- c:\documents and settings\Perrin\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 16:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 16:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 602562 ------w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
S2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-15 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-04-15 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 23:55
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(240)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
Completion time: 2011-04-15 23:57:37
ComboFix-quarantined-files.txt 2011-04-15 22:57
ComboFix2.txt 2011-03-11 21:33
.
Pre-Run: 112,280,256,512 bytes free
Post-Run: 112,310,530,048 bytes free
.
- - End Of File - - AD955C1565988C07CE96413F79DF5436

Combofix 3:

ComboFix 11-03-10.04 - tony1 11/03/2011 21:22:08.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.588 [GMT 0:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Perrin\Application Data\49C41166F02DECD8E1EE1D3725972576
c:\documents and settings\Perrin\Application Data\49C41166F02DECD8E1EE1D3725972576\enemies-names.txt
c:\documents and settings\Perrin\Application Data\49C41166F02DECD8E1EE1D3725972576\local.ini
c:\documents and settings\Perrin\Application Data\49C41166F02DECD8E1EE1D3725972576\lsrslt.ini
c:\documents and settings\Perrin\Application Data\Adobe\plugs
c:\documents and settings\Perrin\Application Data\Ivxuf
c:\documents and settings\Perrin\Application Data\Ivxuf\dihel.sad
c:\documents and settings\Perrin\Application Data\Ivxuf\dihel.tmp
c:\documents and settings\Perrin\Local Settings\Application Data\{9F570076-9AFD-4B9E-9980-B3E4E9A43D41}
c:\documents and settings\Perrin\Local Settings\Application Data\{9F570076-9AFD-4B9E-9980-B3E4E9A43D41}\chrome.manifest
c:\documents and settings\Perrin\Local Settings\Application Data\{9F570076-9AFD-4B9E-9980-B3E4E9A43D41}\chrome\content\_cfg.js
c:\documents and settings\Perrin\Local Settings\Application Data\{9F570076-9AFD-4B9E-9980-B3E4E9A43D41}\chrome\content\overlay.xul
c:\documents and settings\Perrin\Local Settings\Application Data\{9F570076-9AFD-4B9E-9980-B3E4E9A43D41}\install.rdf
c:\windows.0\ujojuciv.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SSHNAS
.
.
((((((((((((((((((((((((( Files Created from 2011-02-11 to 2011-03-11 )))))))))))))))))))))))))))))))
.
.
2011-03-11 01:32 . 2011-03-11 01:32 0 ----a-w- c:\windows.0\Mlohimeqaguv.bin
2011-03-11 01:31 . 2011-03-11 01:31 102400 --sha-r- c:\windows.0\system32\rasmansb.dll
2011-03-09 15:55 . 2011-03-10 11:23 -------- d-----w- c:\documents and settings\All Users\Application Data\oAfNgDo06504
2011-02-25 15:07 . 2008-06-08 22:58 60273 ----a-w- c:\windows.0\system32\pthreadGC2.dll
2011-02-25 15:06 . 2011-02-25 15:06 -------- d-----w- c:\documents and settings\Perrin\Application Data\InstallShield
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 18:09 . 2009-08-11 10:13 38224 ----a-w- c:\windows.0\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2009-08-11 10:13 20952 ----a-w- c:\windows.0\system32\drivers\mbam.sys
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-04 102400]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2010-6-6 565248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 16:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 16:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Autodesk\\Maya2010\\bin\\maya.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 16:07 77312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 15:41 57344]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 16:05 66944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 13:45 136176]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 11:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-11 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-03-11 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Ivogowaqifih - c:\windows.0\ujojuciv.dll
AddRemove-{2460923D-1AA6-47FE-A375-76308780D20F} - c:\program files\InstallShield Installation Information\{2460923D-1AA6-47FE-A375-76308780D20F}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-11 21:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(7932)
c:\windows.0\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows.0\system32\tabhook.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows.0\system32\ieframe.dll
c:\windows.0\system32\webcheck.dll
c:\windows.0\system32\wpdshserviceobj.dll
c:\windows.0\system32\portabledevicetypes.dll
c:\windows.0\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows.0\system32\savedump.exe
c:\windows.0\system32\Ati2evxx.exe
c:\windows.0\system32\Ati2evxx.exe
c:\windows.0\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows.0\system32\HPZipm12.exe
c:\windows.0\system32\Tablet.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows.0\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-03-11 21:33:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-11 21:33
ComboFix2.txt 2011-01-25 22:34
.
Pre-Run: 121,422,401,536 bytes free
Post-Run: 121,344,237,568 bytes free
.
- - End Of File - - 96ACBE37A5FE98D8652398A904E52833

Thanks again Satchfan, very best -

Tonyp

#6 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 21 April 2011 - 05:51 AM

Tony

Open ComboFix

Please do the following:• Close any open browsers.
• Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the codebox below into it:
File:: C:\program files\mozilla firefox\null0.2449669082786433.exe c:\windows.0\Mlohimeqaguv.bin Folder:: c:\program files\kqhdmfdu Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000000 "FirewallOverride"=dword:00000000 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableNotifications"=dword:00000000

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

Make all files and folders VISIBLE: • Click Start, Setting, Control Panel.
• Double-click on Folder Options.
• Select the View tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Submit a file to VirusTotal

Go to VirusTotal and submit this file for analysis:

C:\WINDOWS\explorermgr.exe • Click on Browse
• Click on the arrow and choose Local Disc (C:)
Posted Image

• Below, double-click on Windows
• Locate the file explorermgr.exe click on it and then on Open
• Click on Send File.
You will get a report back, post the report into this thread for me to see.

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#7 tonyperrin

Authentic Member

Authentic Member
53 posts

Posted 21 April 2011 - 03:21 PM

Hi Satchfan -

Thanks for your reply. At the moment I have an internet connection, but no working browsers, so had to copy the explorermgr.exe file to another machine and upload it from there (actually found the file in C:\WINDOWS.0). VirusTotal didn't offer me the opportunity to save a log so I pasted the results int a text document, hope that's okay. So, these are my logs -

Combofix:

ComboFix 11-04-21.02 - tony1 21/04/2011 19:47:49.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.641 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Perrin\Desktop\CFScript.txt
.
FILE ::
"c:\program files\mozilla firefox\null0.2449669082786433.exe"
"c:\windows.0\Mlohimeqaguv.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\mozilla firefox\null0.2449669082786433.exe
c:\windows.0\Mlohimeqaguv.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-15 23:04 . 2011-04-16 11:06 184691 ----a-w- c:\windows.0\explorermgr.exe
2011-04-14 21:36 . 2011-04-16 11:06 -------- d-----w- c:\program files\kqhdmfdu
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
2011-04-01 17:38 . 2011-04-01 17:38 -------- d-sh--w- c:\documents and settings\Perrin\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-04-15_22.55.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-04-21 18:31 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-15 19:17 26238 c:\windows.0\system32\tablet.dat
+ 2011-04-18 21:42 . 2011-04-18 21:42 84992 c:\windows.0\Installer\5a0fc.msi
+ 2011-04-18 21:41 . 2011-04-18 21:41 65536 c:\windows.0\Installer\{DBC20735-34E6-4E97-A9E5-2066B66B243D}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 65536 c:\windows.0\Installer\{DBC20735-34E6-4E97-A9E5-2066B66B243D}\NewShortcut1.A6CC6977_F7B4_4C0B_9510_BCD847D4BDB2.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 65536 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut27.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 65536 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut27.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 65536 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut25.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 65536 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut25.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 65536 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut15_1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 65536 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut15_1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 18:42 . 1998-10-29 15:45 306688 c:\windows.0\IsUninst.exe
- 2009-08-12 18:42 . 2003-06-18 15:48 306688 c:\windows.0\IsUninst.exe
+ 2011-04-18 21:42 . 2011-04-18 21:42 425984 c:\windows.0\Installer\5a0f7.msi
+ 2011-04-18 21:42 . 2011-04-18 21:42 302592 c:\windows.0\Installer\5a0f0.msi
+ 2011-04-18 21:42 . 2011-04-18 21:42 336896 c:\windows.0\Installer\5a0e9.msi
+ 2011-04-18 21:42 . 2011-04-18 21:42 758272 c:\windows.0\Installer\5a0cf.msi
+ 2011-04-18 21:42 . 2011-04-18 21:42 344064 c:\windows.0\Installer\5a0b0.msi
+ 2011-04-18 21:42 . 2011-04-18 21:42 338944 c:\windows.0\Installer\5a0aa.msi
+ 2011-04-18 21:42 . 2011-04-18 21:42 557056 c:\windows.0\Installer\5a0a4.msi
+ 2011-04-18 21:42 . 2011-04-18 21:42 325632 c:\windows.0\Installer\5a099.msi
+ 2011-04-18 21:41 . 2011-04-18 21:41 489472 c:\windows.0\Installer\5a093.msi
+ 2011-04-18 21:41 . 2011-04-18 21:41 467456 c:\windows.0\Installer\5a086.msi
+ 2011-04-18 21:41 . 2011-04-18 21:41 488448 c:\windows.0\Installer\5a073.msi
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut9.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut9.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut8.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut8.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut7.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut7.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut6.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut6.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut24.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut24.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut23.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut23.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut22.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut22.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut21.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut21.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut20.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut20.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut2.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut2.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut19.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut19.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut18.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut18.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut17.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut17.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut16.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut16.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut14.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut14.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut13.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut13.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut12.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut12.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut11.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut11.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut10.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut10.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2009-08-12 19:54 . 2011-04-18 21:41 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
- 2009-08-12 19:54 . 2009-08-12 19:54 110592 c:\windows.0\Installer\{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}\NewShortcut1.DE9B046B_865A_4DEC_B555_7F4B3C92BD42.exe
+ 2011-04-18 21:42 . 2011-04-18 21:42 1499648 c:\windows.0\Installer\5a107.msi
+ 2011-04-18 21:41 . 2011-04-18 21:41 3155456 c:\windows.0\Installer\5a050.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 602562]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-04-20 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-21 19:52
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
Completion time: 2011-04-21 19:54:36
ComboFix-quarantined-files.txt 2011-04-21 18:54
ComboFix2.txt 2011-04-16 10:54
ComboFix3.txt 2011-04-15 22:57
ComboFix4.txt 2011-03-11 21:33
.
Pre-Run: 102,762,348,544 bytes free
Post-Run: 102,749,986,816 bytes free
.
- - End Of File - - B3F627C482856105DE602AD2E7DE22C3

VirusTotal:

Antivirus Version Last update Result
AhnLab-V3 2011.04.22.00 2011.04.21 -
AntiVir 7.11.6.230 2011.04.21 -
Antiy-AVL 2.0.3.7 2011.04.21 -
Avast 4.8.1351.0 2011.04.21 Win32:Hiloti-AX
Avast5 5.0.677.0 2011.04.21 Win32:Hiloti-AX
AVG 10.0.0.1190 2011.04.21 Generic22.IDR
BitDefender 7.2 2011.04.21 Trojan.Generic.KD.188633
CAT-QuickHeal 11.00 2011.04.21 -
ClamAV 0.97.0.0 2011.04.21 -
Commtouch 5.3.2.6 2011.04.21 -
Comodo 8427 2011.04.21 Heur.Suspicious
DrWeb 5.0.2.03300 2011.04.21 Trojan.Starter.1591
eSafe 7.0.17.0 2011.04.20 -
eTrust-Vet 36.1.8284 2011.04.21 -
F-Prot 4.6.2.117 2011.04.21 -
F-Secure 9.0.16440.0 2011.04.21 -
Fortinet 4.2.257.0 2011.04.21 -
GData 22 2011.04.21 Trojan.Generic.KD.188633
Ikarus T3.1.1.103.0 2011.04.21 Trojan.SuspectCRC
Jiangmin 13.0.900 2011.04.21 -
K7AntiVirus 9.97.4451 2011.04.21 -
Kaspersky 7.0.0.125 2011.04.21 -
McAfee 5.400.0.1158 2011.04.21 -
McAfee-GW-Edition 2010.1D 2011.04.21 -
Microsoft 1.6802 2011.04.21 Trojan:Win32/Ramnit
NOD32 6062 2011.04.21 Win32/Ramnit.A
Norman 6.07.07 2011.04.21 -
Panda 10.0.3.5 2011.04.21 Generic Trojan
PCTools 7.0.3.5 2011.04.21 -
Prevx 3.0 2011.04.21 Medium Risk Malware
Rising 23.54.03.06 2011.04.21 Trojan.Win32.Generic.1285742F
Sophos 4.64.0 2011.04.21 Mal/Generic-L
SUPERAntiSpyware 4.40.0.1006 2011.04.21 -
Symantec 20101.3.2.89 2011.04.21 -
TheHacker 6.7.0.1.180 2011.04.21 -
TrendMicro 9.200.0.1012 2011.04.21 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.21 -
VBA32 3.12.16.0 2011.04.21 -
VIPRE 9079 2011.04.21 Trojan.Win32.Generic!BT
ViRobot 2011.4.21.4422 2011.04.21 -
VirusBuster 13.6.315.0 2011.04.21 -
MD5: 237b65b20929784fc58d3234c610ad16
SHA1: 513daca04b370966ddfa62c7066aace2873196b6
SHA256: 9cba256b9a66163f4df9429c20b82e3f8463cade38171dc3fd4677fd60fc3de4
File size: 184691 bytes
Scan date: 2011-04-21 20:48:13 (UTC)

I'm afraid I'm gonna be away now for a week. Would you be able to keep my topic open? If not what should I do? I will be able to check and reply to emails but won't have access to my own machine until I am back in the country on the 29th.

Thanks as usual Satchfan for your help and support, best regards -

Tonyp

#8 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 21 April 2011 - 03:58 PM

Hi tony

I'm gonna be away now for a week. Would you be able to keep my topic open?

Thanks for letting me know.

I'll keep this open until you come back.

Satchfan.

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#9 tonyperrin

Authentic Member

Authentic Member
53 posts

Posted 30 April 2011 - 10:44 AM

Hello Satchfan - Thanks very much for keeping my post open. Got back home last night, but couldn't get onto the forum until now. The logs in my last post on 21 April are my up to date ones, that's the position I'm in at present. If you're able and still willing I'll be very glad to have your help again - Thanks as usual - Tonyp

#10 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 30 April 2011 - 11:08 AM

Hi Tony Thanks for letting me know I will be away until tomorrow morning (GM0 so will send new instructions then. Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

Advertisements

Register to Remove

#11 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 01 May 2011 - 04:37 AM

Hi tony

Open ComboFix

Please do the following:• Close any open browsers.
• Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the codebox below into it:
File:: c:\windows.0\explorermgr.exe c:\program files\kqhdmfdu Rootkit:: c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

Submit a file to VirusTotal

Go to VirusTotal and submit this file for analysis:

C:\WINDOWS\system32\sfcfiles.dll

Run AVPTool by Kaspersky

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

Please post back with both logs, the ComboFix.txt log and the result from VirusTotal

Thanks

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#12 tonyperrin

Authentic Member

Authentic Member
53 posts

Posted 01 May 2011 - 03:30 PM

Hi Satchfan -

Thanks for your continuing support. I have been trying all day to get the AVT toolto run. I managed to re-install Firefox on the infected computer but it refuses to connect to any url with Kaspersky in the title (connects to other thinks though still re-directing to licosearch when a new window opens). I tried downloading the file with another machine and transferring it to my desktop, when I run it creates a folder on the desktop, but doesn't launch the scan interface. I downloaded numerous times, tried it in safemode, normal and every whichway, even tried running rkill before running - but no joy, so I guess something is preventing it.

VirusTotal returned the following result:

File name: sfcfiles.dll
Submission date: 2011-05-01 16:54:44 (UTC)
Current status: finished
Result: 0/ 41 (0.0%)

- and this is my ComboFix log:

ComboFix 11-04-30.05 - tony1 01/05/2011 14:57:29.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.595 [GMT 1:00]
Running from: c:\documents and settings\Perrin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Perrin\Desktop\CFScript.txt
.
FILE ::
"c:\program files\kqhdmfdu"
"c:\windows.0\explorermgr.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows.0\explorermgr.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-04-14 21:36 . 2011-04-21 21:25 -------- d-----w- c:\program files\kqhdmfdu
2011-04-11 22:11 . 2011-04-11 22:14 -------- d-----w- c:\documents and settings\Perrin\Application Data\avidemux
2011-04-11 22:11 . 2011-04-11 22:11 -------- d-----w- c:\program files\Avidemux 2.5
2011-04-01 17:38 . 2011-04-01 17:38 -------- d-sh--w- c:\documents and settings\Perrin\IECompatCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D174.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D173.exe
2011-03-12 13:12 . 2011-03-12 13:12 51712 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D172.exe
2011-03-12 13:12 . 2011-03-12 13:12 27648 ----a-r- c:\documents and settings\Perrin\Application Data\Microsoft\Installer\{78D62D17-D970-42DA-B8CF-5E5576293B33}\Icon78D62D171.exe
2009-05-14 20:02 . 2009-05-14 20:02 3392872 ----a-w- c:\program files\Common Files\adlmint_libFNP.dll
2009-05-14 20:02 . 2009-05-14 20:02 3298152 ----a-w- c:\program files\Common Files\adlmint.dll
.
.
------- Sigcheck -------
.
[-] 2009-01-12 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows.0\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot_2011-04-21_18.52.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-28 10:29 . 2011-05-01 11:26 26238 c:\windows.0\system32\tablet.dat
- 2010-07-28 10:29 . 2011-04-21 18:31 26238 c:\windows.0\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-30 149280]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 577536]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 602562]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
TabUserW.exe.lnk - c:\windows.0\system32\WTablet\TabUserW.exe [2010-7-28 77824]
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [N/A]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS4\\Dreamweaver.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
R0 viasraid;viasraid;c:\windows.0\system32\drivers\viasraid.sys [06/06/2010 17:07 77312]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows.0\system32\ASTSRV.EXE [05/04/2010 16:41 57344]
R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows.0\system32\drivers\thdudf.sys [29/01/2010 17:05 66944]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [25/12/2010 14:45 136176]
S3 scsiscan;SCSI Scanner Driver;c:\windows.0\system32\drivers\scsiscan.sys [24/01/2010 12:29 11520]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-01 c:\windows.0\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
2011-05-01 c:\windows.0\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-25 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: amazon.co.uk\www
Trusted Zone: ravenwoodfair.com\www
FF - ProfilePath - c:\documents and settings\Perrin\Application Data\Mozilla\Firefox\Profiles\pjo20krg.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Get Mail Plus: getmail@webdesigns.ms11.net - %profile%\extensions\getmail@webdesigns.ms11.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.0\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 15:02
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe 184691 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1960408961-413027322-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D940F9-0E35-E0F0-1675-249C6C404004}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS.0\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows.0\system32\Ati2evxx.dll
c:\windows.0\system32\atiadlxx.dll
.
Completion time: 2011-05-01 15:04:20
ComboFix-quarantined-files.txt 2011-05-01 14:04
ComboFix2.txt 2011-04-21 18:54
ComboFix3.txt 2011-04-16 10:54
ComboFix4.txt 2011-04-15 22:57
ComboFix5.txt 2011-05-01 13:49
.
Pre-Run: 103,603,355,648 bytes free
Post-Run: 103,591,510,016 bytes free
.
- - End Of File - - 6A69D6E9191C6BD6E041D872FB957F62

Thanks as usual - Tonyp

#13 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 01 May 2011 - 04:10 PM

Hi Tony

Let's try a different scan

Run ESET Online Scan

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan 1. Click the Eset online Scanner button.
2. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
• Double click on the Eset installer icon on your desktop.

3. Check Yes, I accept the Terms of Use
4. Click the Start button.
5. Accept any security warnings from your browser.
6. Check Scan archives
7. Push the Start button.
8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
9. When the scan completes, push List of found threats
10. Push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Note - when ESET doesn't find any threats, no report will be created.
11. Push the back button.
12. Push Finish
If a log has been produced post it in your next reply.

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

#14 tonyperrin

Authentic Member

Authentic Member
53 posts

Posted 01 May 2011 - 05:04 PM

Hi Satchfan - Just tried this - same deal - browser refuses to connect to Eset. I downloaded the exe via another machine but when I try to run it stalls at the message - 'Cannot get update. Is proxy configured?' - I've no idea what to do about this! - Tonyp

#15 Satchfan

SuperHelper

Malware Team
6,813 posts

Interests:LFC, music, more LFC, more music

Posted 02 May 2011 - 03:25 AM

Hi Tony

Boot to Safe mode with Networking and see if you can then run Internet Explorer or Firefox

To Enter Safemode• Go to Start> Shut off your Computer> Restart
• As the computer starts to boot-up, Tap the F8 KEY - this will bring up a menu.
• Use the Up and Down Arrow Keys to scroll up to Safemode
• Then press Enter on your keyboard
===================================================

If necessary, download this from another computer.

Run RogueKiller

Note: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again

Download RogueKiller to your desktop.

close all running programs
for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
when prompted, type 1 and press Enter
the RKreport.txt will be generated next to the executable, (on the desktop).
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

Remember, do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run roguekiller again

Open ComboFix

Please do the following:• Close any open browsers.
• Close/disable all anti virus and anti malware programs so that they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the codebox below into it:
Folder:: c:\program files\kqhdmfdu Rootkit:: c:\documents and settings\Perrin\Start Menu\Programs\Startup\swypwijl.exe Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,"

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it produces a log at C:\ComboFix.txt. Post the contents of Combofix.txt in your next reply.

Let me know how things are now.

Satchfan

NINA - Proud graduate of the WTT Classroom

Member of UNITE

The help you receive here is free but if you feel I have helped, you may consider making a Donation.

Body Background

skin color theme