skizzo

Members
  • Posts: 15

Everything posted by skizzo

  1. Hi, I can't access the page in IE or Firefox, I get an error 405 Not Allowed -------------------------------------------------------------------------------- nginx/0.8.15
  2. Hey, I can't get the trial version, I don't really understand Russian? If you download it, does it ask you to download the trial version? This is the URL: http://forums.malwarebytes.org/index.php?showtopic=43468
  3. Yeah, I have, I can't see a radio button to select ... it looks like the software doesn't install ... I've posted some screenshots ... dr.web.doc s
  4. Hi again, I've downloaded the program, disconnected the laptop from the internet, and when I click on the drweb-cureit.exe a green screen comes up telling me that the Dr Web is free for home PC only, if I want to read the purchase terms now. I click cancel and I have a green page with start and update. Click on start and the scan starts, takes half a second, then tells me that there is nothing suspicious or viruses ( RC = 0) and then it asks me if I want to open the FAQ. If I click OK it goes to a web page, if I click cancel it goes back to the main green page, but the only option I have is to download a full version trial to some Russian web site that I don't understand? Do you want me to download the full version? I also have lots of .pf files in c:\windows\prefetch .....
  5. Hey, I am back ... with more issues ... I can't run the online scan, the page does not load and I can't seem to start the scan manually either. In Internet Explorer the page has lots of red crosses and does not display properly ... other pages are working fine .... if I go to the Sophos web site the page times out ... I don't know about you but I'm tempted to format c:\*.* ;o)
  6. Hey, success .. ;o) The Malwarebytes ran after I started the winlogon ..... log attached mbam_log_2010_03_18__22_18_01_.txt Thanks again .. feels like we're making lill progress .... skizzo
  7. Hi, when I start running the program, the program closes and the scan stops. Can I run this in safe mode? PS I will be away from tomorrow morning till Tuesday morning, if you're not able to get back to me tonight I'll spk to you on Tuesday
  8. Hi, if I run the program in safe mode I get the same error. The process has a big log file, do you want me to post the log file? After the error the scan carries on but sometimes it tells me that there is not enough free system memory ( laptop has 2Gb and when ComboFix runs the system has 1.5gb of mem available ). Shall I ignore the error and carry on the scan? Thanks for your help. I warned you that this one was a bit of a strange one s
  9. Hi, thanks once again, everything ran OK this time .. ... logs attached OTLnew.Txt JavaRa.txt
  10. Hi, logs attached Extras.Txt OTL.Txt Thanks for looking into this Skizzo
  11. Hi, I have deleted the ComboFix file and deleted the folder, downloaded the file from new again but the same error came up? Is there anything else I can do? Thanks Skizzo
  12. Hi Borislav, thank you for coming to my rescue ) While I was running the ComboFix at complete stage_2 I got a message: PEV.cfxxe has encountered a problem and needs to close. I clicked send the error report and the scan continued. Also after the scan the ComboFix restarted the PC. Logs attached ...... many thanks for your help. Skizzo .... combofix.txt DDSnew.txt Attach.txt
  13. I've managed to run the GMER utility too, below the logs.. I also get the RPC terminated unexpectedly ..reboot the machine ...
Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [6113909F] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A33F] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A37F] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139C3F] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A40D] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A3BF] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!AnimateWindow] [611390DD] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenuEx] [61138FA4] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcA] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetSysColor] [61138FE2] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll 
[uSER32.dll!DefWindowProcW] [61139856] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetSysColorBrush] [611390A5] C:\Program Files\Yahoo!\Messenger\yui.dll IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2732] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenu] [61138F66] C:\Program Files\Yahoo!\Messenger\yui.dll ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.) AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc) ---- EOF - GMER 1.0.15 ---- once again thanks
  14. Hi, I have been dealing with something a bit strange in the last few days. I have lost the Wi-Fi connection on my laptop to begin with and now all sorts of things are happening. I have Sophos installed and up to date, still managed to catch something strange. I have installed Malwarebytes but this keeps closing after a few seconds .. also my Sophos service does not start anymore.... any help much appreciated. GMER keeps crashing or I GET A BLUE SCREEN ... DDS logs