
Please Help.

I have been having difficulties with malware for several weeks now. I have used Malwarebytes to clean my system regularly and have used SUPERAntiSpyware as well. I also run AVG v9 anti-virus, Comodo Firewall and Arovax Shield.

I have managed to clean some infections off the system but am repeatedly having the following registry entry come up as an infection within the log when I run Malwarebytes:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4108

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

17/05/2010 07:36:10

mbam-log-2010-05-17 (07-36-10).txt

Scan type: Quick scan

Objects scanned: 145134

Time elapsed: 16 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I have checked the registry and noted that the entry above is still there despite the number of times I run Malwarebytes.

In addition, when I use IE8 or Firefox 3.6.3 and I use a search engine I often, but not always, get redirected to completely unrelated sites, usually associated with advertising.

Please can someone help, as I am concerned about using the machine in case more damage is done or information is being stolen?

Many thanks

jonnie

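Two checks a responder would run against a log like the one above, as an added example that is not part of the original post, of Malwarebytes or of any other product mentioned: a parser for this MBAM 1.x log format that reports items recurring across successive runs (an item reported "Quarantined and deleted successfully" every time and back at the next scan is being re-created by something still active, which is exactly the situation described), and a classifier for the (default) value of a shell\open\command key, where the stock exefile value on Windows XP is "%1" %* and anything placed in front of it is an executable that interposes every program launch. The two sample logs and the hijack command string are constructed for illustration; only the secfile line is taken from the post.

```python
"""Triage helpers for Malwarebytes' Anti-Malware 1.x text logs.

Added example for this thread; not code from the post, Malwarebytes or
any other product.  The two sample logs and the hijack command string are
constructed for illustration (only the secfile line is from the post)."""
import re
from collections import defaultdict

# Detail-section headers of an MBAM 1.x log (the summary block repeats the
# same names followed by a count, so an exact match selects only the detail).
SECTIONS = (
    "Memory Processes Infected:", "Memory Modules Infected:",
    "Registry Keys Infected:", "Registry Values Infected:",
    "Registry Data Items Infected:", "Folders Infected:", "Files Infected:",
)
# One detection line: "<item> (<threat name>) -> <action taken>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict {section, item, threat, action} per detection line."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line.rstrip(":")
            continue
        if not line or section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append({"section": section, **m.groupdict()})
    return found


def recurring_detections(logs):
    """Map item -> number of runs it appeared in, for items present in more
    than one of the given logs (successive scans).  An item reported as removed
    in every run and back at the next scan is being re-created by something
    still active; that re-creator is what to chase, not the value itself."""
    runs_by_item = defaultdict(set)
    for run, text in enumerate(logs):
        for d in parse_mbam_log(text):
            runs_by_item[d["item"]].add(run)
    return {item: len(runs) for item, runs in runs_by_item.items() if len(runs) > 1}


BENIGN_OPEN = '"%1" %*'   # stock exefile\shell\open\command value on Windows XP


def classify_open_command(value):
    """Classify the (default) value of a shell\\open\\command key.
    Returns (verdict, interposed_executable_or_None).  A value that still ends
    in the stock "%1" %* but has an executable in front of it launches that
    executable first, with the real program as its argument: a hijack."""
    v = value.strip()
    if v == BENIGN_OPEN:
        return ("benign", None)
    m = re.match(r'^"?([^"]+?\.exe)"?', v, re.IGNORECASE)
    if m and BENIGN_OPEN in v:
        return ("hijacked", m.group(1))
    return ("unknown", m.group(1) if m else None)


# --- constructed sample data (only the secfile line is from the post) ------
LOG_RUN_1 = r"""
Registry Values Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""
LOG_RUN_2 = r"""
Registry Values Infected:
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\example.tmp (Example.Constructed) -> Quarantined and deleted successfully.
"""
# Hypothetical hijack value: an executable placed in front of the stock "%1" %*.
HYPOTHETICAL_HIJACK = r'"C:\Documents and Settings\user\Local Settings\Application Data\xyz\rogue.exe" /START "%1" %*'

if __name__ == "__main__":
    print(recurring_detections([LOG_RUN_1, LOG_RUN_2]))
    print(classify_open_command(HYPOTHETICAL_HIJACK))
```

Feed `recurring_detections` the saved mbam-log-*.txt files in date order; any registry value that scores 2 or more is a persistence symptom, and the path that `classify_open_command` extracts from its current content is the executable to look for in the OTL and GMER output.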

Hello, and welcome :)

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Click the "Scan All Users" checkbox.
    • Push the Run Scan button.
    • Two reports will open, copy and paste them in a reply here:
      • OTListIt.txt <-- Will be opened
      • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

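For reading the GMER log once it comes back, an added example that is not part of the instructions above, of GMER or of any product in this thread. Each "User code sections" line names the process and PID, the hooked export, the patch and the JMP target, followed by the module that owns the target when GMER can resolve one. Hooks owned by a security product the machine is known to run are expected; a hook whose target GMER cannot attribute to any module means the code lives in memory with no file behind it inside that process, and those are the lines to look at first. The "Kernel code sections" lines deserve a similar sort: INIT is a driver's normal initialisation section, while .rsrc holds resources and should not contain an entry point. The sample lines are copied from the GMER log posted later in the thread; the allowlist of expected hooking DLLs is an assumption supplied by the analyst (guard32.dll, assumed here to be the Comodo user-mode component), not something GMER reports.

```python
"""Triage the "User code sections" and "Kernel code sections" of a GMER 1.0.15
log.  Added example, not part of the thread, of GMER or of any product.
SAMPLE_LOG is copied (trimmed) from the log posted in the thread; KNOWN_HOOKERS
is an analyst assumption, not something GMER supplies."""
import re
from collections import defaultdict

# .text <process>[<pid>] <module>!<export> <addr> <n> Bytes <op> <target> [<owner module>]
USER_HOOK_RE = re.compile(
    r'^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) '
    r'(?P<addr>[0-9A-Fa-f]{8}) (?P<nbytes>\d+) Bytes (?P<op>\S+) (?P<target>[0-9A-Fa-f]{8})'
    r'(?: (?P<owner>.+))?$')
# <section> <driver> entry point in "<section>" section [<addr>]
KERNEL_EP_RE = re.compile(
    r'^(?P<section>\S+) (?P<driver>.+?) entry point in "(?P=section)" section \[(?P<addr>0x[0-9A-Fa-f]+)\]$')

# Hooking DLLs the analyst has decided are expected on this machine
# (assumption for this example: guard32.dll is the user-mode part of the
# Comodo firewall the poster says is installed).
KNOWN_HOOKERS = {"guard32.dll"}


def parse_user_hooks(text):
    """Return one dict per user-mode hook line; owner is None when GMER
    printed no module after the JMP target."""
    hooks = []
    for line in text.splitlines():
        m = USER_HOOK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["owner"] = d["owner"].strip() if d["owner"] else None
            hooks.append(d)
    return hooks


def triage_user_hooks(hooks, known=KNOWN_HOOKERS):
    """Split hooks into expected (owner DLL on the allowlist) and suspicious,
    the latter grouped by process.  A hook is suspicious when GMER cannot name
    the module behind the JMP target (code in unbacked memory) or when the
    owning module is not on the allowlist."""
    allow = {k.lower() for k in known}
    verdict = {"expected": [], "suspicious": defaultdict(list)}
    for h in hooks:
        owner_name = h["owner"].rsplit("\\", 1)[-1].lower() if h["owner"] else None
        if owner_name in allow:
            verdict["expected"].append(h)
        else:
            key = f'{h["proc"]}[{h["pid"]}]'
            verdict["suspicious"][key].append((h["module"] + "!" + h["func"], h["target"], h["owner"]))
    return verdict


def kernel_entry_point_findings(text):
    """Flag drivers whose entry point sits in a section that does not normally
    hold code.  INIT, .text and PAGE are code sections, so they are normal;
    an entry point in .rsrc (resources) is not."""
    findings = []
    for line in text.splitlines():
        m = KERNEL_EP_RE.match(line.strip())
        if m:
            sec = m.group("section").lower().lstrip(".")
            status = "normal" if sec in {"init", "text", "page"} else "suspicious"
            findings.append((m.group("driver"), m.group("section"), status))
    return findings


# Lines copied from the GMER log in this thread (trimmed to a few).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF70718BF]
.rsrc C:\WINDOWS\System32\drivers\afd.sys entry point in ".rsrc" section [0xEEB1FC14]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\svchost.exe[404] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1236] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1236] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00BC000A
"""

if __name__ == "__main__":
    v = triage_user_hooks(parse_user_hooks(SAMPLE_LOG))
    for proc, hooks in v["suspicious"].items():
        print(proc, hooks)
    print(kernel_entry_point_findings(SAMPLE_LOG))
```

Run it over the saved gmer.log: the "suspicious" map collapses hundreds of attributed Comodo hooks into nothing and leaves only the processes whose hooks jump into unowned memory, together with the exact exports they intercept, which is the short list to carry into the next step of the cleanup.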

Elise

Sorry forgot the attachments.

The OTL and Extra files are attached; the gmer.log file is below:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-17 19:18:44

Windows 5.1.2600 Service Pack 2

Running: pz6jhkcj.exe; Driver: C:\DOCUME~1\Jonnie\LOCALS~1\Temp\pwtdykob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xEEC5B19E]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xEEC5AA1C]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xEEC5AE60]

SSDT \??\C:\Program Files\Arovax Shield\dtd.sys (Windows Registry Monitor/Arovax) ZwCreateKey [0xF7992140]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xEEC5A902]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xEEC5C176]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xEEC5B37C]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0xEEC5A4D2]

SSDT \??\C:\Program Files\Arovax Shield\dtd.sys (Windows Registry Monitor/Arovax) ZwDeleteKey [0xF79916A0]

SSDT \??\C:\Program Files\Arovax Shield\dtd.sys (Windows Registry Monitor/Arovax) ZwDeleteValueKey [0xF79919A0]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xEEC5A37E]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xEEC5BE16]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xEEC5B022]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0xEEC5A0C8]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xEEC5ACF6]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0xEEC5A226]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xEEC5BC8A]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xEEC5BFB6]

SSDT \??\C:\Program Files\Arovax Shield\dtd.sys (Windows Registry Monitor/Arovax) ZwSetValueKey [0xF7991D80]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xEEC5AC90]

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEEA48950]

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xEEC5A698]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF70718BF]

.rsrc C:\WINDOWS\System32\drivers\afd.sys entry point in ".rsrc" section [0xEEB1FC14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[404] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[404] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[536] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgnsx.exe[696] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] user32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] user32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] user32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\iolo\common\lib\ioloServiceManager.exe[744] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 003B4FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 003B4F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 003B1830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 003B1200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 003B1390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] USER32.dll!EndTask 7E459E75 5 Bytes JMP 003B4BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] USER32.dll!mouse_event 7E466515 5 Bytes JMP 003B16A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] USER32.dll!keybd_event 7E466559 5 Bytes JMP 003B1520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 003B48E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\aniServ.exe[764] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 003B4A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[776] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\winlogon.exe[796] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\services.exe[856] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\lsass.exe[868] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\Ati2evxx.exe[1008] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1048] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1188] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A

.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A

.text C:\WINDOWS\System32\svchost.exe[1236] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C

.text C:\WINDOWS\System32\svchost.exe[1236] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 0079000A

.text C:\WINDOWS\System32\svchost.exe[1236] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\svchost.exe[1236] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00BC000A

.text C:\WINDOWS\System32\svchost.exe[1236] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1268] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\System32\alg.exe[1276] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1292] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgchsvx.exe[1336] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1452] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1540] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[1656] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Comodo\Firewall\cmdagent.exe[1708] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\spoolsv.exe[1856] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C9000A

.text C:\WINDOWS\Explorer.EXE[2060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A

.text C:\WINDOWS\Explorer.EXE[2060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C8000C

.text C:\WINDOWS\Explorer.EXE[2060] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\Explorer.EXE[2060] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[2104] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Google\Update\GoogleUpdate.exe[2240] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\HPZipm12.exe[2248] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\svchost.exe[2336] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2660] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Documents and Settings\Jonnie\Desktop\pz6jhkcj.exe[2708] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\rundll32.exe[3624] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\WINDOWS\system32\ctfmon.exe[3788] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10004FF0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 10004F10 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001830 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10001200 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004BB0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016A0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 100048E0 C:\WINDOWS\system32\guard32.dll

.text C:\Program Files\Messenger\msmsgs.exe[3864] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004A50 C:\WINDOWS\system32\guard32.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7302990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7302990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7302990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7302990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7302990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F7302990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7302950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7302990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F7302710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7302770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86B7AAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a64cf0e

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a64cf0e@0024905ae9e8 0x75 0x32 0xB2 0x30 ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a64cf0e (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a64cf0e@0024905ae9e8 0x75 0x32 0xB2 0x30 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{457AB9B8-C6AB-7B7E-D0C6-22F5CF38D1F5}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\drivers\afd.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Thanks

Jonnie

OTL.Txt

Extras.Txt


Hello again, GMER shows a nasty rootkit. Before starting to fix this, please consider the following.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
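As an added example (not part of this thread and not GMER's or the helper's code), a small Python triage script for GMER logs of the kind posted above: it separates user-mode hooks that GMER attributes to a module the analyst already accounts for (here Comodo's guard32.dll, which is an assumption the analyst supplies) from hooks that jump into memory GMER cannot name, and collects GMER's own "suspicious modification" and "Device ->" findings. The sample lines are excerpted from the log above; the trusted-module list and the `needs_escalation` rule are assumptions of this example.

```python
"""Triage for GMER user-mode hook logs (added example, not GMER's own code):
separates hooks GMER attributes to a module the analyst already accounts for
from hooks that jump into memory GMER cannot name, and collects GMER's own
'suspicious modification' and 'Device ->' findings."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# '.text <process>[pid] <dll>!<export> <addr> <n> Bytes JMP <target> [<module path>]'
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<symbol>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<module>\S.*?))?\s*$"
)
# 'File <path> suspicious modification'
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")
# 'Device -> \Driver\<name> \Device\<path> <object address>'
DEVICE_RE = re.compile(r"^Device\s+->\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+[0-9A-Fa-f]+\s*$")

# Assumption supplied by the analyst: modules whose hooks are expected here.
# guard32.dll is the Comodo firewall's user-mode hooking DLL, and the log
# above shows it hooking the same exports in every listed process.
TRUSTED_MODULES = {"guard32.dll"}


@dataclass(frozen=True)
class Hook:
    process: str
    symbol: str
    target: str
    module: str | None  # None when GMER printed no module for the JMP target


@dataclass
class Triage:
    expected_hooks: list[Hook] = field(default_factory=list)
    unexpected_hooks: list[Hook] = field(default_factory=list)    # named module, not trusted
    unattributed_hooks: list[Hook] = field(default_factory=list)  # JMP into unnamed memory
    modified_files: list[str] = field(default_factory=list)
    redirected_devices: list[tuple[str, str]] = field(default_factory=list)


def triage(lines, trusted_modules=TRUSTED_MODULES) -> Triage:
    """Classify every recognised GMER line; headers and blank lines are skipped."""
    result = Triage()
    trusted = {m.lower() for m in trusted_modules}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = HOOK_RE.match(line)
        if m:
            hook = Hook(m["process"], m["symbol"], m["target"], m["module"])
            if hook.module is None:
                # JMP into memory owned by no loaded module (the Explorer.EXE pattern above)
                result.unattributed_hooks.append(hook)
            elif hook.module.rsplit("\\", 1)[-1].lower() in trusted:
                result.expected_hooks.append(hook)
            else:
                result.unexpected_hooks.append(hook)
            continue
        m = FILE_RE.match(line)
        if m:
            result.modified_files.append(m["path"])
            continue
        m = DEVICE_RE.match(line)
        if m:
            # GMER prints 'Device ->' when a device object is no longer served
            # by its own driver's dispatch; recorded for review, not classified.
            result.redirected_devices.append((m["driver"], m["device"]))
    return result


def needs_escalation(t: Triage) -> bool:
    """True when something remains that the trusted-module list does not explain."""
    return bool(t.unattributed_hooks or t.unexpected_hooks
                or t.modified_files or t.redirected_devices)


# Constructed sample: lines excerpted from the GMER log posted above.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1292] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10001390 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\AVG\AVG9\avgrsx.exe[1344] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001520 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C9000A
.text C:\WINDOWS\Explorer.EXE[2060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\Explorer.EXE[2060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C8000C
---- Devices - GMER 1.0.15 ----
Device -> \Driver\atapi \Device\Harddisk0\DR0 86B7AAC8
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\System32\drivers\afd.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
""".splitlines()

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for h in t.unattributed_hooks:
        print(f"UNATTRIBUTED {h.process} {h.symbol} -> {h.target}")
    print("escalate:", needs_escalation(t))
```

Run against the full log, the script leaves only the three Explorer.EXE hooks, the two modified drivers and the redirected atapi device object in the escalation list, which is what the verdict above rests on.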


Elise

I have run the Combofix application. It took a while and rebooted the machine twice. I hope this is correct.

The log file is as follows:

ComboFix 10-05-16.02 - Jonnie 17/05/2010 22:32:47.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.570 [GMT 1:00]

Running from: c:\documents and settings\Jonnie\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users.\documents\settings

c:\program files\INSTALL.LOG

c:\windows\system32\_004312_.tmp.dll

c:\windows\system32\_004313_.tmp.dll

c:\windows\system32\_004314_.tmp.dll

c:\windows\system32\_004315_.tmp.dll

c:\windows\system32\_004322_.tmp.dll

c:\windows\system32\_004323_.tmp.dll

c:\windows\system32\_004324_.tmp.dll

c:\windows\system32\_004325_.tmp.dll

c:\windows\system32\_004326_.tmp.dll

c:\windows\system32\_004327_.tmp.dll

c:\windows\system32\_004328_.tmp.dll

c:\windows\system32\_004329_.tmp.dll

c:\windows\system32\_004330_.tmp.dll

c:\windows\system32\_004331_.tmp.dll

c:\windows\system32\_004332_.tmp.dll

c:\windows\system32\_004333_.tmp.dll

c:\windows\system32\_004334_.tmp.dll

c:\windows\system32\_004335_.tmp.dll

c:\windows\system32\_004336_.tmp.dll

c:\windows\system32\_004338_.tmp.dll

c:\windows\system32\_004341_.tmp.dll

c:\windows\system32\_004342_.tmp.dll

c:\windows\system32\_004343_.tmp.dll

c:\windows\system32\_004344_.tmp.dll

c:\windows\system32\_004345_.tmp.dll

c:\windows\system32\_004346_.tmp.dll

c:\windows\system32\_004347_.tmp.dll

c:\windows\system32\_004348_.tmp.dll

c:\windows\system32\_004349_.tmp.dll

c:\windows\system32\_004350_.tmp.dll

c:\windows\system32\_004351_.tmp.dll

c:\windows\system32\_004352_.tmp.dll

c:\windows\system32\_004353_.tmp.dll

c:\windows\system32\_004354_.tmp.dll

c:\windows\system32\_004355_.tmp.dll

c:\windows\system32\_004356_.tmp.dll

c:\windows\system32\_004357_.tmp.dll

c:\windows\system32\_004358_.tmp.dll

c:\windows\system32\_004359_.tmp.dll

c:\windows\system32\_004360_.tmp.dll

c:\windows\system32\_004361_.tmp.dll

c:\windows\system32\_004362_.tmp.dll

c:\windows\system32\_004363_.tmp.dll

c:\windows\system32\_004364_.tmp.dll

c:\windows\system32\_004365_.tmp.dll

c:\windows\system32\_004366_.tmp.dll

c:\windows\system32\_004367_.tmp.dll

c:\windows\system32\_004368_.tmp.dll

c:\windows\system32\_004369_.tmp.dll

c:\windows\system32\_004370_.tmp.dll

c:\windows\system32\_004371_.tmp.dll

c:\windows\system32\_004372_.tmp.dll

c:\windows\system32\_004373_.tmp.dll

c:\windows\system32\_004374_.tmp.dll

c:\windows\system32\_004375_.tmp.dll

c:\windows\system32\_004376_.tmp.dll

c:\windows\system32\_004377_.tmp.dll

c:\windows\system32\_004378_.tmp.dll

c:\windows\system32\_004381_.tmp.dll

c:\windows\system32\_004382_.tmp.dll

c:\windows\system32\_004383_.tmp.dll

c:\windows\system32\_004384_.tmp.dll

c:\windows\system32\_004385_.tmp.dll

c:\windows\system32\_004386_.tmp.dll

c:\windows\system32\_004387_.tmp.dll

c:\windows\system32\_004389_.tmp.dll

c:\windows\system32\_004390_.tmp.dll

c:\windows\system32\_004391_.tmp.dll

c:\windows\system32\_004392_.tmp.dll

c:\windows\system32\_004394_.tmp.dll

c:\windows\system32\_004395_.tmp.dll

c:\windows\system32\_004396_.tmp.dll

c:\windows\system32\_004397_.tmp.dll

c:\windows\system32\_004399_.tmp.dll

c:\windows\system32\_004400_.tmp.dll

c:\windows\system32\_004401_.tmp.dll

c:\windows\system32\_004402_.tmp.dll

c:\windows\system32\_004403_.tmp.dll

c:\windows\system32\_004404_.tmp.dll

c:\windows\system32\_004405_.tmp.dll

c:\windows\system32\_004407_.tmp.dll

c:\windows\system32\_004408_.tmp.dll

c:\windows\system32\_004409_.tmp.dll

c:\windows\system32\_004410_.tmp.dll

c:\windows\system32\_004411_.tmp.dll

c:\windows\system32\_004412_.tmp.dll

c:\windows\system32\_004413_.tmp.dll

c:\windows\system32\_004414_.tmp.dll

c:\windows\system32\_004415_.tmp.dll

c:\windows\system32\_004416_.tmp.dll

c:\windows\system32\_004417_.tmp.dll

c:\windows\system32\_004418_.tmp.dll

c:\windows\system32\_004420_.tmp.dll

c:\windows\system32\_004421_.tmp.dll

c:\windows\system32\_004422_.tmp.dll

c:\windows\system32\_004423_.tmp.dll

c:\windows\system32\_004425_.tmp.dll

c:\windows\system32\_004427_.tmp.dll

c:\windows\system32\_004428_.tmp.dll

c:\windows\system32\_004429_.tmp.dll

c:\windows\system32\_004430_.tmp.dll

c:\windows\system32\_004431_.tmp.dll

c:\windows\system32\_004432_.tmp.dll

c:\windows\system32\_004433_.tmp.dll

c:\windows\system32\_004435_.tmp.dll

c:\windows\system32\_004436_.tmp.dll

c:\windows\system32\_004437_.tmp.dll

c:\windows\system32\_004438_.tmp.dll

c:\windows\system32\_004439_.tmp.dll

c:\windows\system32\_004440_.tmp.dll

c:\windows\system32\_004441_.tmp.dll

c:\windows\system32\_004442_.tmp.dll

c:\windows\system32\_004444_.tmp.dll

c:\windows\system32\_004445_.tmp.dll

c:\windows\system32\_004447_.tmp.dll

c:\windows\system32\_004449_.tmp.dll

c:\windows\system32\_004450_.tmp.dll

c:\windows\system32\_004454_.tmp.dll

c:\windows\system32\_004455_.tmp.dll

c:\windows\system32\_004457_.tmp.dll

c:\windows\system32\_004460_.tmp.dll

c:\windows\system32\_004462_.tmp.dll

c:\windows\system32\_004463_.tmp.dll

c:\windows\system32\_004464_.tmp.dll

c:\windows\system32\_004465_.tmp.dll

c:\windows\system32\_004468_.tmp.dll

c:\windows\system32\_004469_.tmp.dll

c:\windows\system32\_004470_.tmp.dll

c:\windows\system32\_004471_.tmp.dll

c:\windows\system32\_004472_.tmp.dll

c:\windows\system32\_004477_.tmp.dll

c:\windows\system32\_004479_.tmp.dll

c:\windows\system32\_004480_.tmp.dll

c:\windows\system32\_004726_.tmp.dll

c:\windows\system32\_004727_.tmp.dll

c:\windows\system32\_004728_.tmp.dll

c:\windows\system32\_004729_.tmp.dll

c:\windows\system32\_004736_.tmp.dll

c:\windows\system32\_004737_.tmp.dll

c:\windows\system32\_004738_.tmp.dll

c:\windows\system32\_004740_.tmp.dll

c:\windows\system32\_004741_.tmp.dll

c:\windows\system32\_004744_.tmp.dll

c:\windows\system32\_004745_.tmp.dll

c:\windows\system32\_004747_.tmp.dll

c:\windows\system32\_004748_.tmp.dll

c:\windows\system32\_004749_.tmp.dll

c:\windows\system32\_004751_.tmp.dll

c:\windows\system32\_004754_.tmp.dll

c:\windows\system32\_004755_.tmp.dll

c:\windows\system32\_004759_.tmp.dll

c:\windows\system32\_004760_.tmp.dll

c:\windows\system32\_004762_.tmp.dll

c:\windows\system32\_004765_.tmp.dll

c:\windows\system32\_004767_.tmp.dll

c:\windows\system32\_004768_.tmp.dll

c:\windows\system32\_004769_.tmp.dll

c:\windows\system32\_004770_.tmp.dll

c:\windows\system32\_004773_.tmp.dll

c:\windows\system32\_004774_.tmp.dll

c:\windows\system32\_004775_.tmp.dll

c:\windows\system32\_004776_.tmp.dll

c:\windows\system32\_004777_.tmp.dll

c:\windows\system32\_004782_.tmp.dll

c:\windows\system32\_004784_.tmp.dll

c:\windows\system32\_005311_.tmp.dll

c:\windows\system32\_005312_.tmp.dll

c:\windows\system32\_005313_.tmp.dll

c:\windows\system32\_005314_.tmp.dll

c:\windows\system32\_005321_.tmp.dll

c:\windows\system32\_005322_.tmp.dll

c:\windows\system32\_005323_.tmp.dll

c:\windows\system32\_005325_.tmp.dll

c:\windows\system32\_005326_.tmp.dll

c:\windows\system32\_005329_.tmp.dll

c:\windows\system32\_005330_.tmp.dll

c:\windows\system32\_005332_.tmp.dll

c:\windows\system32\_005333_.tmp.dll

c:\windows\system32\_005334_.tmp.dll

c:\windows\system32\_005336_.tmp.dll

c:\windows\system32\_005339_.tmp.dll

c:\windows\system32\_005340_.tmp.dll

c:\windows\system32\_005344_.tmp.dll

c:\windows\system32\_005345_.tmp.dll

c:\windows\system32\_005347_.tmp.dll

c:\windows\system32\_005350_.tmp.dll

c:\windows\system32\_005352_.tmp.dll

c:\windows\system32\_005353_.tmp.dll

c:\windows\system32\_005354_.tmp.dll

c:\windows\system32\_005355_.tmp.dll

c:\windows\system32\_005358_.tmp.dll

c:\windows\system32\_005359_.tmp.dll

c:\windows\system32\_005360_.tmp.dll

c:\windows\system32\_005361_.tmp.dll

c:\windows\system32\_005362_.tmp.dll

c:\windows\system32\_005367_.tmp.dll

c:\windows\system32\_005369_.tmp.dll

c:\windows\system32\_005370_.tmp.dll

c:\windows\system32\3937891741.dat

Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected

Restored copy from - Kitty had a snack :P

.

((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))

.

2010-05-17 20:44 . 2010-05-17 20:45 -------- d-----w- C:\32788R22FWJFW

2010-05-17 00:13 . 2010-05-17 00:13 -------- d-----w- c:\program files\Sophos

2010-05-14 07:38 . 2010-05-14 07:38 -------- d-----w- c:\program files\RegTweaker

2010-05-14 05:04 . 2010-05-14 05:10 -------- dc-h--w- c:\windows\ie8

2010-05-13 14:32 . 2010-05-13 14:32 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-05-13 14:04 . 2010-05-13 20:19 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-13 14:04 . 2010-05-13 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-13 14:03 . 2010-05-14 21:31 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-10 18:06 . 2004-08-04 12:00 57344 ----a-w- c:\windows\system32\dllcache\h323cc.dll

2010-05-10 18:05 . 2009-02-09 10:20 453120 ----a-w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-05-10 18:04 . 2006-07-21 08:24 72704 ----a-w- c:\windows\system32\dllcache\hlink.dll

2010-05-10 18:03 . 2005-05-04 13:45 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe

2010-05-10 18:02 . 2009-11-27 17:33 1291264 ----a-w- c:\windows\system32\dllcache\quartz.dll

2010-05-10 18:01 . 2004-08-04 12:00 378368 ----a-w- c:\windows\system32\dllcache\wzcdlg.dll

2010-05-10 18:00 . 2007-02-09 11:10 574464 ----a-w- c:\windows\system32\drivers\ntfs.sys

2010-05-08 07:45 . 2010-05-17 06:54 63488 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-08 07:45 . 2010-05-08 07:45 52224 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-08 07:45 . 2010-05-17 06:54 117760 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-08 07:44 . 2010-05-08 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-08 07:44 . 2010-05-16 11:01 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-08 07:44 . 2010-05-08 07:44 -------- d-----w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com

2010-05-04 15:12 . 2010-05-04 15:40 -------- d-----w- c:\program files\DiskInternals

2010-05-04 12:51 . 2010-05-04 12:51 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-04-28 16:40 . 2010-04-28 16:40 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-28 16:38 . 2010-04-28 16:38 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-20 18:16 . 2010-04-20 18:16 -------- d-----w- C:\$AVG

2010-04-20 18:13 . 2010-04-28 16:40 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-20 18:11 . 2010-04-20 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-15 20:38 . 2010-04-23 19:34 0 ----a-w- c:\documents and settings\All Users\Application Data\8bAxmrI.dat

2010-05-14 22:44 . 2008-02-26 11:45 -------- d-----w- c:\documents and settings\Jonnie\Application Data\SolidDocuments

2010-05-14 07:29 . 2010-01-06 20:43 -------- d-----w- c:\documents and settings\Jonnie\Application Data\Skype

2010-05-14 07:28 . 2010-01-06 20:46 -------- d-----w- c:\documents and settings\Jonnie\Application Data\skypePM

2010-05-13 12:58 . 2010-05-10 18:01 138368 ----a-w- c:\windows\system32\drivers\afd.sys

2010-05-08 07:43 . 2010-02-21 13:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-04 14:12 . 2009-09-03 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 14:39 . 2009-09-03 14:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-09-03 14:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 18:16 . 2005-08-17 21:29 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-27 17:59 . 2006-06-01 21:36 -------- d-----w- c:\program files\MySQL

2010-04-27 17:46 . 2005-08-13 11:01 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-04-27 17:42 . 2005-08-13 08:50 -------- d-----w- c:\program files\Hp

2010-04-27 17:42 . 2005-08-13 08:50 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-27 16:39 . 2005-12-08 07:35 -------- d-----w- c:\program files\Google

2010-04-27 16:38 . 2005-08-13 08:47 -------- d-----w- c:\program files\Easy Internet signup

2010-04-26 06:04 . 2005-08-13 08:53 -------- d-----w- c:\program files\QuickTime

2010-04-22 22:55 . 2010-04-13 20:53 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-20 18:15 . 2009-03-26 19:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-20 18:15 . 2009-03-26 19:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-04-20 18:15 . 2009-03-29 20:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-20 18:09 . 2008-08-17 05:55 -------- d-----w- c:\program files\AVG

2010-04-17 21:59 . 2007-06-29 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-17 21:27 . 2010-04-17 21:27 0 ----a-w- c:\windows\nsreg.dat

2010-04-17 01:37 . 2010-04-15 17:12 108687047 --sha-w- c:\windows\system32\12520437d.sys

2010-04-17 01:27 . 2010-04-16 05:11 0 ----a-w- c:\windows\system32\6to4svcx.sys

2010-04-13 23:44 . 2010-04-13 23:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-13 20:54 . 2010-04-13 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-13 20:53 . 2010-04-13 20:53 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-01 13:17 . 2010-04-01 13:17 2033664 ----a-w- c:\windows\system32\4a83422c.dll

2010-02-24 12:31 . 2010-05-10 18:01 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2004-03-11 12:27 . 2008-08-15 06:11 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

<pre>
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Comodo\Firewall\cfp .exe
c:\program files\Hitman Pro 3.5\HitmanPro35 .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay]

@="{b75ab0c8-03d5-4592-9821-a48d54d66b14}"

[HKEY_CLASSES_ROOT\CLSID\{b75ab0c8-03d5-4592-9821-a48d54d66b14}]

2006-08-11 14:51 69632 ----a-w- c:\windows\system32\MssShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Arovax Shield"="c:\program files\Arovax Shield\ArovaxShield.exe" [2006-12-27 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2010-04-26 1481984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-04-20 18:15 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/03/2009 20:38 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/04/2010 19:13 242896]

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [22/11/2007 22:37 79096]

R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [22/11/2007 22:37 23672]

R1 dtd;dtd;c:\program files\Arovax Shield\dtd.sys [12/12/2006 15:07 17536]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 68168]

R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [30/09/2004 13:16 143360]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [20/04/2010 19:13 308064]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/02/2009 00:23 566120]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/02/2009 00:23 566120]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [13/08/2005 09:38 200192]

S0 vxlbsxs;vxlbsxs; [x]

S2 BrowserProtectedStorage;Computer Browser BrowserProtectedStorage; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/02/2010 08:05 135664]

S2 helpsvcHidServ;Help and Support helpsvcHidServ; [x]

S2 HTTPFilterALG;HTTP SSL HTTPFilterALG; [x]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16.tmp --> c:\windows\system32\16.tmp [?]

.

Contents of the 'Scheduled Tasks' folder

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 07:04]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 07:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.msn.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.msn.com

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_230B703E03CA4CE3.dll/cmsidewiki.html

Trusted Zone: salvationarmy.org.uk\dominomail

Trusted Zone: salvationarmy.org.uk\sauki2

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab

FF - ProfilePath - c:\documents and settings\Jonnie\Application Data\Mozilla\Firefox\Profiles\ckrlfn2d.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

Notify-dimsntfy - (no file)

AddRemove-46a3e0d5 - c:\windows\system32\46a3e0d5.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-17 23:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\16.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,29,25,18,47,b0,c6,40,97,c6,b4,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a0,29,25,18,47,b0,c6,40,97,c6,b4,\

[HKEY_USERS\S-1-5-21-329068152-682003330-2045162316-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{457AB9B8-C6AB-7B7E-D0C6-22F5CF38D1F5}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2956)

c:\windows\system32\MssShellExt.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2010-05-17 23:44:17 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-17 22:44

Pre-Run: 7,118,262,272 bytes free

Post-Run: 7,105,204,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E5C9934B00D894AA9AFD0793906A4E89

Please would you indicate if we have now fixed the problem?

Many Thanks

Jonnie


Hi Jonnie,

The rootkit is gone, but we still have some other bad stuff there, so let's get rid of that first :)

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

RenV::
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Comodo\Firewall\cfp .exe
c:\program files\Hitman Pro 3.5\HitmanPro35 .exe
c:\program files\Microsoft Office\Office12\GrooveMonitor .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\Skype .exe
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

RegNull::
[HKEY_USERS\S-1-5-21-329068152-682003330-2045162316-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{457AB9B8-C6AB-7B7E-D0C6-22F5CF38D1F5}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

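The script Elise built above is assembled from three things that are visible in the ComboFix log Jonnie posted: the executables listed between the `<pre>` tags with a space before `.exe`, the service entries whose image path is printed as `[x]`, and the Security Center override values. The following Python script is an added example, not ComboFix's or the forum's own code: it picks those three patterns out of a log in this layout so a reader can triage a log of their own without scanning it by eye. The sample log lines are constructed from entries in this thread (not a complete log), the function names `triage` and `renv_block` are mine, and reading `[x]` as "no file on disk" and a non-zero override as "Security Center warnings suppressed" are my assumptions rather than anything the page states.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix's code)."""
import re
from typing import List, Tuple

# Constructed sample: a few lines in the ComboFix log layout seen in this
# thread, not a complete log. Raw string so the backslashes stay literal.
SAMPLE_LOG = r"""
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Comodo\Firewall\cfp .exe
</pre>

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [22/11/2007 22:37 79096]

S0 vxlbsxs;vxlbsxs; [x]

S2 BrowserProtectedStorage;Computer Browser BrowserProtectedStorage; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/02/2010 08:05 135664]
"""

# An executable path whose extension is separated from the name by whitespace,
# e.g. "cfp .exe"; ComboFix prints such entries between <pre> tags.
SPACED_EXT = re.compile(
    r"^(?P<path>[a-z]:\\.*\S)\s+\.(?P<ext>exe|dll|sys|scr|com)\s*$", re.IGNORECASE)

# A service/driver line: "<Start><Type> name;display;image [date size]".
SERVICE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")

# A registry value as REGEDIT4 prints it: "Name"=dword:XXXXXXXX
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-f]{8})$', re.IGNORECASE)

Finding = Tuple[str, str]  # (category, detail)


def triage(log_text: str) -> List[Finding]:
    """Return (category, detail) pairs for the three patterns described above."""
    findings: List[Finding] = []
    current_key = ""  # last "[...]" registry key seen, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = SPACED_EXT.match(line)
        if m:
            findings.append(("spaced-extension", line))
            continue
        m = SERVICE.match(line)
        # Assumption: "[x]" in the image column means ComboFix found no file.
        if m and m.group("image").strip() == "[x]":
            findings.append(("service-without-file", f"{m.group('start')} {m.group('name')}"))
            continue
        m = DWORD_VALUE.match(line)
        # Assumption: a non-zero *Override under the Security Center key
        # tells Windows not to warn about missing AV / firewall.
        if m and current_key.endswith("security center") and int(m.group("hex"), 16) != 0:
            findings.append(("security-center-override", m.group("name")))
    return findings


def renv_block(findings: List[Finding]) -> str:
    """Lay out the spaced-extension paths the way the helper's CFScript does.

    Assumption: the thread shows the helper copying ComboFix's <pre> list
    verbatim under a RenV:: heading; what ComboFix does with the directive
    is not described on the page and is not modelled here.
    """
    paths = [detail for cat, detail in findings if cat == "spaced-extension"]
    return "RenV::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
    print(renv_block(triage(SAMPLE_LOG)))
```

Run against a real ComboFix.txt by reading the file into `triage`; anything it does not recognise (the `EnableFirewall` line in the sample, the benign `cmdGuard` and `gupdate` services) is simply skipped, so the output is a short list to check by hand rather than a verdict.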

Elise

The ComboFix.txt file is listed below.

ComboFix 10-05-16.02 - Jonnie 18/05/2010 17:24:50.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.505 [GMT 1:00]

Running from: c:\documents and settings\Jonnie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jonnie\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))

.

2010-05-17 00:13 . 2010-05-17 00:13 -------- d-----w- c:\program files\Sophos

2010-05-14 07:38 . 2010-05-14 07:38 -------- d-----w- c:\program files\RegTweaker

2010-05-14 05:04 . 2010-05-14 05:10 -------- dc-h--w- c:\windows\ie8

2010-05-13 14:32 . 2010-05-13 14:32 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-05-13 14:04 . 2010-05-13 20:19 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-13 14:04 . 2010-05-13 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-13 14:03 . 2010-05-18 16:24 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-10 18:06 . 2004-08-04 12:00 57344 ----a-w- c:\windows\system32\dllcache\h323cc.dll

2010-05-10 18:05 . 2009-02-09 10:20 453120 ----a-w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-05-10 18:04 . 2006-07-21 08:24 72704 ----a-w- c:\windows\system32\dllcache\hlink.dll

2010-05-10 18:03 . 2005-05-04 13:45 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe

2010-05-10 18:02 . 2009-11-27 17:33 1291264 ----a-w- c:\windows\system32\dllcache\quartz.dll

2010-05-10 18:01 . 2004-08-04 12:00 378368 ----a-w- c:\windows\system32\dllcache\wzcdlg.dll

2010-05-10 18:00 . 2007-02-09 11:10 574464 ----a-w- c:\windows\system32\drivers\ntfs.sys

2010-05-08 07:44 . 2010-05-08 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-08 07:44 . 2010-05-18 16:24 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-08 07:44 . 2010-05-08 07:44 -------- d-----w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com

2010-05-04 15:12 . 2010-05-04 15:40 -------- d-----w- c:\program files\DiskInternals

2010-05-04 12:51 . 2010-05-04 12:51 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-04-20 18:16 . 2010-04-20 18:16 -------- d-----w- C:\$AVG

2010-04-20 18:13 . 2010-04-28 16:40 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-20 18:11 . 2010-04-20 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-18 16:24 . 2005-08-13 08:53 -------- d-----w- c:\program files\QuickTime

2010-05-17 06:54 . 2010-05-08 07:45 63488 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-17 06:54 . 2010-05-08 07:45 117760 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-15 20:38 . 2010-04-23 19:34 0 ----a-w- c:\documents and settings\All Users\Application Data\8bAxmrI.dat

2010-05-14 22:44 . 2008-02-26 11:45 -------- d-----w- c:\documents and settings\Jonnie\Application Data\SolidDocuments

2010-05-14 07:29 . 2010-01-06 20:43 -------- d-----w- c:\documents and settings\Jonnie\Application Data\Skype

2010-05-14 07:28 . 2010-01-06 20:46 -------- d-----w- c:\documents and settings\Jonnie\Application Data\skypePM

2010-05-13 12:58 . 2010-05-10 18:01 138368 ----a-w- c:\windows\system32\drivers\afd.sys

2010-05-08 07:45 . 2010-05-08 07:45 52224 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-08 07:43 . 2010-02-21 13:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-04 14:12 . 2009-09-03 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 14:39 . 2009-09-03 14:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-09-03 14:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 16:40 . 2010-04-28 16:40 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-28 16:38 . 2010-04-28 16:38 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-27 18:16 . 2005-08-17 21:29 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-27 17:59 . 2006-06-01 21:36 -------- d-----w- c:\program files\MySQL

2010-04-27 17:46 . 2005-08-13 11:01 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-04-27 17:42 . 2005-08-13 08:50 -------- d-----w- c:\program files\Hp

2010-04-27 17:42 . 2005-08-13 08:50 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-27 16:39 . 2005-12-08 07:35 -------- d-----w- c:\program files\Google

2010-04-27 16:38 . 2005-08-13 08:47 -------- d-----w- c:\program files\Easy Internet signup

2010-04-22 22:55 . 2010-04-13 20:53 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-20 18:15 . 2009-03-26 19:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-20 18:15 . 2009-03-26 19:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-04-20 18:15 . 2009-03-29 20:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-20 18:09 . 2008-08-17 05:55 -------- d-----w- c:\program files\AVG

2010-04-17 21:59 . 2007-06-29 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-17 21:27 . 2010-04-17 21:27 0 ----a-w- c:\windows\nsreg.dat

2010-04-17 01:37 . 2010-04-15 17:12 108687047 --sha-w- c:\windows\system32\12520437d.sys

2010-04-17 01:27 . 2010-04-16 05:11 0 ----a-w- c:\windows\system32\6to4svcx.sys

2010-04-13 23:44 . 2010-04-13 23:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-13 20:54 . 2010-04-13 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-13 20:53 . 2010-04-13 20:53 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-01 13:17 . 2010-04-01 13:17 2033664 ----a-w- c:\windows\system32\4a83422c.dll

2010-02-24 12:31 . 2010-05-10 18:01 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2004-03-11 12:27 . 2008-08-15 06:11 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

<pre>
c:\program files\Comodo\Firewall\cfp .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay]

@="{b75ab0c8-03d5-4592-9821-a48d54d66b14}"

[HKEY_CLASSES_ROOT\CLSID\{b75ab0c8-03d5-4592-9821-a48d54d66b14}]

2006-08-11 14:51 69632 ----a-w- c:\windows\system32\MssShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Arovax Shield"="c:\program files\Arovax Shield\ArovaxShield.exe" [2006-12-27 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2010-04-26 1481984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-04-20 18:15 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/03/2009 20:38 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/04/2010 19:13 242896]

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [22/11/2007 22:37 79096]

R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [22/11/2007 22:37 23672]

R1 dtd;dtd;c:\program files\Arovax Shield\dtd.sys [12/12/2006 15:07 17536]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 68168]

R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [30/09/2004 13:16 143360]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [20/04/2010 19:13 308064]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/02/2009 00:23 566120]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/02/2009 00:23 566120]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [13/08/2005 09:38 200192]

S0 vxlbsxs;vxlbsxs; [x]

S2 BrowserProtectedStorage;Computer Browser BrowserProtectedStorage; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/02/2010 08:05 135664]

S2 helpsvcHidServ;Help and Support helpsvcHidServ; [x]

S2 HTTPFilterALG;HTTP SSL HTTPFilterALG; [x]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16.tmp --> c:\windows\system32\16.tmp [?]

.

Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 07:04]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 07:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.msn.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.msn.com

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_230B703E03CA4CE3.dll/cmsidewiki.html

Trusted Zone: salvationarmy.org.uk\dominomail

Trusted Zone: salvationarmy.org.uk\sauki2

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab

FF - ProfilePath - c:\documents and settings\Jonnie\Application Data\Mozilla\Firefox\Profiles\ckrlfn2d.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-18 18:14

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\16.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4028)

c:\windows\system32\MssShellExt.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2010-05-18 18:22:42 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-18 17:22

ComboFix2.txt 2010-05-17 22:44

Pre-Run: 7,170,236,416 bytes free

Post-Run: 7,129,157,632 bytes free

- - End Of File - - 23FF13FB7AC0550CC289369C87FA080B

I look forward to hearing your reply

Many Thanks

Jonnie


Elise

The latest ComboFix.txt file is below.

ComboFix 10-05-16.02 - Jonnie 18/05/2010 22:59:56.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1022.544 [GMT 1:00]

Running from: c:\documents and settings\Jonnie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jonnie\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))

.

2010-05-18 21:56 . 2010-05-18 21:56 -------- d-----w- C:\32788R22FWJFW

2010-05-17 00:13 . 2010-05-17 00:13 -------- d-----w- c:\program files\Sophos

2010-05-14 07:38 . 2010-05-14 07:38 -------- d-----w- c:\program files\RegTweaker

2010-05-14 05:04 . 2010-05-14 05:10 -------- dc-h--w- c:\windows\ie8

2010-05-13 14:32 . 2010-05-13 14:32 12872 ----a-w- c:\windows\system32\bootdelete.exe

2010-05-13 14:04 . 2010-05-13 20:19 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-05-13 14:04 . 2010-05-13 14:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-05-13 14:03 . 2010-05-18 16:24 -------- d-----w- c:\program files\Hitman Pro 3.5

2010-05-10 18:06 . 2004-08-04 12:00 57344 ----a-w- c:\windows\system32\dllcache\h323cc.dll

2010-05-10 18:05 . 2009-02-09 10:20 453120 ----a-w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-05-10 18:04 . 2006-07-21 08:24 72704 ----a-w- c:\windows\system32\dllcache\hlink.dll

2010-05-10 18:03 . 2005-05-04 13:45 78848 ----a-w- c:\windows\system32\dllcache\msiexec.exe

2010-05-10 18:02 . 2009-11-27 17:33 1291264 ----a-w- c:\windows\system32\dllcache\quartz.dll

2010-05-10 18:01 . 2004-08-04 12:00 378368 ----a-w- c:\windows\system32\dllcache\wzcdlg.dll

2010-05-10 18:00 . 2007-02-09 11:10 574464 ----a-w- c:\windows\system32\drivers\ntfs.sys

2010-05-08 07:44 . 2010-05-08 07:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-08 07:44 . 2010-05-18 16:24 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-05-08 07:44 . 2010-05-08 07:44 -------- d-----w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com

2010-05-04 15:12 . 2010-05-04 15:40 -------- d-----w- c:\program files\DiskInternals

2010-05-04 12:51 . 2010-05-04 12:51 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE

2010-04-20 18:16 . 2010-04-20 18:16 -------- d-----w- C:\$AVG

2010-04-20 18:13 . 2010-04-28 16:40 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-04-20 18:11 . 2010-04-20 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-05-18 16:24 . 2005-08-13 08:53 -------- d-----w- c:\program files\QuickTime

2010-05-17 06:54 . 2010-05-08 07:45 63488 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-05-17 06:54 . 2010-05-08 07:45 117760 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-05-15 20:38 . 2010-04-23 19:34 0 ----a-w- c:\documents and settings\All Users\Application Data\8bAxmrI.dat

2010-05-14 22:44 . 2008-02-26 11:45 -------- d-----w- c:\documents and settings\Jonnie\Application Data\SolidDocuments

2010-05-14 07:29 . 2010-01-06 20:43 -------- d-----w- c:\documents and settings\Jonnie\Application Data\Skype

2010-05-14 07:28 . 2010-01-06 20:46 -------- d-----w- c:\documents and settings\Jonnie\Application Data\skypePM

2010-05-13 12:58 . 2010-05-10 18:01 138368 ----a-w- c:\windows\system32\drivers\afd.sys

2010-05-08 07:45 . 2010-05-08 07:45 52224 ----a-w- c:\documents and settings\Jonnie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-05-08 07:43 . 2010-02-21 13:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-05-04 14:12 . 2009-09-03 14:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-29 14:39 . 2009-09-03 14:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-09-03 14:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-28 16:40 . 2010-04-28 16:40 242696 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-28 16:38 . 2010-04-28 16:38 1689952 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-27 18:16 . 2005-08-17 21:29 -------- d-----w- c:\program files\Common Files\Adobe

2010-04-27 17:59 . 2006-06-01 21:36 -------- d-----w- c:\program files\MySQL

2010-04-27 17:46 . 2005-08-13 11:01 -------- d-----w- c:\program files\Microsoft ActiveSync

2010-04-27 17:42 . 2005-08-13 08:50 -------- d-----w- c:\program files\Hp

2010-04-27 17:42 . 2005-08-13 08:50 -------- d-----w- c:\program files\Hewlett-Packard

2010-04-27 16:39 . 2005-12-08 07:35 -------- d-----w- c:\program files\Google

2010-04-27 16:38 . 2005-08-13 08:47 -------- d-----w- c:\program files\Easy Internet signup

2010-04-22 22:55 . 2010-04-13 20:53 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-20 18:15 . 2009-03-26 19:38 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-04-20 18:15 . 2009-03-26 19:38 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-04-20 18:15 . 2009-03-29 20:25 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-04-20 18:09 . 2008-08-17 05:55 -------- d-----w- c:\program files\AVG

2010-04-17 21:59 . 2007-06-29 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-04-17 21:27 . 2010-04-17 21:27 0 ----a-w- c:\windows\nsreg.dat

2010-04-17 01:37 . 2010-04-15 17:12 108687047 --sha-w- c:\windows\system32\12520437d.sys

2010-04-17 01:27 . 2010-04-16 05:11 0 ----a-w- c:\windows\system32\6to4svcx.sys

2010-04-13 23:44 . 2010-04-13 23:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-04-13 20:54 . 2010-04-13 20:54 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-13 20:53 . 2010-04-13 20:53 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-04-01 13:17 . 2010-04-01 13:17 2033664 ----a-w- c:\windows\system32\4a83422c.dll

2010-02-24 12:31 . 2010-05-10 18:01 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2004-03-11 12:27 . 2008-08-15 06:11 40960 ----a-w- c:\program files\Uninstall_CDS.exe

.

<pre>
c:\program files\Comodo\Firewall\cfp .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MSSOverlay]

@="{b75ab0c8-03d5-4592-9821-a48d54d66b14}"

[HKEY_CLASSES_ROOT\CLSID\{b75ab0c8-03d5-4592-9821-a48d54d66b14}]

2006-08-11 14:51 69632 ----a-w- c:\windows\system32\MssShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Arovax Shield"="c:\program files\Arovax Shield\ArovaxShield.exe" [2006-12-27 1200128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

"COMODO Firewall Pro"="c:\program files\Comodo\Firewall\cfp.exe" [2010-04-26 1481984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-04-20 18:15 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/03/2009 20:38 216200]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/04/2010 19:13 242896]

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [22/11/2007 22:37 79096]

R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [22/11/2007 22:37 23672]

R1 dtd;dtd;c:\program files\Arovax Shield\dtd.sys [12/12/2006 15:07 17536]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [06/05/2010 17:10 68168]

R2 ANISERVICE;Airgo Networks NIC Service;c:\windows\system32\aniServ.exe [30/09/2004 13:16 143360]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [20/04/2010 19:13 308064]

R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/02/2009 00:23 566120]

R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [12/02/2009 00:23 566120]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [13/08/2005 09:38 200192]

S0 vxlbsxs;vxlbsxs; [x]

S2 BrowserProtectedStorage;Computer Browser BrowserProtectedStorage; [x]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/02/2010 08:05 135664]

S2 helpsvcHidServ;Help and Support helpsvcHidServ; [x]

S2 HTTPFilterALG;HTTP SSL HTTPFilterALG; [x]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\16.tmp --> c:\windows\system32\16.tmp [?]

.

Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 07:04]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 07:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.msn.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.msn.com

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_230B703E03CA4CE3.dll/cmsidewiki.html

Trusted Zone: salvationarmy.org.uk\dominomail

Trusted Zone: salvationarmy.org.uk\sauki2

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab

FF - ProfilePath - c:\documents and settings\Jonnie\Application Data\Mozilla\Firefox\Profiles\ckrlfn2d.default\

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-05-18 23:43

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\16.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\msv1_0.dll

- - - - - - - > 'explorer.exe'(3540)

c:\windows\system32\MssShellExt.dll

c:\program files\Windows Media Player\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\windows\system32\rundll32.exe

.

**************************************************************************

.

Completion time: 2010-05-18 23:51:49 - machine was rebooted

ComboFix-quarantined-files.txt 2010-05-18 22:51

ComboFix2.txt 2010-05-17 22:44

Pre-Run: 7,147,913,216 bytes free

Post-Run: 7,106,654,208 bytes free

- - End Of File - - CF0B257B5B5903FCE7E81C4960358280

Many Thanks

Jonnie


Hi Jonnie,

Apparently Comodo doesn't like us trying to replace "their" file. To get rid of this last Vundo file you will have to uninstall/reinstall Comodo Firewall.

When done, please proceed with the following.

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

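The "cfp .exe" entry that ComboFix printed between the <pre> tags, and that Elise attributes to Vundo, is a companion-file trick: a second binary dropped into the vendor's own directory whose name differs from the real one only by a space before the extension, so it inherits the vendor's name in any listing. The Python script below is an added example written for this page, not code from the thread or from ComboFix, Comodo or any other tool mentioned in it. It walks a directory tree, reports every executable-type file whose stem ends in whitespace, and pairs each hit with the legitimate sibling it shadows. The sample tree it builds under a temporary directory is constructed to mirror the paths in the log and is an assumption; point find_space_companions at C:\Program Files to run it for real.

```python
r"""Find companion executables whose name has whitespace before the extension.

Added example, not from the forum thread. ComboFix flagged
c:\program files\Comodo\Firewall\cfp .exe: a file placed next to the real
cfp.exe that differs only by a space before ".exe". This walks a tree and
reports every such file together with the legitimate sibling it shadows.
"""
import os
import tempfile
from pathlib import Path

# Extensions Windows will load or execute; a trailing space in the stem of
# any of these is never produced by a normal installer.
SUSPECT_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl"}


def find_space_companions(root):
    """Return sorted (suspect_path, sibling_path_or_None) pairs under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            stem, ext = os.path.splitext(name)          # "cfp .exe" -> ("cfp ", ".exe")
            if ext.lower() not in SUSPECT_EXTS:
                continue
            if stem != stem.rstrip():                    # whitespace right before the dot
                clean = stem.rstrip() + ext              # the name it is imitating
                sibling = os.path.join(dirpath, clean) if clean in present else None
                hits.append((os.path.join(dirpath, name), sibling))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (assumption) mirroring the layout seen in the log."""
    root = tempfile.mkdtemp(prefix="programfiles_")
    fw = Path(root, "Comodo", "Firewall")
    fw.mkdir(parents=True)
    (fw / "cfp.exe").write_bytes(b"MZ legitimate firewall binary")
    (fw / "cfp .exe").write_bytes(b"MZ companion dropped by malware")
    avg = Path(root, "AVG", "AVG9")
    avg.mkdir(parents=True)
    (avg / "avgwdsvc.exe").write_bytes(b"MZ legitimate")
    (avg / "notes .txt").write_text("not an executable type, must be ignored")
    return root


if __name__ == "__main__":
    for suspect, sibling in find_space_companions(build_sample_tree()):
        print(f"suspect: {suspect}")
        print(f"  shadows: {sibling or '(no legitimate sibling)'}")
```

The sibling pairing is what makes the report actionable: a hit with a legitimate sibling is the Vundo pattern from the log, while a lone hit still deserves a look but may just be a sloppy installer.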

Elise

All instructions followed. The registry entry which started all this was found by Malwarebytes and deleted but I have just checked regedit and the entry is still there. The Malwarebytes log is as follows:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4117

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

19/05/2010 19:56:29

mbam-log-2010-05-19 (19-56-29).txt

Scan type: Full scan (C:\|)

Objects scanned: 202129

Time elapsed: 1 hour(s), 14 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Regards

Jonnie


Hello again,

OTL FIX

------------

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"
    :otl
    O37 - HKU\.DEFAULT\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found
    O37 - HKU\S-1-5-18\...exe [@ = secfile] -- "C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "%1" %* File not found

    :commands
    [emptytemp]


  3. Push runFixbutton.png
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click btnOK.png.
  6. A report will open. Copy and Paste that report in your next reply.

After the reboot, please rerun an MBAM quick scan and see if secfile is still being detected.
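As an added check that is not part of the thread and not OTL's or Malwarebytes' code: a PowerShell script that audits the .exe file association in HKLM and in every loaded user hive for the secfile hijack the fix above removes, and with -Repair performs the same three registry changes the OTL fix made. It assumes PowerShell is installed on the machine and is run from an elevated prompt; the expected values exefile and "%1" %* are the stock Windows ones. Running it again after the reboot shows whether the association stayed fixed or was put back.

```powershell
# Added example (not from the thread, OTL or Malwarebytes): audit the .exe
# association per hive and flag the secfile hijack. -Repair repeats what the
# OTL fix did: delete the per-user .exe override and secfile class, and point
# HKLM\SOFTWARE\Classes\.exe back at exefile. Run from an elevated prompt.
param([switch]$Repair)

$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'     # stock value of exefile\shell\open\command

# HKEY_USERS is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-DefaultValue([string]$Key) {
    if (Test-Path -LiteralPath $Key) { (Get-Item -LiteralPath $Key).GetValue('') } else { $null }
}

function Get-ExeAssociation([string]$Classes) {
    # $Classes is a ...\Software\Classes path. HKCR is only the merged view of
    # the HKLM copy and the current user's copy, and the per-user entry wins,
    # which is why a hijack can survive a fix applied to one hive alone.
    $progId = Get-DefaultValue (Join-Path $Classes '.exe')
    $cmd    = if ($progId) { Get-DefaultValue (Join-Path $Classes "$progId\shell\open\command") }
    [pscustomobject]@{
        Hive       = $Classes
        ProgId     = $progId
        Command    = $cmd
        HasSecfile = Test-Path -LiteralPath (Join-Path $Classes 'secfile')
        Hijacked   = ($progId -and $progId -ne $ExpectedProgId) -or
                     ($cmd -and $cmd -ne $ExpectedCommand)
    }
}

# Machine hive plus every loaded user hive (.DEFAULT, S-1-5-18, user SIDs, ...).
$hives = @('HKLM:\SOFTWARE\Classes') +
         (Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -notmatch '_Classes$' } |
          ForEach-Object { "HKU:\$($_.PSChildName)\Software\Classes" })

$results = foreach ($h in $hives) {
    if (Test-Path -LiteralPath $h) { Get-ExeAssociation $h }
}
$results | Format-Table -AutoSize

foreach ($r in $results | Where-Object { $_.Hijacked -or $_.HasSecfile }) {
    Write-Warning "Suspicious .exe association in $($r.Hive): ProgId=$($r.ProgId) Command=$($r.Command)"
    if (-not $Repair) { continue }
    if ($r.Hive -like 'HKU:*') {
        # Per-user override of .exe plus the rogue class: remove both, as OTL did.
        foreach ($sub in '.exe', 'secfile') {
            $k = Join-Path $r.Hive $sub
            if (Test-Path -LiteralPath $k) { Remove-Item -LiteralPath $k -Recurse -Force }
        }
    } else {
        # Machine-wide association: point .exe back at the stock exefile class.
        Set-ItemProperty -LiteralPath (Join-Path $r.Hive '.exe') -Name '(default)' -Value $ExpectedProgId
    }
}
```

Without -Repair the script only reports, so it can be run before the fix, after it, and after the reboot to compare.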


Hello Elise

The OTL produced the following log:

All processes killed

========== OTL ==========

Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.

Registry key HKEY_USERS\.DEFAULT\Software\Classes\secfile\ deleted successfully.

HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!

Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.

Registry key HKEY_USERS\S-1-5-18\Software\Classes\secfile\ not found.

HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Jonnie

->Temp folder emptied: 1903808 bytes

->Temporary Internet Files folder emptied: 727969 bytes

->Java cache emptied: 3611386 bytes

->FireFox cache emptied: 56061239 bytes

->Flash cache emptied: 908 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 112094 bytes

->Java cache emptied: 12627 bytes

->Flash cache emptied: 10770 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 8462496 bytes

%systemroot%\System32 .tmp files removed: 345677388 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 583 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 117302 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 398.00 mb

OTL by OldTimer - Version 3.2.4.1 log created on 05202010_180343

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Malwarebytes found the ave.exe file in the registry again. I instructed it to remove it. The log is as follows:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4117

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

20/05/2010 18:27:23

mbam-log-2010-05-20 (18-27-23).txt

Scan type: Quick scan

Objects scanned: 129926

Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

An inspection through regedit shows that the entry is still in the registry.

Sorry to be such a pain.

Many Thanks

Jonnie


Persistent little one is it :)

Do you have other user accounts than the one you are using now? If so, please access them and scan with MBAM.

Also, please rerun OTL, make sure under "extra registry" Use Safelist is checked and rescan.

This will also create extra.txt. Please post that in your next reply (do not attach it, please, just paste it in the reply box).


Elise

Ok. There is another user called Guest but it is turned off. Do I need to turn it on and then run a scan?

Extra file below:

Extras

OTL Extras logfile created on: 20/05/2010 22:02:37 - Run 3

OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Jonnie\Desktop

Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 345.00 Mb Available Physical Memory | 34.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 6.75 Gb Free Space | 9.06% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: JONNIECOMPAQ

Current User Name: Jonnie

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-329068152-682003330-2045162316-1004\SOFTWARE\Classes\<extension>]

.exe [@ = exefile] -- Reg Error: Key error. File not found

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [browse with XnView] -- "C:\Program Files\XnView\xnview.exe" "%1" (XnView, http://www.xnview.com)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusOverride" = 1

"FirewallOverride" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DisableNotifications" = 1

"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)

"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe" = C:\Program Files\LucasArts\Star Wars Empire at War\GameData\sweaw.exe:*:Enabled:Star Wars: Empire at War -- (Lucasfilm Entertainment Company, Ltd.)



Hi Jonnie,

Can you please rerun MBAM, but now before running the quick scan, make sure that Comodo is turned off.

Besides the firewall, Comodo also has an inbuilt feature that protects the registry, and it is possible this undoes MBAM's changes.

You can also manually change your settings in Comodo to disable the registry protection feature.

Please disable Comodo, run MBAM, reboot and after the reboot, verify with another quick scan if the detection came back.
