Jump to content

Malware infection - need assistance please

bubhead

By bubhead
in Resolved Malware Removal Logs

 Share

Recommended Posts

bubhead

bubhead

Posted
  • Author
Posted

Here's the log from RKUnhooker (it looked like it found lots of stuff but I only scanned, not unhooked):

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #1

==============================================

>Drivers

==============================================

0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3747840 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 61.21 )

0xB95B2000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2318336 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0xB981F000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 2207744 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 61.21 )

0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2189952 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2189952 bytes

0x804D7000 RAW 2189952 bytes

0x804D7000 WMIxWDM 2189952 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF7B3A000 pctEFA.sys 675840 bytes (PC Tools, PC Tools Extended File Attributes)

0xBA773000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xB5CC3000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 503808 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)

0xB7DE9000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)

0xB7E80000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB9317000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xB8060000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xF7840000 pctDS.sys 356352 bytes (PC Tools, PC Tools Data Store)

0xB5BF4000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xB5613000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xF742B000 PCTCore.sys 249856 bytes (PC Tools, PC Tools KDS Core Driver)

0xB7FB5000 C:\WINDOWS\system32\Drivers\vmm.sys 241664 bytes (Microsoft Corporation, Virtual Machine Monitor)

0xBA711000 timntr.sys 217088 bytes (Acronis, TrueImage Backup Archive Explorer)

0xB6BCE000 C:\WINDOWS\system32\DRIVERS\CtxSbx.sys 196608 bytes (Citrix Systems, Inc., Citrix Application Isolation Environment Driver)

0xB94D2000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF7588000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xB5FA9000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xBA746000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xB47E3000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xB7F18000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB8038000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF7492000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xB8012000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xB6116000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xB958E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB956A000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB97E8000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xB7FF0000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xB7F93000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)

0x806EE000 ACPI_HAL 131840 bytes

0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF75B6000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF74B8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xB7E64000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 114688 bytes (Avira GmbH, Avira Driver for RootKit Detection)

0xB953B000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 110592 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)

0xBA642000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF747A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF7414000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB9524000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xBA6FC000 snapman.sys 86016 bytes (Acronis, Acronis Snapshot API)

0xB5F6C000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB6BBA000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 81920 bytes (Avira GmbH, Avira Minifilter Driver)

0xB9556000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xB980B000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xB818C000 C:\WINDOWS\system32\DRIVERS\ComcastSecureBackupShare.sys 77824 bytes (Mozy, Inc., Mozy Change Monitor Filter Driver)

0xB80B9000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xF7401000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF7468000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xB9502000 C:\WINDOWS\system32\DRIVERS\net6im51.sys 69632 bytes (Citrix Systems, Inc., Citrix Secure Access Driver)

0xF7577000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xB9513000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF76F7000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xBA6CC000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xBA69C000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xBA6AC000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xBA6BC000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xB6F91000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xBA034000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xBA68C000 C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys 61440 bytes (Microsoft Corporation, Virtual Machine Network Services Driver)

0xF7637000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xBA67C000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF76D7000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)

0xF7647000 PxHelp20.sys 49152 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xBA65C000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF7657000 sisidex.sys 49152 bytes (Windows ® 2000 DDK provider, SISIDEX Driver)

0xF76C7000 C:\WINDOWS\system32\DRIVERS\cdfdrv.sys 45056 bytes (Citrix Systems, Inc., Trace Kernel Mode Driver)

0xB9FF4000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xBA6DC000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xBA66C000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xBA074000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF7667000 SISAGPX.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS AGPv3.5 Filter)

0xBA084000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF76B7000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xBA6EC000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xF7697000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xBA014000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xB5884000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF76A7000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF77D7000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF7757000 C:\WINDOWS\System32\DRIVERS\sisnicxp.sys 32768 bytes (SiS Corporation, SiS PCI Fast Ethernet Adapter Driver)

0xF781F000 C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 32768 bytes (Acronis, TrueImage File System Filter)

0xF77EF000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xF774F000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF775F000 C:\WINDOWS\System32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF77BF000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xF77F7000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)

0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF773F000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)

0xF777F000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF7787000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF77FF000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)

0xF77E7000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)

0xF77DF000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)

0xF77C7000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF7807000 C:\WINDOWS\System32\Drivers\ASPI32.SYS 20480 bytes (Adaptec, ASPI for WIN32 Kernel Driver)

0xF77AF000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)

0xF77CF000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF776F000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF7777000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF7767000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF7747000 C:\WINDOWS\System32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF780F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xB6C96000 C:\WINDOWS\system32\DRIVERS\ctxpidmn.sys 16384 bytes (Citrix Systems, Inc., Citrix Process Notification Driver)

0xB8213000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xBA5FE000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xB6ACA000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xBA59E000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xB81BB000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xBA5AE000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xB820F000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xBA59A000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xBA5A6000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)

0xBA5CE000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF789B000 sisperf.sys 12288 bytes (Silicon Integrated Systems Corp., SiS Filter Driver)

0xBA5CA000 C:\WINDOWS\System32\DRIVERS\srvkp.sys 12288 bytes (Silicon Integrated Systems Corporation, SiS VGA Driver Manager)

0xF79D9000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)

0xF79CF000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF798B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)

0xF79CD000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF79D1000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF79AF000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xF79D3000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF79C9000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF79CB000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7A78000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xB81E4000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 4096 bytes (Sonic Solutions, CDR4 CD and DVD Place Holder Driver (see PxHelp))

0xB81E3000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 4096 bytes (Sonic Solutions, CDRAL Place Holder Driver (see PxHelp))

0xB9A3A000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7A51000 giveio.sys 4096 bytes

0xBA45B000 C:\WINDOWS\system32\mbmiodrvr.sys 4096 bytes (cansoft@livewiredev.com, MBMIO Driver)

0xB81E1000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

0xF7A50000 siside.sys 4096 bytes (Silicon Integrated Systems Corp., SiS PCI Mini IDE Driver)

==============================================

>Stealth

==============================================

0x03F10000 Hidden Image-->LimelightDownloadManager.dll [ EPROCESS 0x89390DA0 ] PID: 2080, 102400 bytes

0x05B20000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 1077248 bytes

0x05AC0000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 126976 bytes

0x03DB0000 Hidden Image-->ADVWindowsClientDll.dll [ EPROCESS 0x89390DA0 ] PID: 2080, 143360 bytes

0x03820000 Hidden Image-->System.XML.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 2060288 bytes

0x04C50000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 266240 bytes

0x049A0000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 270336 bytes

0x05ED0000 Hidden Image-->log4net.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 282624 bytes

0x05660000 Hidden Image-->Interop.MSNETOBJLib.dll [ EPROCESS 0x89390DA0 ] PID: 2080, 28672 bytes

0x04670000 Hidden Image-->System.Data.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 2961408 bytes

0x04ED0000 Hidden Image-->Interop.WMPLib.dll [ EPROCESS 0x89390DA0 ] PID: 2080, 299008 bytes

0x051A0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 307200 bytes

0x03A50000 Hidden Image-->System.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 3190784 bytes

0x06A20000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 421888 bytes

0x037B0000 Hidden Image-->System.configuration.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 438272 bytes

0x01510000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 471040 bytes

0x03E90000 Hidden Image-->ADVWindowsClientAppRoot.dll [ EPROCESS 0x89390DA0 ] PID: 2080, 471040 bytes

0x04A90000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 479232 bytes

0x06520000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 479232 bytes

0x053F0000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 5033984 bytes

0x01480000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 53248 bytes

0x05950000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 634880 bytes

0x014C0000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 77824 bytes

0x045A0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x88AA04C8 ] PID: 340, 778240 bytes

0x03720000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x88AA04C8 ] PID: 340, 86016 bytes

0x06380000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x88AA04C8 ] PID: 340, 872448 bytes

==============================================

>Files

==============================================

==============================================

>Hooks

==============================================

ntoskrnl.exe+0x00004AA2, Type: Inline - RelativeJump 0x804DBAA2-->804DBAA9 [ntoskrnl.exe]

[1096]spoolsv.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1096]spoolsv.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1096]spoolsv.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1096]spoolsv.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1096]spoolsv.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1096]spoolsv.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1096]spoolsv.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1096]spoolsv.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1148]sched.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1148]sched.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1148]sched.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1148]sched.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1148]sched.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1148]sched.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1148]sched.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1148]sched.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1388]avguard.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1388]avguard.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1388]avguard.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1388]avguard.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1388]avguard.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1388]avguard.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1388]avguard.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1388]avguard.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1416]winlogon.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1416]winlogon.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1416]winlogon.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1416]winlogon.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1416]winlogon.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1416]winlogon.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1416]winlogon.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1416]winlogon.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1444]AppleMobileDeviceService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1468]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1468]services.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1468]services.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1468]services.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1468]services.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1468]services.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1468]services.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1468]services.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1480]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1480]lsass.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1480]lsass.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1480]lsass.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1480]lsass.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1480]lsass.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1480]lsass.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1480]lsass.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1672]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1672]svchost.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1672]svchost.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1672]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1672]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1672]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1672]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1672]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1780]mDNSResponder.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1872]LSSrvc.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1924]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1924]svchost.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1924]svchost.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1924]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1924]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1924]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1924]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1924]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1960]defragActivityMonitor.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[1964]HPZipm12.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2008]ComcastSecureBackupSharebackup.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2028]avgnt.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2028]avgnt.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2028]avgnt.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2028]avgnt.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2028]avgnt.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2028]avgnt.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2028]avgnt.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2028]avgnt.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2080]ADVWindowsClientService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[208]aDefragService.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[208]aDefragService.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[208]aDefragService.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[208]aDefragService.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[208]aDefragService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[208]aDefragService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[208]aDefragService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[208]aDefragService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2408]CLIPMT45.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2416]ComcastSecureBackupSharestat.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2500]hpwuschd2.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2564]CALMAIN.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2592]iTunesHelper.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2780]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2780]svchost.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2780]svchost.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2780]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2780]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2780]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2780]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2780]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2868]aDefragCtrl.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[2884]dpupdchk.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[3104]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[3104]svchost.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[3104]svchost.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[3104]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[3104]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[3104]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[3104]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[3104]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[340]IntuitUpdateService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[3820]iPodService.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[3820]iPodService.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[3820]iPodService.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[3820]iPodService.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[3820]iPodService.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[3820]iPodService.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[3820]iPodService.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[3820]iPodService.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[4080]ipoint.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[4080]ipoint.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[4080]ipoint.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[4080]ipoint.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[4080]ipoint.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[4080]ipoint.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[4080]ipoint.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[4080]ipoint.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[420]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[420]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[420]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[420]explorer.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[420]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]

[420]explorer.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[420]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[420]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]

[420]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->00000000 [shimeng.dll]

[420]explorer.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[420]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00000000 [shimeng.dll]

[420]explorer.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[420]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[420]explorer.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[420]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[548]CTSVCCDA.EXE-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[648]nsverctl.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[648]nsverctl.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[648]nsverctl.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[648]nsverctl.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[648]nsverctl.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[648]nsverctl.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[648]nsverctl.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[648]nsverctl.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[692]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[692]svchost.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[692]svchost.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[692]svchost.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[692]svchost.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[692]svchost.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[692]svchost.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[692]svchost.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[724]nvsvc32.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[780]cvpnd.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[780]cvpnd.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[780]cvpnd.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[780]cvpnd.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[780]cvpnd.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[780]cvpnd.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[780]cvpnd.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[780]cvpnd.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[820]IoctlSvc.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

[920]aawservice.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[920]aawservice.exe-->kernel32.dll-->ExitProcess, Type: Inline - RelativeJump 0x7C81CB12-->00000000 [unknown_code_page]

[920]aawservice.exe-->ntdll.dll-->NtOpenKey, Type: Inline - RelativeJump 0x7C90D5CE-->00000000 [unknown_code_page]

[920]aawservice.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump 0x71AB4A07-->00000000 [unknown_code_page]

[920]aawservice.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump 0x71AB676F-->00000000 [unknown_code_page]

[920]aawservice.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71AB4C27-->00000000 [unknown_code_page]

[920]aawservice.exe-->ws2_32.dll-->WSARecv, Type: Inline - RelativeJump 0x71AB4CB5-->00000000 [unknown_code_page]

[920]aawservice.exe-->ws2_32.dll-->WSASend, Type: Inline - RelativeJump 0x71AB68FA-->00000000 [unknown_code_page]

Alan

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Hi Alan,

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    ws2_32.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Here's the log from SystemLook:

SystemLook 04.09.10 by jpshortstuff

Log created at 19:08 on 29/09/2010 by Alan Brown

Administrator - Elevation successful

========== filefind ==========

Searching for "ws2_32.dll"

C:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll -----c- 82944 bytes [01:15 31/08/2008] [05:56 04/08/2004] 2ED0B7F12A60F90092081C50FA0EC2B2

C:\WINDOWS\ERDNT\cache\ws2_32.dll --a---- 82432 bytes [23:57 11/09/2010] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A

C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll ------- 82432 bytes [00:32 03/05/2006] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A

C:\WINDOWS\system32\ws2_32.dll --a---- 82432 bytes [12:00 23/08/2001] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A

C:\WINDOWS\system32\dllcache\ws2_32.dll --a--c- 82432 bytes [12:00 23/08/2001] [00:12 14/04/2008] 2CCC474EB85CEAA3E1FA1726580A3E5A

-= EOF =-

==============================

Are we getting any closer?

Thanks,

Alan

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Hi Alan,

We're trying. Your symptoms are a bit baffling considering what the logs are showing. Please uninstall all of the PCTools software for now and we'll do some more checking.

After you have completely removed it then run a new DDS scan and post back those logs.

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=-

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
    When the scan completes Notepad will open with with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

Also run the following.

Download kateskiller.zip onto your Desktop and extract all files.

Click Start>Run and copy/paste the following text in the box below, into the Run box and click OK:

"%userprofile%\Desktop\kateskiller.exe" -l "%userprofile%\Desktop\kates.log" -y

A black DOS window will open - follow the prompts.

When completed, a log called kates.log should be created on your Desktop. Please post the contents in your next reply.

Then, also run REGEDIT and browse to the following key and tell me what is set for AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Thanks

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Here's the DDS log. The other is attached.

Alan

DDS (Ver_10-03-17.01) - NTFSx86

Run by Alan Brown at 19:23:08.71 on Thu 09/30/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.723 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\Explorer.EXE

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\TrojanHunter 5.1\THGuard.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\NoAds\NoAds.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe

C:\Program Files\SecureBackupShare\ComcastSecureBackupSharestat.exe

C:\Program Files\clipmt40\CLIPMT45.exe

svchost.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\SecureBackupShare\ComcastSecureBackupSharebackup.exe

C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\defragActivityMonitor.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Concentra\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Citrix\Secure Access Client\nsverctl.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\System32\svchost.exe -k netsvcs

c:\program files\avira\antivir desktop\avcenter.exe

C:\Documents and Settings\Alan Brown\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/index.html

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Freecause Toolbar BHO: {614bda1f-9bef-4cd1-bde4-fa4804929b4a} - c:\program files\mypoints toolbar 2.0\Toolbar.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: SnapShotsHelper Class: {bb81c3db-2dea-4ae9-96b3-13e6661ff03b} - c:\program files\snap shots\snapbar.dll

TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File

TB: Snap Shots: {8cd8ea48-d284-477e-b6df-85d1e39d855f} - c:\program files\snap shots\snapbar.dll

TB: MyPoints Point Finder: {89a2510a-b4b6-4683-bec9-1b96700bc7f1} - c:\program files\mypoints toolbar 2.0\Toolbar.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

TB: {E92BEFBA-E79D-4F41-9733-68DA49C4492B} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

uRun: [NoAds] "c:\program files\noads\NoAds.exe"

uRun: [com.codeode.cactusspamfilter] "c:\program files\cactus spam filter 2.13\cactusspamfilter.exe" -minimized

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [THGuard] "c:\program files\trojanhunter 5.1\THGuard.exe"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\alanbr~1\startm~1\programs\startup\clipmate 4.5.lnk - c:\program files\clipmt40\CLIPMT45.exe

StartupFolder: c:\docume~1\alanbr~1\startm~1\programs\startup\desktop weather authority.lnk - c:\program files\common files\desktop weather authority\TrueWeather.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ashampoo magical defrag.lnk - c:\program files\ashampoo\ashampoo magical defrag\bin\aDefragCtrl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secure backup and share status.lnk - c:\program files\securebackupshare\ComcastSecureBackupSharestat.exe

uPolicies-explorer: NoFileAssociate = 0 (0x0)

mPolicies-explorer: NoFileAssociate = 0 (0x0)

IE:

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

Trusted Zone: cvtyapps.com\webapps-pdc

Trusted Zone: intuit.com\ttlc

Trusted Zone: taxactonline.com\www

Trusted Zone: turbotax.com

DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://webapps.cvty.com/epa/nsepa.ocx

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab

DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {36299202-09EF-4ABF-ADB9-47C599DBE779} - hxxps://admin.na3.acrobat.com/_a759220994/validator/default/LTAWvalidation.cab

DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab

DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146795585671

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://coventry.webex.com/client/wbs26-vzbprodcn/webex/ieatgpc.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alanbr~1\applic~1\mozilla\firefox\profiles\7lulsbu2.default\

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com

FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=

FF - component: c:\documents and settings\alan brown\application data\mozilla\firefox\profiles\7lulsbu2.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll

FF - component: c:\documents and settings\alan brown\application data\mozilla\firefox\profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - component: c:\documents and settings\alan brown\application data\mozilla\firefox\profiles\7lulsbu2.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll

FF - plugin: c:\documents and settings\alan brown\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\alan brown\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\alan brown\application data\mozilla\firefox\profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npbrowster.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPCIG.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.03.13c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-16 11608]

R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [2008-7-27 27672]

R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\drivers\ComcastSecureBackupShare.sys [2010-3-13 54776]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-16 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-16 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-16 56816]

R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\securebackupshare\ComcastSecureBackupSharebackup.exe [2010-2-9 45896]

R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [2008-8-16 22808]

R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [2008-8-16 185880]

R2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2009-3-27 135168]

R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [2009-3-27 73368]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2008-10-4 8704]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2008-10-4 3072]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [2007-1-14 39048]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-4 189792]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [2004-11-26 13696]

=============== Created Last 30 ================

2010-09-15 01:08:14 0 ----a-w- c:\documents and settings\alan brown\defogger_reenable

2010-09-15 01:05:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-15 01:05:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-13 19:12:44 767952 ----a-w- c:\windows\BDTSupport.dll

2010-09-13 19:12:43 882 ----a-w- c:\windows\RegSDImport.xml

2010-09-13 19:12:43 879 ----a-w- c:\windows\RegISSImport.xml

2010-09-13 19:12:43 739280 ----a-w- c:\windows\PCTBDRes.dll

2010-09-13 19:12:43 2074 ----a-w- c:\windows\UDB.zip

2010-09-13 19:12:43 1865680 ----a-w- c:\windows\PCTBDCore.dll

2010-09-13 19:12:43 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-09-13 19:12:43 131 ----a-w- c:\windows\IDB.zip

2010-09-13 19:11:10 728218 ----a-w- c:\windows\system32\drivers\Cat.DB

2010-09-13 19:10:28 0 d-----w- c:\program files\PC Tools Security

2010-09-13 19:10:28 0 d-----w- c:\program files\common files\PC Tools

2010-09-12 17:18:47 0 d-----w- c:\documents and settings\alan brown\DoctorWeb

2010-09-11 23:44:09 0 d-sha-r- C:\cmdcons

2010-09-11 23:28:25 98816 ----a-w- c:\windows\sed.exe

2010-09-11 23:28:25 77312 ----a-w- c:\windows\MBR.exe

2010-09-11 23:28:25 256512 ----a-w- c:\windows\PEV.exe

2010-09-11 23:28:25 161792 ----a-w- c:\windows\SWREG.exe

2010-09-11 15:21:03 0 d-----w- c:\program files\Cactus Spam Filter 3.01

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2008-08-31 02:59:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 19:24:46.45 ===============

Attach.zip

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Here is the Combofix log:

ComboFix 10-09-27.05 - Alan Brown 09/30/2010 19:31:40.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.713 [GMT -5:00]

Running from: c:\documents and settings\Alan Brown\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Alan Brown\Desktop\CFscript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))

.

2010-09-16 03:39 . 2010-09-09 01:45 615568 ----a-w- c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-09-16 03:39 . 2010-09-09 01:45 640264 ----a-w- c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-09-15 01:05 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-15 01:05 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-13 19:12 . 2010-08-30 18:57 767952 ----a-w- c:\windows\BDTSupport.dll

2010-09-13 19:12 . 2010-09-02 20:00 739280 ----a-w- c:\windows\PCTBDRes.dll

2010-09-13 19:12 . 2010-09-02 20:00 1865680 ----a-w- c:\windows\PCTBDCore.dll

2010-09-13 19:12 . 2010-08-26 14:30 2074 ----a-w- c:\windows\UDB.zip

2010-09-13 19:12 . 2010-08-23 14:36 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-09-13 19:12 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-09-13 19:10 . 2010-10-01 00:00 -------- d-----w- c:\program files\PC Tools Security

2010-09-13 19:10 . 2010-10-01 00:00 -------- d-----w- c:\program files\Common Files\PC Tools

2010-09-13 19:08 . 2010-09-13 19:09 76704960 ----a-w- c:\documents and settings\All Users\Application Data\PC Tools\DownloadManager\Spyware Doctor8.0\sdsetup_dl.exe

2010-09-12 17:18 . 2010-09-24 02:10 -------- d-----w- c:\documents and settings\Alan Brown\DoctorWeb

2010-09-11 22:24 . 2010-09-13 15:45 63488 ----a-w- c:\documents and settings\Alan Brown\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-09-11 22:24 . 2010-09-11 22:24 52224 ----a-w- c:\documents and settings\Alan Brown\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-09-11 15:21 . 2010-09-11 15:21 -------- d-----w- c:\program files\Cactus Spam Filter 3.01

2010-09-09 00:16 . 2010-06-02 15:28 865792 ----a-w- c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-30 11:22 . 2008-05-03 00:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-30 11:22 . 2009-05-14 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-09-29 23:36 . 2009-11-23 21:56 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-29 11:24 . 2010-09-13 19:11 728218 ----a-w- c:\windows\system32\drivers\Cat.DB

2010-09-24 20:41 . 2010-09-13 00:16 2933110 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll

2010-09-24 20:41 . 2010-09-13 00:16 242038 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll

2010-09-24 20:41 . 2010-09-13 00:16 196982 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll

2010-09-22 23:07 . 2009-05-14 14:32 -------- d-----w- c:\program files\TrojanHunter 5.1

2010-09-21 21:19 . 2010-09-13 00:16 635252 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll

2010-09-17 20:35 . 2010-09-13 00:16 471413 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll

2010-09-17 20:35 . 2010-09-13 00:16 1368443 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll

2010-09-17 20:35 . 2010-09-13 00:16 401780 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll

2010-09-17 01:54 . 2009-05-14 00:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-13 15:44 . 2009-05-14 13:06 117760 ----a-w- c:\documents and settings\Alan Brown\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-09-13 15:19 . 2006-05-05 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-09-11 23:53 . 2007-08-31 14:56 -------- d-----w- c:\program files\mypoints

2010-09-11 23:31 . 2009-07-06 22:54 -------- d-----w- c:\documents and settings\Alan Brown\Application Data\ZoomBrowser EX

2010-09-11 22:21 . 2009-05-16 16:48 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-09-11 20:23 . 2006-05-05 03:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-09-05 16:55 . 2009-10-05 19:01 -------- d-----w- c:\documents and settings\Alan Brown\Application Data\HpUpdate

2010-08-31 01:06 . 2006-05-04 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-08-30 18:55 . 2006-05-05 03:22 107 ----a-w- c:\windows\Recorder.dat

2010-08-30 14:46 . 2010-08-30 14:44 -------- d-----w- c:\program files\SpywareBlaster

2010-08-26 21:09 . 2010-08-26 21:09 -------- d-----w- c:\program files\QuickTime

2010-08-18 11:13 . 2006-05-05 02:55 -------- d-----w- c:\documents and settings\Alan Brown\Application Data\Apple Computer

2010-08-17 13:17 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 13:39 . 2010-08-16 13:38 -------- d-----w- c:\program files\iTunes

2010-08-16 13:39 . 2010-08-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-08-16 13:38 . 2010-08-16 13:38 -------- d-----w- c:\program files\iPod

2010-08-16 13:38 . 2007-08-17 00:30 -------- d-----w- c:\program files\Common Files\Apple

2010-08-16 13:24 . 2009-06-04 19:32 -------- d-----w- c:\program files\Bonjour

2010-08-16 13:18 . 2010-08-16 13:18 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-08-14 04:00 . 2007-02-02 09:17 -------- d-----w- c:\program files\Windows Media Connect 2

2010-08-14 03:36 . 2007-09-16 21:40 -------- d-----w- c:\program files\Amazon

2010-08-14 03:36 . 2007-09-16 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon

2010-08-14 03:36 . 2006-05-02 03:06 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-08 23:30 . 2009-05-14 22:53 -------- d-----w- c:\program files\a-squared Free

2010-08-08 02:02 . 2009-05-16 16:48 -------- d-----w- c:\program files\CCleaner

2010-07-29 22:54 . 2010-09-13 00:16 106868 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll

2010-07-22 15:49 . 2002-08-29 08:41 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-16 11:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-21 21:44 . 2010-09-13 00:16 201081 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeoffice.dll

2008-10-27 16:17 . 2008-10-27 16:17 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-10-27 16:17 . 2008-10-27 16:17 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-10-27 16:17 . 2008-10-27 16:17 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-10-27 16:17 . 2008-10-27 16:17 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll

2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-09-11_23.54.34 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-10-01 00:01 . 2010-10-01 00:01 16384 c:\windows\temp\Perflib_Perfdata_414.dat

+ 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe

- 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe

+ 2010-08-14 04:00 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll

+ 2001-08-23 12:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe

- 2010-06-04 06:28 . 2010-09-08 21:44 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

+ 2010-06-04 06:28 . 2010-09-29 11:26 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 293376 c:\windows\system32\winsrv.dll

+ 2002-08-29 08:41 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 406016 c:\windows\system32\usp10.dll

+ 2002-08-29 08:41 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll

+ 2006-10-19 03:47 . 2010-03-30 17:24 317440 c:\windows\system32\mp4sdecd.dll

- 2006-10-19 03:47 . 2009-01-31 01:33 317440 c:\windows\system32\MP4SDECD.dll

+ 2006-05-02 02:52 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll

+ 2002-08-29 08:41 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 293376 c:\windows\system32\dllcache\winsrv.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 406016 c:\windows\system32\dllcache\usp10.dll

+ 2002-08-29 08:41 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll

+ 2002-08-29 08:41 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll

+ 2010-03-30 17:24 . 2010-03-30 17:24 317440 c:\windows\system32\dllcache\mp4sdecd.dll

+ 2008-08-13 11:00 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll

+ 2006-05-05 02:32 . 2010-09-14 21:57 35552200 c:\windows\system32\MRT.exe

+ 2010-09-29 11:24 . 2010-09-29 11:24 20303872 c:\windows\Installer\9d159.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]

2009-11-20 23:17 1440768 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB81C3DB-2DEA-4AE9-96B3-13E6661FF03B}]

2007-08-16 01:02 380928 ----a-w- c:\program files\Snap Shots\snapbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar.dll" [2007-08-16 380928]

"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-20 1440768]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]

[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]

[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]

[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar.dll" [2007-08-16 380928]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]

[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare]

@="{72bcb80d-7778-eb4a-ec51-22340ad33e07}"

[HKEY_CLASSES_ROOT\CLSID\{72bcb80d-7778-eb4a-ec51-22340ad33e07}]

2010-06-18 13:48 2224456 ----a-w- c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare2]

@="{b723586e-9ca0-5b27-341a-4990a8c342cf}"

[HKEY_CLASSES_ROOT\CLSID\{b723586e-9ca0-5b27-341a-4990a8c342cf}]

2010-06-18 13:48 2224456 ----a-w- c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare3]

@="{f614e4c4-b3fa-5249-b9ea-4fe7d38b8cd0}"

[HKEY_CLASSES_ROOT\CLSID\{f614e4c4-b3fa-5249-b9ea-4fe7d38b8cd0}]

2010-06-18 13:48 2224456 ----a-w- c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]

"NoAds"="c:\program files\NoAds\NoAds.exe" [2006-05-04 122880]

"com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 2.13\cactusspamfilter.exe" [2006-04-30 749568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"THGuard"="c:\program files\TrojanHunter 5.1\THGuard.exe" [2009-05-11 1061536]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-05-14 3784704]

"nwiz"="nwiz.exe" [2004-05-14 831488]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-05-14 81920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Alan Brown\Start Menu\Programs\Startup\

ClipMate 4.5.lnk - c:\program files\clipmt40\CLIPMT45.exe [2006-5-3 975872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Ashampoo Magical Defrag.lnk - c:\program files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe [2008-7-6 4538672]

Secure Backup and Share Status.lnk - c:\program files\SecureBackupShare\ComcastSecureBackupSharestat.exe [2010-6-18 2374984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFileAssociate"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2007-05-11 03:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\InterVideo\\DVD5\\WinDVD.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=

"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=

"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [7/27/2008 8:14 PM 27672]

R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\drivers\ComcastSecureBackupShare.sys [3/13/2010 9:52 PM 54776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/16/2009 6:33 PM 108289]

R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\SecureBackupShare\ComcastSecureBackupSharebackup.exe [2/9/2010 10:02 AM 45896]

R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [8/16/2008 8:51 PM 22808]

R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [8/16/2008 8:51 PM 185880]

R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/27/2009 10:11 PM 135168]

R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/27/2009 10:11 PM 73368]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10/4/2008 11:49 PM 8704]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10/4/2008 11:49 PM 3072]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [1/14/2007 12:26 PM 39048]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [11/26/2004 1:13 PM 13696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-11-20 20:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2008-12-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]

2008-12-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/index.html

uInternet Settings,ProxyOverride = *.local

IE:

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

Trusted Zone: cvtyapps.com\webapps-pdc

Trusted Zone: intuit.com\ttlc

Trusted Zone: taxactonline.com\www

Trusted Zone: turbotax.com

DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://webapps.cvty.com/epa/nsepa.ocx

DPF: {36299202-09EF-4ABF-ADB9-47C599DBE779} - hxxps://admin.na3.acrobat.com/_a759220994/validator/default/LTAWvalidation.cab

FF - ProfilePath - c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com

FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=

FF - component: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll

FF - component: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - component: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll

FF - plugin: c:\documents and settings\Alan Brown\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\Alan Brown\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbrowster.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.03.13c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-30 19:44

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1424)

c:\windows\system32\wininet.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2828)

c:\windows\system32\WININET.dll

c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

c:\program files\SecureBackupShare\LIBEAY32.dll

c:\program files\NoAds\NoAds.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-30 19:50:19

ComboFix-quarantined-files.txt 2010-10-01 00:50

ComboFix2.txt 2010-09-29 00:24

ComboFix3.txt 2010-09-20 03:00

ComboFix4.txt 2010-09-13 03:27

ComboFix5.txt 2010-10-01 00:30

Pre-Run: 29,491,916,800 bytes free

Post-Run: 29,517,320,192 bytes free

- - End Of File - - A64F2DB2C38B5C30F34C58B3BE6C67AE

=========

Alan

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Here's the Kateskiller log:

19:55:17:968 1764 scanning threads ...

19:55:18:046 1764 Infected thread was killed in process winlogon.exe with PID 1424

19:55:18:203 1764 Infected thread was killed in process services.exe with PID 1476

19:55:18:328 1764 Infected thread was killed in process lsass.exe with PID 1488

19:55:18:578 1764 Infected thread was killed in process svchost.exe with PID 1680

19:55:18:734 1764 Infected thread was killed in process svchost.exe with PID 1932

19:55:18:890 1764 Infected thread was killed in process aawservice.exe with PID 924

19:55:18:953 1764 Infected thread was killed in process spoolsv.exe with PID 1208

19:55:19:062 1764 Infected thread was killed in process ipoint.exe with PID 1272

19:55:19:375 1764 Infected thread was killed in process hpwuschd2.exe with PID 1344

19:55:19:390 1764 Infected thread was killed in process iTunesHelper.exe with PID 1364

19:55:20:781 1764 Infected thread was killed in process NoAds.exe with PID 1552

19:55:20:781 1764 Infected thread was killed in process ctfmon.exe with PID 1692

19:55:20:890 1764 Infected thread was killed in process aDefragCtrl.exe with PID 1824

19:55:20:968 1764 Infected thread was killed in process ComcastSecureBackupSharestat.exe with PID 1872

19:55:21:015 1764 Infected thread was killed in process CLIPMT45.exe with PID 260

19:55:21:046 1764 Infected thread was killed in process dpupdchk.exe with PID 644

19:55:21:406 1764 Infected thread was killed in process AppleMobileDeviceService.exe with PID 692

19:55:21:843 1764 Infected thread was killed in process aDefragService.exe with PID 716

19:55:21:984 1764 Infected thread was killed in process mDNSResponder.exe with PID 908

19:55:22:031 1764 Infected thread was killed in process ComcastSecureBackupSharebackup.exe with PID 1044

19:55:22:359 1764 Infected thread was killed in process defragActivityMonitor.exe with PID 1696

19:55:22:359 1764 Infected thread was killed in process CTSVCCDA.EXE with PID 1792

19:55:22:406 1764 Infected thread was killed in process cvpnd.exe with PID 2076

19:55:24:906 1764 Infected thread was killed in process explorer.exe with PID 2828

19:55:28:625 1764

19:55:28:625 1764 scanning modules...

19:55:28:656 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1424

19:55:28:656 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1424

19:55:28:656 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1424

19:55:28:687 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1424

19:55:28:687 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1424

19:55:28:687 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1424

19:55:28:687 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1424

19:55:28:687 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1424

19:55:28:687 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1476

19:55:28:687 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1476

19:55:28:687 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1476

19:55:28:703 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1476

19:55:28:703 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1476

19:55:28:734 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1476

19:55:28:734 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1476

19:55:28:734 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1476

19:55:28:734 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1488

19:55:28:734 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1488

19:55:28:734 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1488

19:55:28:765 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1488

19:55:28:765 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1488

19:55:28:765 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1488

19:55:28:765 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1488

19:55:28:765 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1488

19:55:28:765 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1680

19:55:28:765 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1680

19:55:28:765 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1680

19:55:28:781 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1680

19:55:28:781 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1680

19:55:28:812 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1680

19:55:28:812 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1680

19:55:28:812 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1680

19:55:28:812 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1932

19:55:28:812 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1932

19:55:28:812 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1932

19:55:28:843 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1932

19:55:28:843 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1932

19:55:28:843 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1932

19:55:28:843 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1932

19:55:28:843 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1932

19:55:28:843 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 924

19:55:28:875 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 924

19:55:28:875 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 924

19:55:28:875 1764 Spliced function send fixed in ws2_32.dll module of process with PID 924

19:55:28:890 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 924

19:55:28:890 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 924

19:55:28:890 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 924

19:55:28:890 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 924

19:55:28:890 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1208

19:55:28:890 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1208

19:55:28:890 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1208

19:55:28:921 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1208

19:55:28:921 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1208

19:55:28:921 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1208

19:55:28:921 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1208

19:55:28:921 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1208

19:55:28:921 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1272

19:55:28:953 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1272

19:55:28:953 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1272

19:55:28:953 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1272

19:55:28:953 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1272

19:55:28:953 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1272

19:55:28:953 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1272

19:55:28:984 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1272

19:55:28:984 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1280

19:55:28:984 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1280

19:55:28:984 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1280

19:55:28:984 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1280

19:55:29:015 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1280

19:55:29:015 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1280

19:55:29:046 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1280

19:55:29:046 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1280

19:55:29:046 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1300

19:55:29:046 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1300

19:55:29:046 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1300

19:55:29:046 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1300

19:55:29:062 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1300

19:55:29:062 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1300

19:55:29:062 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1300

19:55:29:062 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1300

19:55:29:062 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1344

19:55:29:062 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1344

19:55:29:062 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1344

19:55:29:062 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1344

19:55:29:062 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1344

19:55:29:062 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1344

19:55:29:062 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1344

19:55:29:093 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1344

19:55:29:093 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1364

19:55:29:093 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1364

19:55:29:093 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1364

19:55:29:093 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1364

19:55:29:093 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1364

19:55:29:125 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1364

19:55:29:125 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1364

19:55:29:125 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1364

19:55:29:125 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1552

19:55:29:125 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1552

19:55:29:125 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1552

19:55:29:156 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1552

19:55:29:156 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1552

19:55:29:156 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1552

19:55:29:156 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1552

19:55:29:156 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1552

19:55:29:156 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1692

19:55:29:187 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1692

19:55:29:187 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1692

19:55:29:187 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1692

19:55:29:187 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1692

19:55:29:187 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1692

19:55:29:187 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1692

19:55:29:203 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1692

19:55:29:203 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1824

19:55:29:203 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1824

19:55:29:203 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1824

19:55:29:203 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1824

19:55:29:203 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1824

19:55:29:203 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1824

19:55:29:218 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1824

19:55:29:218 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1824

19:55:29:218 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1872

19:55:29:218 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1872

19:55:29:218 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1872

19:55:29:218 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1872

19:55:29:218 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1872

19:55:29:218 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1872

19:55:29:218 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1872

19:55:29:218 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1872

19:55:29:218 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 260

19:55:29:234 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 260

19:55:29:234 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 260

19:55:29:234 1764 Spliced function send fixed in ws2_32.dll module of process with PID 260

19:55:29:234 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 260

19:55:29:234 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 260

19:55:29:234 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 260

19:55:29:234 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 260

19:55:29:250 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 644

19:55:29:250 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 644

19:55:29:250 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 644

19:55:29:250 1764 Spliced function send fixed in ws2_32.dll module of process with PID 644

19:55:29:250 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 644

19:55:29:250 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 644

19:55:29:250 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 644

19:55:29:250 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 644

19:55:29:250 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 672

19:55:29:250 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 672

19:55:29:265 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 672

19:55:29:265 1764 Spliced function send fixed in ws2_32.dll module of process with PID 672

19:55:29:265 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 672

19:55:29:265 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 672

19:55:29:265 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 672

19:55:29:265 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 672

19:55:29:281 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 692

19:55:29:281 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 692

19:55:29:281 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 692

19:55:29:281 1764 Spliced function send fixed in ws2_32.dll module of process with PID 692

19:55:29:281 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 692

19:55:29:281 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 692

19:55:29:281 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 692

19:55:29:281 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 692

19:55:29:281 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 716

19:55:29:281 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 716

19:55:29:296 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 716

19:55:29:296 1764 Spliced function send fixed in ws2_32.dll module of process with PID 716

19:55:29:296 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 716

19:55:29:296 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 716

19:55:29:296 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 716

19:55:29:296 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 716

19:55:29:296 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 908

19:55:29:296 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 908

19:55:29:296 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 908

19:55:29:296 1764 Spliced function send fixed in ws2_32.dll module of process with PID 908

19:55:29:296 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 908

19:55:29:296 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 908

19:55:29:296 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 908

19:55:29:312 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 908

19:55:29:312 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1044

19:55:29:312 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1044

19:55:29:312 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1044

19:55:29:312 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1044

19:55:29:312 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1044

19:55:29:312 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1044

19:55:29:312 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1044

19:55:29:312 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1044

19:55:29:312 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1696

19:55:29:312 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1696

19:55:29:312 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1696

19:55:29:312 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1696

19:55:29:328 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1696

19:55:29:328 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1696

19:55:29:328 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1696

19:55:29:328 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1696

19:55:29:328 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 1792

19:55:29:328 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 1792

19:55:29:328 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 1792

19:55:29:328 1764 Spliced function send fixed in ws2_32.dll module of process with PID 1792

19:55:29:328 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 1792

19:55:29:328 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 1792

19:55:29:328 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 1792

19:55:29:328 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 1792

19:55:29:328 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 2076

19:55:29:328 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 2076

19:55:29:343 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 2076

19:55:29:343 1764 Spliced function send fixed in ws2_32.dll module of process with PID 2076

19:55:29:343 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 2076

19:55:29:343 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 2076

19:55:29:343 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 2076

19:55:29:343 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 2076

19:55:29:375 1764 Spliced function NtOpenKey fixed in ntdll.dll module of process with PID 2828

19:55:29:375 1764 Spliced function CreateProcessW fixed in kernel32.dll module of process with PID 2828

19:55:29:375 1764 Spliced function ExitProcess fixed in kernel32.dll module of process with PID 2828

19:55:29:375 1764 Spliced function send fixed in ws2_32.dll module of process with PID 2828

19:55:29:375 1764 Spliced function recv fixed in ws2_32.dll module of process with PID 2828

19:55:29:375 1764 Spliced function connect fixed in ws2_32.dll module of process with PID 2828

19:55:29:375 1764 Spliced function WSASend fixed in ws2_32.dll module of process with PID 2828

19:55:29:375 1764 Spliced function WSARecv fixed in ws2_32.dll module of process with PID 2828

19:55:29:390 1764

19:55:29:390 1764 scanning registry ...

19:55:29:406 1764 Registry key (midi9) deleted successfully

19:55:29:406 1764 File (C:\Documents and Settings\Alan Brown\Local Settings\temp\elf.old) deleted successfully

19:55:29:406 1764

19:55:29:406 1764

completed

19:55:29:406 1764 Infected threads: 24

19:55:29:406 1764 Spliced functions: 216

19:55:29:406 1764 Deleted files: 1

19:55:29:406 1764 Fixed registry keys: 1

Alan

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Wow... finally. Please go ahead and UPDATE MBAM and do a Quick Scan with it and post back the log.

Then download a new version of CF and run it again just to make sure (though I think we've finally got it whipped)

Then post back those logs as well as a NEW VEW log which now I hope will no longer show these other items not working.

Also let me know how the system is working, feeling and if your original complaints appear to now be corrected.

  1. Download the Event Viewer Tool by Vino Rosso VEW and save it to your Desktop:
  2. Double-click VEW.exe
  3. Under 'Select log to query', select:
    • Application
    • System

[*]Under 'Select type to list', select:

  • Error

[*] Click the radio button for 'Number of events'

[*]Type 20 in the 1 to 20 box

[*]Then click the Run button.

[*]Notepad will open with the output log.

Please post the Output log in your next reply

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

That registry key (AppInit_DLLs) has a value of "winmm.dll".

Avira has been going crazy today detecting 'TR/Agent.bzl [trojan]'. It detected a total of 69 times but has not since I ran Kateskiller.

Also, the Comcast Backup and Share app started working tonight, Avira once again could update the definitions, Cactus Spam filter is once again working, and MBAM will now start up and update (but I didn't run an MBAM scan until I get the go-ahead from you).

Have we rounded a corner here?

Alan

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Yes we should have it well under control now.

Please look for this file and zip it and attach to your next reply please.

C:\Documents and Settings\Alan Brown\Local Settings\temp\elf.old

You may need to set files to show hidden to get there.

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

Then go ahead and run the CF and MBAM scans as requested.

Thanks.

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4725

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/30/2010 9:24:04 PM

mbam-log-2010-09-30 (21-24-04).txt

Scan type: Quick scan

Objects scanned: 152807

Time elapsed: 9 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

=========================

I've got hidden files enabled, and I can't find that elf.old file. That's the one that Avira kept alerting me to.

I'll try the other things later tonight or tomorrow.

Alan

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Here's the latest CF log:

ComboFix 10-09-30.03 - Alan Brown 09/30/2010 21:42:57.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.600 [GMT -5:00]

Running from: c:\documents and settings\Alan Brown\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2010-09-01 to 2010-10-01 )))))))))))))))))))))))))))))))

.

2010-09-16 03:39 . 2010-09-09 01:45 615568 ----a-w- c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-09-16 03:39 . 2010-09-09 01:45 640264 ----a-w- c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-09-15 01:05 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-15 01:05 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-13 19:12 . 2010-08-30 18:57 767952 ----a-w- c:\windows\BDTSupport.dll

2010-09-13 19:12 . 2010-09-02 20:00 739280 ----a-w- c:\windows\PCTBDRes.dll

2010-09-13 19:12 . 2010-09-02 20:00 1865680 ----a-w- c:\windows\PCTBDCore.dll

2010-09-13 19:12 . 2010-08-26 14:30 2074 ----a-w- c:\windows\UDB.zip

2010-09-13 19:12 . 2010-08-23 14:36 149456 ----a-w- c:\windows\SGDetectionTool.dll

2010-09-13 19:12 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip

2010-09-13 19:10 . 2010-10-01 00:00 -------- d-----w- c:\program files\PC Tools Security

2010-09-13 19:10 . 2010-10-01 00:00 -------- d-----w- c:\program files\Common Files\PC Tools

2010-09-13 19:08 . 2010-09-13 19:09 76704960 ----a-w- c:\documents and settings\All Users\Application Data\PC Tools\DownloadManager\Spyware Doctor8.0\sdsetup_dl.exe

2010-09-12 17:18 . 2010-09-24 02:10 -------- d-----w- c:\documents and settings\Alan Brown\DoctorWeb

2010-09-11 22:24 . 2010-09-13 15:45 63488 ----a-w- c:\documents and settings\Alan Brown\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-09-11 22:24 . 2010-09-11 22:24 52224 ----a-w- c:\documents and settings\Alan Brown\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-09-11 15:21 . 2010-09-11 15:21 -------- d-----w- c:\program files\Cactus Spam Filter 3.01

2010-09-09 00:16 . 2010-06-02 15:28 865792 ----a-w- c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-30 11:22 . 2008-05-03 00:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-30 11:22 . 2009-05-14 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2010-09-29 23:36 . 2009-11-23 21:56 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-29 11:24 . 2010-09-13 19:11 728218 ----a-w- c:\windows\system32\drivers\Cat.DB

2010-09-24 20:41 . 2010-09-13 00:16 2933110 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeheur.dll

2010-09-24 20:41 . 2010-09-13 00:16 242038 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aehelp.dll

2010-09-24 20:41 . 2010-09-13 00:16 196982 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aecore.dll

2010-09-22 23:07 . 2009-05-14 14:32 -------- d-----w- c:\program files\TrojanHunter 5.1

2010-09-21 21:19 . 2010-09-13 00:16 635252 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aerdl.dll

2010-09-17 20:35 . 2010-09-13 00:16 471413 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aepack.dll

2010-09-17 20:35 . 2010-09-13 00:16 1368443 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aescript.dll

2010-09-17 20:35 . 2010-09-13 00:16 401780 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aegen.dll

2010-09-17 01:54 . 2009-05-14 00:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-13 15:44 . 2009-05-14 13:06 117760 ----a-w- c:\documents and settings\Alan Brown\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-09-13 15:19 . 2006-05-05 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-09-11 23:53 . 2007-08-31 14:56 -------- d-----w- c:\program files\mypoints

2010-09-11 23:31 . 2009-07-06 22:54 -------- d-----w- c:\documents and settings\Alan Brown\Application Data\ZoomBrowser EX

2010-09-11 22:21 . 2009-05-16 16:48 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-09-11 20:23 . 2006-05-05 03:35 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-09-05 16:55 . 2009-10-05 19:01 -------- d-----w- c:\documents and settings\Alan Brown\Application Data\HpUpdate

2010-08-31 01:06 . 2006-05-04 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-08-30 18:55 . 2006-05-05 03:22 107 ----a-w- c:\windows\Recorder.dat

2010-08-30 14:46 . 2010-08-30 14:44 -------- d-----w- c:\program files\SpywareBlaster

2010-08-26 21:09 . 2010-08-26 21:09 -------- d-----w- c:\program files\QuickTime

2010-08-18 11:13 . 2006-05-05 02:55 -------- d-----w- c:\documents and settings\Alan Brown\Application Data\Apple Computer

2010-08-17 13:17 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 13:39 . 2010-08-16 13:38 -------- d-----w- c:\program files\iTunes

2010-08-16 13:39 . 2010-08-16 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-08-16 13:38 . 2010-08-16 13:38 -------- d-----w- c:\program files\iPod

2010-08-16 13:38 . 2007-08-17 00:30 -------- d-----w- c:\program files\Common Files\Apple

2010-08-16 13:24 . 2009-06-04 19:32 -------- d-----w- c:\program files\Bonjour

2010-08-16 13:18 . 2010-08-16 13:18 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-08-14 04:00 . 2007-02-02 09:17 -------- d-----w- c:\program files\Windows Media Connect 2

2010-08-14 03:36 . 2007-09-16 21:40 -------- d-----w- c:\program files\Amazon

2010-08-14 03:36 . 2007-09-16 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Amazon

2010-08-14 03:36 . 2006-05-02 03:06 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-08 23:30 . 2009-05-14 22:53 -------- d-----w- c:\program files\a-squared Free

2010-08-08 02:02 . 2009-05-16 16:48 -------- d-----w- c:\program files\CCleaner

2010-07-29 22:54 . 2010-09-13 00:16 106868 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aevdf.dll

2010-07-22 15:49 . 2002-08-29 08:41 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-16 11:05 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-21 21:44 . 2010-09-13 00:16 201081 ----a-w- c:\documents and settings\All Users\Application Data\Avira\AntiVir Desktop\FAILSAVE\aeoffice.dll

2008-10-27 16:17 . 2008-10-27 16:17 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-10-27 16:17 . 2008-10-27 16:17 125848 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2008-10-27 16:17 . 2008-10-27 16:17 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll

2008-08-16 23:42 . 2008-08-16 23:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll

2008-08-16 23:42 . 2008-08-16 23:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll

2008-08-16 23:42 . 2008-08-16 23:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll

2008-08-16 23:42 . 2008-08-16 23:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll

2008-08-16 23:43 . 2008-08-16 23:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll

2008-08-16 23:42 . 2008-08-16 23:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll

2008-08-16 23:42 . 2008-08-16 23:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll

2008-10-27 16:17 . 2008-10-27 16:17 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2008-05-21 14:41 . 2008-05-21 14:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll

2008-05-21 14:41 . 2008-05-21 14:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll

2008-05-21 14:41 . 2008-05-21 14:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll

2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll

2008-06-05 19:58 . 2008-06-05 19:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll

2008-08-16 23:42 . 2008-08-16 23:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-09-11_23.54.34 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-10-01 00:01 . 2010-10-01 00:01 16384 c:\windows\temp\Perflib_Perfdata_414.dat

+ 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe

- 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe

+ 2010-08-14 04:00 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll

+ 2001-08-23 12:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe

- 2010-06-04 06:28 . 2010-09-08 21:44 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

+ 2010-06-04 06:28 . 2010-09-29 11:26 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 293376 c:\windows\system32\winsrv.dll

+ 2002-08-29 08:41 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 406016 c:\windows\system32\usp10.dll

+ 2002-08-29 08:41 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll

+ 2006-10-19 03:47 . 2010-03-30 17:24 317440 c:\windows\system32\mp4sdecd.dll

- 2006-10-19 03:47 . 2009-01-31 01:33 317440 c:\windows\system32\MP4SDECD.dll

+ 2006-05-02 02:52 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll

+ 2002-08-29 08:41 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 293376 c:\windows\system32\dllcache\winsrv.dll

- 2002-08-29 08:41 . 2008-04-14 00:12 406016 c:\windows\system32\dllcache\usp10.dll

+ 2002-08-29 08:41 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll

+ 2002-08-29 08:41 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll

+ 2010-03-30 17:24 . 2010-03-30 17:24 317440 c:\windows\system32\dllcache\mp4sdecd.dll

+ 2008-08-13 11:00 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll

+ 2006-05-05 02:32 . 2010-09-14 21:57 35552200 c:\windows\system32\MRT.exe

+ 2010-09-29 11:24 . 2010-09-29 11:24 20303872 c:\windows\Installer\9d159.msp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{614BDA1F-9BEF-4CD1-BDE4-FA4804929B4A}]

2009-11-20 23:17 1440768 ----a-w- c:\program files\MyPoints Toolbar 2.0\Toolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB81C3DB-2DEA-4AE9-96B3-13E6661FF03B}]

2007-08-16 01:02 380928 ----a-w- c:\program files\Snap Shots\snapbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar.dll" [2007-08-16 380928]

"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2009-11-20 1440768]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]

[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]

[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]

[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]

[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{8CD8EA48-D284-477E-B6DF-85D1E39D855F}"= "c:\program files\Snap Shots\snapbar.dll" [2007-08-16 380928]

[HKEY_CLASSES_ROOT\clsid\{8cd8ea48-d284-477e-b6df-85d1e39d855f}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots.1]

[HKEY_CLASSES_ROOT\TypeLib\{F57712B7-CEDB-4C0E-915B-4BB043CEF769}]

[HKEY_CLASSES_ROOT\Snapbar.SnapShots]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare]

@="{72bcb80d-7778-eb4a-ec51-22340ad33e07}"

[HKEY_CLASSES_ROOT\CLSID\{72bcb80d-7778-eb4a-ec51-22340ad33e07}]

2010-06-18 13:48 2224456 ----a-w- c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare2]

@="{b723586e-9ca0-5b27-341a-4990a8c342cf}"

[HKEY_CLASSES_ROOT\CLSID\{b723586e-9ca0-5b27-341a-4990a8c342cf}]

2010-06-18 13:48 2224456 ----a-w- c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ComcastSecureBackupShare3]

@="{f614e4c4-b3fa-5249-b9ea-4fe7d38b8cd0}"

[HKEY_CLASSES_ROOT\CLSID\{f614e4c4-b3fa-5249-b9ea-4fe7d38b8cd0}]

2010-06-18 13:48 2224456 ----a-w- c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 188416]

"NoAds"="c:\program files\NoAds\NoAds.exe" [2006-05-04 122880]

"com.codeode.cactusspamfilter"="c:\program files\Cactus Spam Filter 2.13\cactusspamfilter.exe" [2006-04-30 749568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"THGuard"="c:\program files\TrojanHunter 5.1\THGuard.exe" [2009-05-11 1061536]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-05-14 3784704]

"nwiz"="nwiz.exe" [2004-05-14 831488]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-05-14 81920]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Alan Brown\Start Menu\Programs\Startup\

ClipMate 4.5.lnk - c:\program files\clipmt40\CLIPMT45.exe [2006-5-3 975872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Ashampoo Magical Defrag.lnk - c:\program files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragCtrl.exe [2008-7-6 4538672]

Secure Backup and Share Status.lnk - c:\program files\SecureBackupShare\ComcastSecureBackupSharestat.exe [2010-6-18 2374984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoFileAssociate"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2007-05-11 03:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\InterVideo\\DVD5\\WinDVD.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=

"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=

"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 cdfdrv;Cdfdrv;c:\windows\system32\drivers\cdfdrv.sys [7/27/2008 8:14 PM 27672]

R1 ComcastSecureBackupShareFilter;ComcastSecureBackupShareFilter;c:\windows\system32\drivers\ComcastSecureBackupShare.sys [3/13/2010 9:52 PM 54776]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [5/16/2009 6:33 PM 108289]

R2 ComcastSecureBackupSharebackup;Comcast Secure Backup & Share Backup Service;c:\program files\SecureBackupShare\ComcastSecureBackupSharebackup.exe [2/9/2010 10:02 AM 45896]

R2 ctxpidmn;ctxpidmn;c:\windows\system32\drivers\ctxpidmn.sys [8/16/2008 8:51 PM 22808]

R2 CtxSbx;CtxSbx;c:\windows\system32\drivers\CtxSbx.sys [8/16/2008 8:51 PM 185880]

R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [3/27/2009 10:11 PM 135168]

R3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys [3/27/2009 10:11 PM 73368]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [10/4/2008 11:49 PM 8704]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [10/4/2008 11:49 PM 3072]

S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\drivers\IcdUsb2.sys [1/14/2007 12:26 PM 39048]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [11/26/2004 1:13 PM 13696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-11-20 20:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:34]

2008-12-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]

2008-12-01 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://my.yahoo.com/index.html

uInternet Settings,ProxyOverride = *.local

IE:

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

Trusted Zone: cvtyapps.com\webapps-pdc

Trusted Zone: intuit.com\ttlc

Trusted Zone: taxactonline.com\www

Trusted Zone: turbotax.com

DPF: {181BCAB2-C89B-4E4B-9E6B-59FA67A426B5} - hxxps://webapps.cvty.com/epa/nsepa.ocx

DPF: {36299202-09EF-4ABF-ADB9-47C599DBE779} - hxxps://admin.na3.acrobat.com/_a759220994/validator/default/LTAWvalidation.cab

FF - ProfilePath - c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com

FF - prefs.js: keyword.URL - hxxps://www.mypoints.com/emp/u/mysearch.vm?st=mypWeb&fctb.dns=1&q=

FF - component: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{51ef49d2-624b-4194-8b97-1c468e9b0efe}\components\Engine.dll

FF - component: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - component: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll

FF - plugin: c:\documents and settings\Alan Brown\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\Alan Brown\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\Alan Brown\Application Data\Mozilla\Firefox\Profiles\7lulsbu2.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npbrowster.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: general.useragent.extra.zencast - Creative ZENcast v1.03.13c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-30 21:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1424)

c:\windows\system32\wininet.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3040)

c:\windows\system32\WININET.dll

c:\program files\SecureBackupShare\ComcastSecureBackupShareshell.dll

c:\program files\SecureBackupShare\LIBEAY32.dll

c:\program files\NoAds\NoAds.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-30 21:56:27

ComboFix-quarantined-files.txt 2010-10-01 02:56

ComboFix2.txt 2010-10-01 00:50

ComboFix3.txt 2010-09-29 00:24

ComboFix4.txt 2010-09-20 03:00

ComboFix5.txt 2010-10-01 02:40

Pre-Run: 29,466,124,288 bytes free

Post-Run: 29,451,808,768 bytes free

- - End Of File - - 10F6235508735397956023D5A39FA8FB

==================================

Here's the VEW log:

Vino's Event Viewer v01c run on Windows XP in English

Report run at 30/09/2010 10:05:28 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 30/09/2010 10:00:23 PM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 10:00:23 PM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 10:00:22 PM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 10:00:22 PM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 7:03:06 PM

Type: error Category: 100

Event: 1000 Source: Application Error

Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Log: 'Application' Date/Time: 30/09/2010 6:21:36 AM

Type: error Category: 0

Event: 0 Source: pctsSvc.exe

The event description cannot be found.

Log: 'Application' Date/Time: 30/09/2010 1:33:05 AM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 1:33:05 AM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 1:33:05 AM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 1:33:05 AM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 1:33:04 AM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 30/09/2010 1:33:04 AM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 29/09/2010 6:38:26 PM

Type: error Category: 100

Event: 1000 Source: Application Error

Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Log: 'Application' Date/Time: 28/09/2010 10:18:28 PM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 28/09/2010 10:18:28 PM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 28/09/2010 10:18:28 PM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 28/09/2010 10:18:28 PM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 28/09/2010 10:18:27 PM

Type: error Category: 0

Event: 2006 Source: PerfNet

Unable to read Server Queue performance data from the Server service. No Server Queue performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 28/09/2010 10:18:27 PM

Type: error Category: 0

Event: 2005 Source: PerfNet

Unable to read performance data from the Server service. No Server performance data will be returned in this sample. Error code returned is in data DWORD 0, IOSB.Status is DWORD 1 and the IOSB.Information is DWORD 2.

Log: 'Application' Date/Time: 28/09/2010 8:26:51 PM

Type: error Category: 100

Event: 1000 Source: Application Error

Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'System' Log - error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'System' Date/Time: 30/09/2010 10:03:07 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 30/09/2010 7:02:08 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 30/09/2010 6:10:39 AM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 29/09/2010 7:07:08 PM

Type: error Category: 0

Event: 7034 Source: Service Control Manager

The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 29/09/2010 6:50:39 PM

Type: error Category: 0

Event: 7011 Source: Service Control Manager

Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Log: 'System' Date/Time: 29/09/2010 6:39:41 PM

Type: error Category: 0

Event: 7032 Source: Service Control Manager

The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.

Log: 'System' Date/Time: 29/09/2010 6:37:20 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 29/09/2010 6:15:54 AM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 28/09/2010 10:20:49 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 28/09/2010 10:08:12 PM

Type: error Category: 0

Event: 7011 Source: Service Control Manager

Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

Log: 'System' Date/Time: 28/09/2010 8:25:34 PM

Type: error Category: 0

Event: 7023 Source: Service Control Manager

The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 28/09/2010 8:23:20 PM

Type: error Category: 0

Event: 10005 Source: DCOM

DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 28/09/2010 8:22:56 PM

Type: error Category: 0

Event: 10005 Source: DCOM

DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 28/09/2010 8:19:26 PM

Type: error Category: 0

Event: 10005 Source: DCOM

DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Log: 'System' Date/Time: 28/09/2010 8:19:13 PM

Type: error Category: 0

Event: 7026 Source: Service Control Manager

The following boot-start or system-start driver(s) failed to load: AFD ASPI32 avgio avipbb cdfdrv ComcastSecureBackupShareFilter Fips intelppm IPSec mbmiodrvr MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL ssmdrv Tcpip vmm

Log: 'System' Date/Time: 28/09/2010 8:19:13 PM

Type: error Category: 0

Event: 7001 Source: Service Control Manager

The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 28/09/2010 8:19:13 PM

Type: error Category: 0

Event: 7001 Source: Service Control Manager

The Cisco Systems, Inc. VPN Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 28/09/2010 8:19:13 PM

Type: error Category: 0

Event: 7001 Source: Service Control Manager

The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 28/09/2010 8:19:13 PM

Type: error Category: 0

Event: 7001 Source: Service Control Manager

The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

Log: 'System' Date/Time: 28/09/2010 8:19:13 PM

Type: error Category: 0

Event: 7001 Source: Service Control Manager

The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.

Alan

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Looks pretty good.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 21 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 21 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files

      [*]Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

      [*]Click OK to leave the Temporary Files Window

      [*]Click OK to leave the Java Control Panel.

What we need to do now is run this online scan to search for any remnants. It can take several hours, so please be patient and allow it to run it's full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Also, you need to change all of your passwords, especially FTP passwords and social networking passwords (facebook, twitter etc..) from a known clean computer.

If you own a Website make sure the files are not modified because this one places hidden iframes and extra javascripts in the files also check that no pdf documents are there that may have been infected as well.

This is the infection that you had on your system. http://en.wikipedia.org/wiki/Gumblar

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Here is the Kaspersky log. The only casualty I've seen so far is Adobe acrobat professional. Looks like I'll need to reinstall. Not bad.

Let me know if there's anything here to be concerned with.

Thanks so much,

Alan

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, October 2, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, October 02, 2010 01:15:27

Records in database: 4273512

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

F:\

G:\

Scan statistics:

Objects scanned: 182951

Threats found: 3

Infected objects found: 5

Suspicious objects found: 0

Scan duration: 09:48:33

File name / Threat / Threats count

C:\Documents and Settings\Alan Brown\Local Settings\Application Data\Identities\{59F25543-3F4C-4513-8100-1180300C969E}\Microsoft\Outlook Express\Sent Items.dbx Infected: Trojan-Spy.HTML.Paylap.cf 1

C:\Program Files\Common Files\Vbox\Common\vboxten-us.vboxlm Infected: Trojan.Win32.AntiAV.gzx 1

C:\Program Files\Pegasys Inc\TMPGEnc DVD Author 1.6\TMPGEncDVDAuthor16.exe Infected: Trojan-PSW.Win32.FakeMSN.nt 1

C:\USMT.TMP\DIR0003.TMP\00000\7CE.DAT Infected: Trojan-Spy.HTML.Paylap.cf 1

G:\Apps\OE and IE settings from old computer\mail backup-alan\Sent Items.dbx Infected: Trojan-Spy.HTML.Paylap.cf 1

Selected area has been scanned.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

You can upload the files below to http://www.virustotal.com/ and have them check, otherwise I'd delete them and reinstall the app if needed.

C:\Program Files\Pegasys Inc\TMPGEnc DVD Author 1.6\TMPGEncDVDAuthor16.exe

C:\USMT.TMP\DIR0003.TMP\00000\7CE.DAT

What is this folder for and what's in it? C:\USMT.TMP\

We should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean.You should be good to go. We still have a few items to address.

Disable your AntiVirus temporarily so that it does not block removal of Combofix.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall

combofix_run_uninstall.png

This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

============================================

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

  • Microsoft Windows Update -
    To update Windows, click on Start > Windows Update (or Start > All Programs > Windows Update if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ .
    This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • SpywareBlaster to help prevent spyware from installing in the first place.
      Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items

    [*]WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

    [*]Winpatrol

    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

    [*]MVPS HOST FILE

    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

    [*]ANTIVIRUS SOFTWARE

    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

    [*] Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

    [*] http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

    [*] http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

Review the security settings for Internet Explorer here

Securing Your Web Browser

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at the following post: So how did I get infected in the first place?

Link to post
Share on other sites
bubhead

bubhead

Posted
  • Author
Posted

Ron,

I've gotten rid of those programs and files that are suspect.

I've downloaded and installed Winpatrol. It will take some getting used to on that one. I've also installed WOT.

Is there a particular firewall that you would recommend? All I'm running is the Windows firewall and I'm concerned about its effectiveness.

What about a particular antivirus solution? I've used AVG in the past and quit using it after a particular nasty infection that I was able to clean up on my own. Now that this has happened, I'm wondering about the effectiveness of Avira.

Do you recommend letting Spybot's resident feature run in the background? I don't want to have too many things going on and sucking down resources, but I also want to do what I can to avoid this problem in the future.

I'm thinking about taking the time to get organized and do a fresh install of XP at some point in the future to get some of the zing back in my computer, but would like to put back just those programs that will help and get rid of some of the junk.

Thanks so much for your patience and knowledge.

Alan

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

These are my opinions and are not the opinion of the Company - Malwarebytes whom I work for. The results have no scientific or technical data to backup my claims.

Overall most people seem to be happy with Avira AV. I use it off and on myself but on other systems where I need the protection I currently use the paid version of Kaspersky AV along with the Paid version of Malwarebytes and they seem to keep the system pretty well protected.

I use to not like Symantec AV but the new version actually isn't too bad. My wife's computer came with a copy and I was going to remove it but decided to try it out and so far its working well.

On any given day one AV is going to outshine another for some reason or another, being consistent on protection though I think is more key and Kaspersky for quite some time is always one of the top AV products. NOD32 seems to do pretty good as well. Though the interface and usage is often what seems to matter most to many users and if the program interface doesn't work the way one wants then they may opt for another brand.

ZoneAlarm has had high marks for a very good firewall but was purchased by another company and they've made some changes that some users and experts don't seem to like. One issue it has had issues with is being a resource hog and difficult to remove once it was installed so though the firewall does work well there are other issues that may not make it a good choice anymore.

Please see this article here which may help you to make up your mind on what to use. Good luck and let me know if you need anything else otherwise I'll be closing your post soon to help prevent others from posting in it.

http://forums.malwarebytes.org/index.php?showtopic=9365

Yes you're correct. Using too much software can almost be as annoying as the infection. As long as the Spybot is not dragging down the system it should be okay to run it. One of the best methods of protection I think is to use Firefox with NoScript and AdBlock Plus and that too will really help reduce the possibility of a re-infect. Though many people seem to have a hard time learning how to train and use it but if you have the time I'd check it out. Yes, fdisk, format, installing Windows XP is the only thing that will give it back that original Zing - it's just a lot of work to do, but I do it myself on systems quite often.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.