
Solved Search Engine hijacked

Discussion in 'Malware and Virus Removal Archive' started by EMB, 2010/07/03.

  1. 2010/07/03
    EMB

    EMB Inactive Thread Starter

    [Resolved] Search Engine hijacked

    Good morning and thank you in advance for your time. I've seen this issue posted elsewhere but the fix seems to be highly specific. When searching the internet I am redirected to random sites (frequently Monster Marketplace, but there are many others).

    Here are my logs.

    DDS.txt

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Mom at 6:13:25.82 on Sat 07/03/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.317 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IObit\IObit Security 360\IS360srv.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\IObit\IObit Security 360\IS360tray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
    c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\8F0KMBD7\dds[1].scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = www.google.com
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
    uInternet Connection Wizard,ShellNext = hxxp://eus.avanquest.com/gotoCart.php?SERIAL_NUM=A112-0273-8A4K-UG1X-3NKA-7JPR&PROD_ID=A112-0273
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - No File
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {DE1B6629-3757-4A45-98B6-11EDF84F89AA} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe "
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe "
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-17 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-17 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-17 242896]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-17 308064]
    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
    R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-24 312152]
    R3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [2010-5-15 616064]
    R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 341504]
    S1 SBRE;SBRE; [x]
    S2 RapportMgmtService;Rapport Management Service; [x]
    S3 massfilter;ZTE Mass Storage Filter Driver; [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-6-8 38224]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-3-17 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-3-17 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-3-17 23936]
    S3 MTK;Media Technology Kernel Driver; [x]
    S3 TFilter;TFilter; [x]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-05-15 23:59:22 304160 ----a-w- C:\PA207.DAT
    2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
    2007-12-28 20:02:12 287232 ----a-w- c:\windows\inf\wg111v3\wg111v3.sys
    2007-12-28 19:59:30 342528 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
    2007-11-27 22:53:58 63488 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
    2007-11-27 22:52:44 32768 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
    2006-12-15 16:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
    2006-12-15 16:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
    2006-12-15 16:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
    2006-12-15 16:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
    2006-12-15 16:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
    2008-12-07 04:45:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008120620081207\index.dat

    ============= FINISH: 6:14:16.70 ===============


    Attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/31/2008 9:57:49 PM
    System Uptime: 7/3/2010 5:40:19 AM (1 hours ago)

    Motherboard: Dell Computer Corp. | | 0H6405
    Processor: Intel(R) Pentium(R) 4 CPU 2.26GHz | Microprocessor | 2261/533mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 16.399 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 6/17/2010 5:41:38 PM - System Checkpoint
    RP2: 6/18/2010 11:48:42 AM - Avg Update
    RP3: 6/19/2010 11:55:56 AM - System Checkpoint
    RP4: 6/20/2010 12:55:56 PM - System Checkpoint
    RP5: 6/21/2010 1:55:55 PM - System Checkpoint
    RP6: 6/22/2010 2:25:29 PM - System Checkpoint
    RP7: 6/23/2010 8:54:26 PM - System Checkpoint
    RP8: 6/24/2010 3:00:19 AM - Software Distribution Service 3.0
    RP9: 6/25/2010 5:08:35 AM - System Checkpoint
    RP10: 6/25/2010 11:16:19 AM - Avg Update
    RP11: 6/26/2010 1:07:26 PM - System Checkpoint
    RP12: 6/27/2010 1:30:30 PM - System Checkpoint
    RP13: 6/29/2010 3:07:50 PM - System Checkpoint
    RP14: 6/30/2010 3:50:53 PM - System Checkpoint
    RP15: 7/1/2010 4:49:17 PM - System Checkpoint
    RP16: 7/2/2010 7:09:56 PM - System Checkpoint

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.2.3
    Advanced SystemCare 3
    AVG Free 9.0
    Bejeweled 2 Deluxe
    Bewitched
    Big Fish Games: Game Manager
    Bricks of Camelot
    Bubblefish Bob
    Canon MP190 series MP Drivers
    Crash Analysis Tool
    Dell Client Configuration Utility - Powered by Altiris
    Dell TrueMobile 2300 Control Utility
    Digital Line Detect
    Diner Dash
    Escape Whisper Valley
    Feeding Frenzy
    GoGear VIBE Device Manager
    Google Updater
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB981793)
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet
    IObit Security 360
    Java(TM) 6 Update 13
    Junk Mail filter update
    LimeWire 5.5.10
    Luxor
    Luxor - Amun Rising
    Luxor 2
    Mah Jong Quest
    Mahjong The Endless Journey
    Malwarebytes' Anti-Malware
    Media Converter for Philips
    Memory Key Boot Utility
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft ASP.NET 2.0 AJAX Extensions 1.0
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Windows XP Video Decoder Checkup Utility
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mystery P.I.(TM) - The New York Fortune
    NETGEAR WG111v3 wireless USB 2.0 adapter
    Network Magic
    OGA Notifier 2.0.0048.0
    OMCI
    PayPal Plug-In
    PC CIF Camer@
    PC Fixer
    Pharaoh's Secret
    Phlinx To Go
    Pure Networks Platform
    QuickConnect
    Sally's Spa
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB982135)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Segoe UI
    Shape Shifter
    Smart Defrag
    SoundMAX
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Word 2007 (KB974631)
    Update for Outlook 2007 Junk Email Filter (kb983486)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Water Bugs
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Writer
    Windows Media Player 11
    Windows PowerShell(TM) 1.0

    ==== Event Viewer Messages From Past Week ========

    7/3/2010 5:41:14 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 00223FF11119 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    7/2/2010 10:16:40 PM, information: Windows File Protection [64021] - The system file c:\windows\system32\inetsrv\certmap.ocx could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability.
    7/2/2010 10:16:40 PM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Mom.
    7/2/2010 10:16:15 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
    6/27/2010 1:27:31 AM, error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    6/26/2010 8:38:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SBRE
    6/26/2010 8:38:26 PM, error: Service Control Manager [7001] - The Windows Media Player Network Sharing Service service depends on the Universal Plug and Play Device Host service which failed to start because of the following error: The dependency service or group failed to start.
    6/26/2010 8:38:26 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    6/26/2010 8:38:26 PM, error: Service Control Manager [7000] - The Rapport Management Service service failed to start due to the following error: The system cannot find the path specified.
    6/26/2010 8:38:26 PM, error: Service Control Manager [7000] - The MCSTRM service failed to start due to the following error: The system cannot find the file specified.
    6/26/2010 8:38:22 PM, error: Print [23] - Printer TinyPDF failed to initialize because a suitable TinyPDF driver could not be found.
    6/26/2010 8:38:22 PM, error: Print [23] - Printer Microsoft XPS Document Writer failed to initialize because a suitable Microsoft XPS Document Writer driver could not be found.

    ==== End Of File ===========================

    Any help you can provide would be greatly appreciated. Thank you
     
    EMB,
    #1
  2. 2010/07/03
    Admin.

    Admin. Administrator Staff

    I see you have P2P software (Azureus, Limewire, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     

  4. 2010/07/03
    EMB

    EMB Inactive Thread Starter

    Actually, I had uninstalled Limewire. Did you see any others on there? Is the Limewire still able to access my system? I uninstalled via the control panel --> add/remove software application. I thought I got all of it.
     
    EMB,
    #3
  5. 2010/07/03
    broni

    broni Moderator Malware Analyst

    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
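    How to read the "User code sections" lines that the GMER rootkit scan in STEP 2 writes, as an added example that is not part of this thread or of GMER itself. It is a small Python triage script: the line format is assumed from the GMER 1.0.15 log posted later in this thread, the sample lines are constructed copies of that shape, and the names parse_hooks, triage and shared_hook_sets are hypothetical. It separates hooks GMER attributed to a named module from those it could not, groups them per process, and lists hook sets that recur across processes.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of GMER 1.0.15 "User code sections" output.
# The last line is a kernel-section entry with a different layout; it is kept
# to show that unrecognised lines are reported rather than silently dropped.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\IObit\IObit Security 360\is360.exe[612] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 025DB8F9
.text C:\Program Files\IObit\IObit Security 360\is360.exe[612] WS2_32.dll!send 71AB4C27 5 Bytes JMP 025DB485
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1096] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0127B8F9
.text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1096] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0127B485
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1220] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01B8BB60
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF687EF80]
"""

# One user-mode inline hook line (assumed layout):
#   <section> <process path>[<pid>] <module>!<export> <addr> <n> Bytes <patch> <target> [<target module> (<vendor>)]
HOOK_RE = re.compile(
    r"^(?P<section>\.text|init)\s+"
    r"(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?P<patch>\S+)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<target_module>\S+)\s+\((?P<vendor>[^)]*)\))?\s*$"
)


def parse_hooks(text):
    """Return (hooks, unparsed): parsed hook dicts and lines that did not match."""
    hooks, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section banners carry no hook data
        m = HOOK_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["size"] = int(h["size"])
        hooks.append(h)
    return hooks, unparsed


def triage(hooks):
    """Group hooks per (process, pid) and split them into hooks whose JMP target
    GMER resolved to a named module and hooks it could not attribute at all.
    Unattributed targets are the ones worth a closer look: the patched bytes
    jump into memory that belongs to no loaded module GMER recognised."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[(h["process"], h["pid"])].append(h)
    report = {}
    for key, hs in by_proc.items():
        report[key] = {
            "attributed": [h for h in hs if h["target_module"]],
            "unattributed": [h for h in hs if not h["target_module"]],
        }
    return report


def shared_hook_sets(hooks):
    """Unattributed hooks that patch the same export with the same size in more
    than one process. An identical set present in every process usually comes
    from one system-wide hooking component; compare it against the security
    software in the DDS log before treating it as malicious."""
    pids = defaultdict(set)
    for h in hooks:
        if not h["target_module"]:
            pids[(h["module"], h["export"], h["size"])].add(h["pid"])
    return {k: sorted(v) for k, v in pids.items() if len(v) > 1}


if __name__ == "__main__":
    hooks, unparsed = parse_hooks(SAMPLE_LOG)
    for (proc, pid), groups in triage(hooks).items():
        print(f"{proc} [{pid}]: {len(groups['attributed'])} attributed, "
              f"{len(groups['unattributed'])} unattributed hook(s)")
        for h in groups["unattributed"]:
            print(f"    {h['module']}!{h['export']} -> {h['target']} (no module)")
    for (mod, exp, size), pids in shared_hook_sets(hooks).items():
        print(f"shared: {mod}!{exp} ({size} bytes) in pids {pids}")
    print(f"{len(unparsed)} line(s) not parsed")
```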
     
  6. 2010/07/04
    EMB

    EMB Inactive Thread Starter

    Malware log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4226

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/4/2010 7:14:24 AM
    mbam-log-2010-07-04 (07-14-24).txt

    Scan type: Quick scan
    Objects scanned: 175700
    Time elapsed: 38 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
    EMB,
    #5
  7. 2010/07/04
    broni

    broni Moderator Malware Analyst

    Go on....
     
  8. 2010/07/04
    EMB

    EMB Inactive Thread Starter

    GMER log part I

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-07-04 15:06:45
    Windows 5.1.2600 Service Pack 3
    Running: i84xkydc[1].exe; Driver: C:\DOCUME~1\Mom\LOCALS~1\Temp\awtdypod.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF687EF80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\IObit\IObit Security 360\is360.exe[612] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 025DB8F9
    .text C:\Program Files\IObit\IObit Security 360\is360.exe[612] WS2_32.dll!send 71AB4C27 5 Bytes JMP 025DB485
    .text C:\Program Files\IObit\IObit Security 360\is360.exe[612] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 025DB7AA
    .text C:\Program Files\IObit\IObit Security 360\is360.exe[612] WS2_32.dll!recv 71AB676F 5 Bytes JMP 025DB564
    .text C:\Program Files\IObit\IObit Security 360\is360.exe[612] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 025DB637
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[624] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0082B8F9
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0082B485
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[624] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0082B7AA
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[624] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0082B564
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[624] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0082B637
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1016] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0169B8F9
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1016] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0169B485
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1016] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0169B7AA
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1016] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0169B564
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[1016] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0169B637
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1096] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0127B8F9
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1096] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0127B485
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1096] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0127B7AA
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1096] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0127B564
    .text C:\Program Files\Dell\OpenManage\Client\Iap.exe[1096] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0127B637
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01B8BEF8
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 01B8BFC8
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 01B8BA90
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01B8B9AA
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01B8BCB5
    .text C:\Program Files\Internet Explorer\iexplore.exe[1220] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01B8BB60
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1260] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F6B8F9
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1260] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F6B485
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1260] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F6B7AA
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1260] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F6B564
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1260] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F6B637
    .text C:\Program Files\IObit\IObit Security 360\IS360srv.exe[1588] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010CB8F9
    .text C:\Program Files\IObit\IObit Security 360\IS360srv.exe[1588] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010CB485
    .text C:\Program Files\IObit\IObit Security 360\IS360srv.exe[1588] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010CB7AA
    .text C:\Program Files\IObit\IObit Security 360\IS360srv.exe[1588] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010CB564
    .text C:\Program Files\IObit\IObit Security 360\IS360srv.exe[1588] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010CB637
    .text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 020A0001
    .text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\Explorer.EXE[1768] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\Explorer.EXE[1768] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
    .text C:\WINDOWS\Explorer.EXE[1768] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FBB8F9
    .text C:\WINDOWS\Explorer.EXE[1768] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FBB485
    .text C:\WINDOWS\Explorer.EXE[1768] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FBB7AA
    .text C:\WINDOWS\Explorer.EXE[1768] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FBB564
    .text C:\WINDOWS\Explorer.EXE[1768] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FBB637
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1888] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03A1B8F9
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1888] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03A1B485
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1888] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03A1B7AA
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1888] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03A1B564
    .text C:\Program Files\AVG\AVG9\avgwdsvc.exe[1888] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03A1B637
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2116] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011EB8F9
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2116] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011EB485
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2116] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011EB7AA
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2116] WS2_32.dll!recv 71AB676F 5 Bytes JMP 011EB564
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe[2116] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011EB637
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\WINDOWS\system32\ctfmon.exe[2476] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AC0001
    .text C:\WINDOWS\system32\ctfmon.exe[2476] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2476] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
    .text C:\WINDOWS\system32\ctfmon.exe[2476] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[2528] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0174B8F9
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[2528] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0174B485
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[2528] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0174B7AA
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[2528] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0174B564
    .text C:\Program Files\AVG\AVG9\avgnsx.exe[2528] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0174B637
    .text C:\WINDOWS\system32\SearchIndexer.exe[2680] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[2680] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0B1AB8F9
    .text C:\WINDOWS\system32\SearchIndexer.exe[2680] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0B1AB485
    .text C:\WINDOWS\system32\SearchIndexer.exe[2680] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0B1AB7AA
    .text C:\WINDOWS\system32\SearchIndexer.exe[2680] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0B1AB564
    .text C:\WINDOWS\system32\SearchIndexer.exe[2680] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0B1AB637
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E30001
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0111B8F9
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0111B485
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0111B7AA
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0111B564
    .text c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[2952] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0111B637
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[2992] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0153B8F9
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[2992] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0153B485
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[2992] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0153B7AA
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[2992] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0153B564
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[2992] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0153B637
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3156] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0124B8F9
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3156] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0124B485
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3156] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0124B7AA
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3156] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0124B564
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3156] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0124B637
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B80001
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0191B8F9
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0191B485
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0191B7AA
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0191B564
    .text C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe[3244] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0191B637
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00EB0001
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0047B8F9
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0047B485
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0047B7AA
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0047B564
    .text C:\Program Files\Microsoft IntelliType Pro\itype.exe[3352] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0047B637
    .text C:\WINDOWS\System32\alg.exe[3428] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C2B8F9
    .text C:\WINDOWS\System32\alg.exe[3428] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C2B485
    .text C:\WINDOWS\System32\alg.exe[3428] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C2B7AA
    .text C:\WINDOWS\System32\alg.exe[3428] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C2B564
    .text C:\WINDOWS\System32\alg.exe[3428] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C2B637
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 0056B8F9
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0056B485
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 0056B7AA
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] WS2_32.dll!recv 71AB676F 5 Bytes JMP 0056B564
    .text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3464] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0056B637
    .text C:\Program Files\IObit\IObit Security 360\IS360tray.exe[3740] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01B1B8F9
    .text C:\Program Files\IObit\IObit Security 360\IS360tray.exe[3740] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01B1B485
    .text C:\Program Files\IObit\IObit Security 360\IS360tray.exe[3740] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01B1B7AA
    .text C:\Program Files\IObit\IObit Security 360\IS360tray.exe[3740] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01B1B564
    .text C:\Program Files\IObit\IObit Security 360\IS360tray.exe[3740] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01B1B637
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI}
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f}
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01230001
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ADVAPI32.dll!CreateProcessAsUserW 77DEA8A9 6 Bytes JMP 5F100F5A
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ADVAPI32.dll!CreateProcessWithLogonW 77E15FFD 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E16001 2 Bytes [05, 5F]
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ADVAPI32.dll!CreateServiceA 77E37211 6 Bytes JMP 5F190F5A
    .text C:\Program Files\NETGEAR\WG111v3\WG111v3.exe[3984] ADVAPI32.dll!CreateServiceW 77E373A9 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!InternetReadFile 3D94654B 3 Bytes JMP 021FBEF8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!InternetReadFile + 4 3D94654F 1 Byte [C4]
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!InternetCloseHandle 3D949088 3 Bytes JMP 021FBFC8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!InternetCloseHandle + 4 3D94908C 1 Byte [C4]
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 021FBA90
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 021FB9AA
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 021FBCB5
    .text C:\Program Files\Internet Explorer\iexplore.exe[4724] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 021FBB60
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0205BEF8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0205BFC8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0205BA90
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 0205B9AA
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0205BCB5
    .text C:\Program Files\Internet Explorer\iexplore.exe[4784] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0205BB60
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0240BEF8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0240BFC8
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0240BA90
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 0240B9AA
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0240BCB5
    .text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0240BB60
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0260BEF8
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] WININET.dll!InternetCloseHandle 3D949088 5 Bytes JMP 0260BFC8
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0260BA90
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 0260B9AA
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 0260BCB5
    .text C:\Program Files\Internet Explorer\iexplore.exe[5044] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0260BB60

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[4724] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[4808] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
    IAT C:\Program Files\Internet Explorer\iexplore.exe[5044] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
     
    EMB,
    #7
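The hook lines in the GMER log above are the security-relevant part of this post. In both iexplore.exe processes the USER32 and ole32 detours land in IEFRAME.dll, which GMER names as the owner, while the WININET.dll hooks (InternetReadFile, InternetCloseHandle, HttpOpenRequestA, InternetConnectA, HttpSendRequestA/W) jump to 0240xxxx / 0260xxxx addresses with no module behind them, i.e. into code injected into the browser, which sits exactly on the request path a search-redirect hijacker would need. The script below is an added example, not part of the original post and not GMER's own code: it parses such lines and flags the unattributed ones. The sample lines are constructed from the log and abridged, and treating "no module after the JMP target" as the signal is this example's heuristic, not GMER's verdict.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the GMER ".text" inline-hook lines posted above
# (abridged to a handful of entries; the real log has one line per hooked export).
SAMPLE_GMER = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[4808] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 0240BEF8
.text C:\Program Files\Internet Explorer\iexplore.exe[4808] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 0240BB60
.text C:\Program Files\Internet Explorer\iexplore.exe[5044] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5044] WININET.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 0260BA90
"""

# One GMER user-mode inline hook line:
#   .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner path> (<vendor>)]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# WinINet exports a traffic/search hijacker has to sit on to rewrite requests or responses.
NETWORK_EXPORTS = {
    "InternetReadFile", "InternetCloseHandle", "HttpOpenRequestA", "HttpOpenRequestW",
    "InternetConnectA", "InternetConnectW", "HttpSendRequestA", "HttpSendRequestW",
}


def parse_hooks(text: str) -> List[Dict[str, object]]:
    """Parse every GMER '.text' hook line into a dict; non-matching lines are skipped."""
    hooks: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d: Dict[str, object] = dict(m.groupdict())
        d["pid"] = int(m["pid"])
        d["addr"] = int(m["addr"], 16)
        d["target"] = int(m["target"], 16)
        hooks.append(d)
    return hooks


def is_suspicious(hook: Dict[str, object]) -> bool:
    """Heuristic assumed by this example (not GMER's own verdict): a JMP whose
    destination GMER could not attribute to any loaded module points at code that
    was injected into the process, not at a DLL's legitimate detour."""
    return hook["owner"] is None


def triage(text: str) -> Dict[int, List[str]]:
    """Map pid -> ['MODULE!Export -> target', ...] for the unattributed hooks."""
    out: Dict[int, List[str]] = {}
    for h in parse_hooks(text):
        if is_suspicious(h):
            out.setdefault(h["pid"], []).append(
                f"{h['module']}!{h['export']} -> {h['target']:08X}")
    return out


def hijacker_like(text: str) -> List[int]:
    """PIDs in which unattributed hooks cover WinINet's request/read path."""
    pids = set()
    for h in parse_hooks(text):
        if is_suspicious(h) and h["export"] in NETWORK_EXPORTS:
            pids.add(h["pid"])
    return sorted(pids)


if __name__ == "__main__":
    for pid, entries in triage(SAMPLE_GMER).items():
        print(pid)
        for e in entries:
            print("   ", e)
    print("hijacker-like processes:", hijacker_like(SAMPLE_GMER))
```

Run against the full log, the same script lists the same six WININET exports for each of the three iexplore.exe PIDs and nothing from USER32 or ole32, which is the pattern to look for before the redirect itself is ever reproduced.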
  9. 2010/07/04
    EMB (Inactive Thread Starter)
    GMER Log Part II

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{B4FCDE79-9CD1-1EAA-C601-9A5655F73423}\InprocServer32@ activeds.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{B4FCDE79-9CD1-1EAA-C601-9A5655F73423}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{B4FCDE79-9CD1-1EAA-C601-9A5655F73423}\ProgID@ Pathname
    Reg HKLM\SOFTWARE\Classes\CLSID\{B4FCDE79-9CD1-1EAA-C601-9A5655F73423}\TypeLib@ {97d25db0-0363-11cf-abc4-02608c9e7553}
    Reg HKLM\SOFTWARE\Classes\CLSID\{B4FCDE79-9CD1-1EAA-C601-9A5655F73423}\Version@ 0.0

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 08: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 09: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 12: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 13: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 19: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 20: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 21: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 24: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 25: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 26: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 27: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 28: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 30: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 31: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 34: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 35: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 36: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 38: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 40: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 41: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 42: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 43: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 44: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 45: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 46: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 47: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 48: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 50: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 51: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 52: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 55: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 56: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 58: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 59: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----
     
    EMB,
    #8
  10. 2010/07/04
    broni (Moderator Malware Analyst)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. 2010/07/04
    EMB (Inactive Thread Starter)
    I am unable to run combofix. It says AVG is running (uninstalled) and then says it cannot rename the program to combofix[1] and instructs me to choose another name although I have not tried to rename it in the first place.
     
    EMB,
    #10
  12. 2010/07/04
    broni (Moderator Malware Analyst)
    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Double-click mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  13. 2010/07/04
    EMB (Inactive Thread Starter)
    ComboFix log

    After installing and uninstalling AVG again I was able to run ComboFix. Here's the log.

    ComboFix 10-07-04.01 - Mom 07/04/2010 20:36:47.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.701 [GMT -4:00]
    Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Downloaded Installers

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-05 to 2010-07-05 )))))))))))))))))))))))))))))))
    .

    2010-07-04 21:54 . 2010-07-04 21:54 -------- d-----w- c:\program files\AVG
    2010-07-04 21:53 . 2010-07-04 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-07-03 09:54 . 2010-07-03 09:54 -------- d-----w- c:\program files\Trend Micro
    2010-06-30 13:30 . 2010-06-30 13:30 -------- d-----w- c:\program files\ReflexiveArcade
    2010-06-30 13:27 . 2010-06-30 13:27 -------- d-----w- c:\documents and settings\Lawrence.MSHOME\Application Data\EA
    2010-06-30 13:20 . 2010-07-04 04:05 -------- d-----w- c:\documents and settings\Lawrence.MSHOME\Application Data\LimeWire
    2010-06-28 00:39 . 2010-06-28 00:39 -------- d-----w- c:\documents and settings\Mom\Application Data\Enki Games
    2010-06-28 00:23 . 2010-06-28 01:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-28 00:02 . 2010-07-02 19:26 -------- d-----w- c:\program files\BigFish
    2010-06-28 00:02 . 2010-06-28 00:02 -------- d-----w- c:\program files\bfgclient
    2010-06-28 00:01 . 2010-06-28 00:01 3085800 ----a-w- c:\documents and settings\All Users\Application Data\BigFishGamesCache\Upgrade\Unpack\bfgsetup_s1_l1.exe
    2010-06-28 00:01 . 2010-06-28 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
    2010-06-27 04:39 . 2010-06-27 04:39 -------- d-----w- c:\documents and settings\Mom\Application Data\PopCapv1000
    2010-06-26 00:34 . 2010-06-26 00:34 -------- d-----w- c:\documents and settings\Mom\Application Data\Digital Support
    2010-06-26 00:34 . 2010-06-26 00:34 -------- d-----w- c:\program files\Digital Support
    2010-06-18 15:53 . 2010-06-18 15:53 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
    2010-06-11 18:27 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-08 23:48 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-08 23:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-08 23:48 . 2010-06-08 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-04 19:31 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Mom\Application Data\Pharaohs Secret
    2010-06-27 17:06 . 2010-01-24 17:46 84 ----a-w- c:\windows\popcinfot.dat
    2010-06-27 04:39 . 2009-04-26 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
    2010-06-25 00:03 . 2010-03-02 01:16 -------- d-----w- c:\documents and settings\Mom\Application Data\IObit
    2010-06-25 00:03 . 2010-01-22 02:59 -------- d-----w- c:\program files\IObit
    2010-06-17 20:40 . 2009-12-13 02:08 -------- d-----w- c:\program files\Common Files\AntiVirus
    2010-06-17 20:34 . 2010-03-05 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-06-17 20:34 . 2010-03-06 15:07 -------- d--h--r- c:\documents and settings\Mom\Application Data\yahoo!
    2010-06-17 20:31 . 2008-12-09 05:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-17 20:30 . 2009-12-25 21:35 -------- d-----w- c:\program files\Philips
    2010-06-12 07:19 . 2010-05-22 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-06 02:48 . 2010-05-08 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
    2010-06-03 23:50 . 2010-06-03 23:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
    2010-06-03 23:49 . 2010-06-03 23:49 -------- d--h--w- c:\program files\CanonBJ
    2010-05-23 00:42 . 2010-03-09 01:50 76032 ----a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-22 23:56 . 2010-05-22 02:58 -------- d-----w- c:\program files\Microsoft Works
    2010-05-22 14:39 . 2010-03-04 15:29 76032 ----a-w- c:\documents and settings\Lawrence.MSHOME\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-22 03:01 . 2010-05-22 02:32 -------- d-----w- c:\documents and settings\Mom\Application Data\GetRightToGo
    2010-05-22 02:56 . 2010-05-22 02:56 -------- d-----w- c:\program files\Microsoft.NET
    2010-05-22 01:42 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Mom\Application Data\InstallShield
    2010-05-15 23:59 . 2010-05-15 23:59 304160 ----a-w- C:\PA207.DAT
    2010-05-15 23:40 . 2010-05-15 23:40 -------- d-----w- c:\program files\Common Files\PAC207
    2010-05-15 23:40 . 2010-05-15 23:40 -------- d-----w- c:\program files\PC Camera
    2010-05-11 14:58 . 2010-05-11 14:58 -------- d-----w- c:\documents and settings\Lawrence.MSHOME\Application Data\Avanquest
    2010-05-09 22:44 . 2010-05-09 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
    2010-05-09 15:22 . 2010-05-09 14:21 -------- d-----w- c:\documents and settings\Mom\Application Data\ArcSoft
    2010-05-09 14:21 . 2009-07-07 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-08 23:25 . 2009-12-25 21:39 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-05-08 23:25 . 2010-05-08 23:24 -------- d-----w- c:\documents and settings\Lawrence.MSHOME\Application Data\ArcSoft
    2010-05-08 17:02 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Mom\Application Data\Windows Search
    2010-05-08 12:27 . 2010-03-04 03:07 -------- d-----w- c:\documents and settings\Lawrence.MSHOME\Application Data\Windows Search
    2010-05-08 05:22 . 2009-05-24 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-05-08 05:01 . 2009-06-24 04:53 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Bytemobile
    2010-05-08 04:59 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Mom\Application Data\Bytemobile
    2010-05-08 04:59 . 2009-06-24 04:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Bytemobile
    2010-05-08 04:58 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Lawrence.MSHOME\Application Data\Bytemobile
    2010-05-08 04:57 . 2010-01-07 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
    2010-05-08 04:57 . 2009-08-24 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-05-08 04:57 . 2008-12-18 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-05-08 04:57 . 2010-01-07 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PoBros
    2010-05-08 04:57 . 2010-01-04 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
    2010-05-08 04:57 . 2009-08-31 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
    2010-05-08 04:57 . 2010-03-10 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
    2010-05-08 04:57 . 2010-02-19 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
    2010-05-08 04:12 . 2010-05-08 04:12 -------- d-----w- c:\windows\Fonts\AdvUninstal
    2010-05-08 04:12 . 2010-05-08 04:12 -------- d-----w- c:\program files\Common Files\Innovative Solutions
    2010-05-07 00:23 . 2009-12-13 02:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Avanquest
    2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-28 15:30 . 2010-03-29 00:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-28 13:59 . 2010-04-28 13:59 862872 ----a-w- c:\documents and settings\Lawrence.MSHOME\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe
    2010-04-20 18:09 . 2010-05-09 22:44 108544 --s-a-r- c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
    2010-04-20 18:07 . 2010-05-09 22:44 180224 --s-a-r- c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-15 23:51 . 2010-04-15 23:51 0 ----a-w- c:\windows\nsreg.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-29 68856]
    "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear VIBE Device Manager.lnk]
    backup=c:\windows\pss\Philips GoGear VIBE Device Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ACDaemon"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\NETGEAR\\WG111v3\\WG111v3.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3521:TCP"= 3521:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "3526:TCP"= 3526:TCP:Services
    "5552:TCP"= 5552:TCP:Services
    "4897:TCP"= 4897:TCP:Services
    "8294:TCP"= 8294:TCP:Services
    "4644:TCP"= 4644:TCP:Services
    "7788:TCP"= 7788:TCP:Services
    "3847:TCP"= 3847:TCP:Services
    "6194:TCP"= 6194:TCP:Services
    "6177:TCP"= 6177:TCP:Services
    "6178:TCP"= 6178:TCP:Services
    "8041:TCP"= 8041:TCP:Services
    "8040:TCP"= 8040:TCP:Services
    "5522:TCP"= 5522:TCP:Services
    "9544:TCP"= 9544:TCP:Services
    "7068:TCP"= 7068:TCP:Services
    "7069:TCP"= 7069:TCP:Services
    "3554:TCP"= 3554:TCP:Services
    "5608:TCP"= 5608:TCP:Services
    "1587:TCP"= 1587:TCP:Services
    "1674:TCP"= 1674:TCP:Services

    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 4:13 PM 38144]
    R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [6/24/2010 7:46 PM 312152]
    R3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [5/15/2010 7:40 PM 616064]
    R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 6:02 PM 341504]
    S1 SBRE;SBRE; [x]
    S2 RapportMgmtService;Rapport Management Service; [x]
    S3 massfilter;ZTE Mass Storage Filter Driver; [x]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [3/17/2010 9:10 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [3/17/2010 9:10 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [3/17/2010 9:10 PM 23936]
    S3 MTK;Media Technology Kernel Driver; [x]
    S3 TFilter;TFilter; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-05 c:\windows\Tasks\AWC AutoSweep.job
    - c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-06-17 18:11]

    2010-07-04 c:\windows\Tasks\AWC Update.job
    - c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2010-06-17 21:20]

    2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:50]

    2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:50]

    2008-12-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]

    2010-06-28 c:\windows\Tasks\SmartDefrag.job
    - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-06-25 16:57]

    2010-07-05 c:\windows\Tasks\User_Feed_Synchronization-{16C4A0D6-9F78-41A8-9EF6-6FD64A3BB799}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]

    2010-07-04 c:\windows\Tasks\User_Feed_Synchronization-{64723102-B970-42F0-B2B1-907D4C6AF869}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]

    2010-07-04 c:\windows\Tasks\User_Feed_Synchronization-{EFDDE715-A7F7-44F2-9EF4-17D3F8D66D2C}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://eus.avanquest.com/gotoCart.php?SERIAL_NUM=A112-0273-8A4K-UG1X-3NKA-7JPR&PROD_ID=A112-0273
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{de1b6629-3757-4a45-98b6-11edf84f89aa} - (no file)
    BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{DE1B6629-3757-4A45-98B6-11EDF84F89AA} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    ShellIconOverlayIdentifiers-{21C2286A-629D-49A2-852A-E1BCB1F43310} - (no file)
    MSConfigStartUp-VantagePointLite - (no file)
    AddRemove-Escape Whisper Valley - c:\program files\PopCap Games\Escape Whisper Valley\PopUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-04 20:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x85CDA78A]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7525f28
    \Driver\ACPI -> ACPI.sys @ 0xf7498cb8
    \Driver\atapi -> ntoskrnl.exe @ 0x805c7abe
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: -> SendCompleteHandler -> 0x0
    PacketIndicateHandler -> 0x0
    SendHandler -> 0x0
    copy of MBR has been found in sector 0x04A7D57E
    malicious code @ sector 0x04A7D581 !
    PE file found in sector at 0x04A7D597 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-07-04 20:46:21
    ComboFix-quarantined-files.txt 2010-07-05 00:46

    Pre-Run: 17,169,760,256 bytes free
    Post-Run: 17,338,281,984 bytes free

    - - End Of File - - BBCB64C492BCE9CB78F1C3DA822A27BF
     
    EMB,
    #12
  14. 2010/07/04
    broni (Moderator, Malware Analyst)

    Very good, but I still want you to run MBR Rootkit Detector
     
  15. 2010/07/04
    EMB (Thread Starter)

    MBR log

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    copy of MBR has been found in sector 0x04A7D57E
    malicious code @ sector 0x04A7D581 !
    PE file found in sector at 0x04A7D597 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
     
    EMB,
    #14
  16. 2010/07/04
    broni (Moderator, Malware Analyst)

    Go Start>Run (Vista/7 users "Start search"), type in:
    cmd
    Click OK (Vista/7 users, hold CTRL and SHIFT keys, press Enter)

    At the DOS prompt copy/paste:
    "%userprofile%\desktop\mbr.exe" -f (<------make sure you have a space before the -f)
    Hit Enter.

    Type:
    exit
    Hit Enter.

    Restart the computer normally.

    Run the mbr.exe again.
    Post new log.
     
  17. 2010/07/05
    EMB (Thread Starter)

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x04A7D57E
    malicious code @ sector 0x04A7D581 !
    PE file found in sector at 0x04A7D597 !
     
    EMB,
    #16
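The mbr.exe logs in this thread show the same disk in two states: before `mbr.exe -f` (hooks on `\Driver\Disk`, `\Driver\ACPI` and `\Driver\atapi`, an `>>UNKNOWN [0x85CDA78A]<<` module in the disk call chain, and "MBR rootkit infection detected"), and after it ("user & kernel MBR OK", while the saved MBR copy, the malicious code and the PE file are still reported at sectors 0x04A7D57E, 0x04A7D581 and 0x04A7D597). The parser below is an added example, not code from Gmer, mbr.exe, ComboFix or any poster: it pulls those fields out of an mbr.exe log and classifies the result. The sample inputs are copied from the logs posted above; the labels `active`, `residual` and `clean` are this example's own vocabulary, not strings mbr.exe prints.

```python
"""Parse Gmer mbr.exe (Stealth MBR rootkit/Mebroot/Sinowal detector) logs and
decide whether a log shows an active MBR infection, leftover sectors after
"mbr.exe -f", or a clean disk.  Added example for this thread; not code from
Gmer, mbr.exe, ComboFix or any poster.  Sample logs are from EMB's posts."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# e.g. "\Driver\Disk -> CLASSPNP.SYS @ 0xf7525f28"
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9a-fA-F]+)$")
# e.g. "called modules: ... disk.sys >>UNKNOWN [0x85CDA78A]<<"
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# lines that report an absolute disk sector holding an artefact
SECTOR_MARKERS = {
    "copy of MBR has been found in sector": "mbr_copy",
    "malicious code @ sector": "malicious_code",
    "PE file found in sector at": "pe_file",
}

@dataclass
class MbrReport:
    mbr_ok: bool = False                  # "user & kernel MBR OK" present
    infection_flagged: bool = False       # "MBR rootkit infection detected !" present
    driver_hooks: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    unknown_module: Optional[int] = None  # address of an unnamed module in the disk stack
    sectors: Dict[str, int] = field(default_factory=dict)

def parse_mbr_log(text: str) -> MbrReport:
    """Walk the log line by line; indentation (e.g. inside a ComboFix log) is ignored."""
    r = MbrReport()
    for raw in text.splitlines():
        s = raw.strip()
        if s == "user & kernel MBR OK":
            r.mbr_ok = True
            continue
        if s.startswith("MBR rootkit infection detected"):
            r.infection_flagged = True
            continue
        m = UNKNOWN_RE.search(s)
        if m:
            r.unknown_module = int(m.group(1), 16)
            continue
        m = HOOK_RE.match(s)
        if m:
            r.driver_hooks[m.group(1)] = (m.group(2), int(m.group(3), 16))
            continue
        for marker, key in SECTOR_MARKERS.items():
            if s.startswith(marker):
                r.sectors[key] = int(s[len(marker):].strip(" !"), 16)
    return r

def classify(r: MbrReport) -> str:
    """active:   hooks, an unknown module, or the infection line are still reported
    residual: the MBR verifies OK but the saved copy / payload sectors are still listed
    clean:    the MBR verifies OK and nothing else is reported"""
    if r.infection_flagged or r.driver_hooks or r.unknown_module is not None:
        return "active"
    if r.mbr_ok and r.sectors:
        return "residual"
    if r.mbr_ok:
        return "clean"
    return "indeterminate"

def relative_layout(r: MbrReport) -> Dict[str, int]:
    """Offsets (in sectors) of each artefact relative to the MBR copy, so logs
    from different disks can be compared without the absolute sector numbers."""
    base = r.sectors.get("mbr_copy")
    if base is None:
        return {}
    return {k: v - base for k, v in r.sectors.items()}

# Sample input: the mbr.exe section of EMB's first ComboFix log above.
LOG_BEFORE_FIX = r"""
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x85CDA78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7525f28
\Driver\atapi -> ntoskrnl.exe @ 0x805c7abe
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
"""

# Sample input: EMB's mbr.exe log after running "mbr.exe -f" (post #16 above).
LOG_AFTER_FIX = r"""
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x04A7D57E
malicious code @ sector 0x04A7D581 !
PE file found in sector at 0x04A7D597 !
"""

if __name__ == "__main__":
    for name, log in (("before -f", LOG_BEFORE_FIX), ("after -f", LOG_AFTER_FIX)):
        rep = parse_mbr_log(log)
        print(f"{name}: {classify(rep)} hooks={sorted(rep.driver_hooks)} layout={relative_layout(rep)}")
```

The post-fix log parses as `residual`: the boot sector itself now verifies, but the sectors mbr.exe flagged (the MBR copy at +0, the malicious code at +3 and the PE file at +25 sectors) are still reported. That distinction is the check worth making before calling a machine clean on the strength of "user & kernel MBR OK" alone.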
  18. 2010/07/05
    broni (Moderator, Malware Analyst)

    Very good :)

    Delete your GMER and Combofix files, download fresh ones and post both new logs.
     
  19. 2010/07/07
    EMB (Thread Starter)

    New ComboFix log

    ComboFix 10-07-06.03 - Mom 07/07/2010 6:04.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.538 [GMT -4:00]
    Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
    .

    2010-07-05 18:31 . 2010-07-05 18:31 -------- d-----w- c:\documents and settings\Lawrence.MSHOME
    2010-07-04 21:54 . 2010-07-04 21:54 -------- d-----w- c:\program files\AVG
    2010-07-04 21:53 . 2010-07-04 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-07-03 09:54 . 2010-07-03 09:54 -------- d-----w- c:\program files\Trend Micro
    2010-06-30 13:30 . 2010-06-30 13:30 -------- d-----w- c:\program files\ReflexiveArcade
    2010-06-28 00:39 . 2010-06-28 00:39 -------- d-----w- c:\documents and settings\Mom\Application Data\Enki Games
    2010-06-28 00:23 . 2010-06-28 01:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-06-28 00:02 . 2010-07-02 19:26 -------- d-----w- c:\program files\BigFish
    2010-06-27 04:39 . 2010-06-27 04:39 -------- d-----w- c:\documents and settings\Mom\Application Data\PopCapv1000
    2010-06-26 00:34 . 2010-06-26 00:34 -------- d-----w- c:\documents and settings\Mom\Application Data\Digital Support
    2010-06-26 00:34 . 2010-06-26 00:34 -------- d-----w- c:\program files\Digital Support
    2010-06-18 15:53 . 2010-06-18 15:53 -------- d-----w- c:\documents and settings\HelpAssistant\Tracing
    2010-06-11 18:27 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2010-06-08 23:48 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-08 23:48 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-08 23:48 . 2010-06-08 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-05 15:29 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Mom\Application Data\Pharaohs Secret
    2010-06-27 17:06 . 2010-01-24 17:46 84 ----a-w- c:\windows\popcinfot.dat
    2010-06-27 04:39 . 2009-04-26 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
    2010-06-25 00:03 . 2010-03-02 01:16 -------- d-----w- c:\documents and settings\Mom\Application Data\IObit
    2010-06-25 00:03 . 2010-01-22 02:59 -------- d-----w- c:\program files\IObit
    2010-06-17 20:40 . 2009-12-13 02:08 -------- d-----w- c:\program files\Common Files\AntiVirus
    2010-06-17 20:34 . 2010-03-05 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-06-17 20:34 . 2010-03-06 15:07 -------- d--h--r- c:\documents and settings\Mom\Application Data\yahoo!
    2010-06-17 20:31 . 2008-12-09 05:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-17 20:30 . 2009-12-25 21:35 -------- d-----w- c:\program files\Philips
    2010-06-12 07:19 . 2010-05-22 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-06 02:48 . 2010-05-08 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Innovative Solutions
    2010-06-03 23:50 . 2010-06-03 23:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
    2010-06-03 23:49 . 2010-06-03 23:49 -------- d--h--w- c:\program files\CanonBJ
    2010-05-23 00:42 . 2010-03-09 01:50 76032 ----a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-22 23:56 . 2010-05-22 02:58 -------- d-----w- c:\program files\Microsoft Works
    2010-05-22 03:01 . 2010-05-22 02:32 -------- d-----w- c:\documents and settings\Mom\Application Data\GetRightToGo
    2010-05-22 02:56 . 2010-05-22 02:56 -------- d-----w- c:\program files\Microsoft.NET
    2010-05-22 01:42 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Mom\Application Data\InstallShield
    2010-05-15 23:59 . 2010-05-15 23:59 304160 ----a-w- C:\PA207.DAT
    2010-05-15 23:40 . 2010-05-15 23:40 -------- d-----w- c:\program files\Common Files\PAC207
    2010-05-15 23:40 . 2010-05-15 23:40 -------- d-----w- c:\program files\PC Camera
    2010-05-09 22:44 . 2010-05-09 22:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
    2010-05-09 15:22 . 2010-05-09 14:21 -------- d-----w- c:\documents and settings\Mom\Application Data\ArcSoft
    2010-05-09 14:21 . 2009-07-07 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-08 23:25 . 2009-12-25 21:39 -------- d--h--w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-05-08 17:02 . 2010-03-04 03:05 -------- d-----w- c:\documents and settings\Mom\Application Data\Windows Search
    2010-05-08 04:12 . 2010-05-08 04:12 -------- d-----w- c:\windows\Fonts\AdvUninstal
    2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-28 15:30 . 2010-03-29 00:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-04-20 18:09 . 2010-05-09 22:44 108544 --s-a-r- c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
    2010-04-20 18:07 . 2010-05-09 22:44 180224 --s-a-r- c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
    2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-15 23:51 . 2010-04-15 23:51 0 ----a-w- c:\windows\nsreg.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-05_00.44.05 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-05 18:15 . 2010-07-05 18:15 16384 c:\windows\Temp\usgthrsvc\Perflib_Perfdata_4c4.dat
    + 2010-07-05 18:15 . 2010-07-05 18:15 16384 c:\windows\Temp\Perflib_Perfdata_3e0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-29 68856]
    "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-05-26 2346192]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-13 642856]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-7-1 2326528]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Philips GoGear VIBE Device Manager.lnk]
    backup=c:\windows\pss\Philips GoGear VIBE Device Manager.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    backup=c:\windows\pss\LimeWire On Startup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
    2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ACDaemon"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\NETGEAR\\WG111v3\\WG111v3.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3521:TCP"= 3521:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "3526:TCP"= 3526:TCP:Services
    "5552:TCP"= 5552:TCP:Services
    "4897:TCP"= 4897:TCP:Services
    "8294:TCP"= 8294:TCP:Services
    "4644:TCP"= 4644:TCP:Services
    "7788:TCP"= 7788:TCP:Services
    "3847:TCP"= 3847:TCP:Services
    "6194:TCP"= 6194:TCP:Services
    "6177:TCP"= 6177:TCP:Services
    "6178:TCP"= 6178:TCP:Services
    "8041:TCP"= 8041:TCP:Services
    "8040:TCP"= 8040:TCP:Services
    "5522:TCP"= 5522:TCP:Services
    "9544:TCP"= 9544:TCP:Services
    "7068:TCP"= 7068:TCP:Services
    "7069:TCP"= 7069:TCP:Services
    "3554:TCP"= 3554:TCP:Services
    "5608:TCP"= 5608:TCP:Services
    "1587:TCP"= 1587:TCP:Services
    "1674:TCP"= 1674:TCP:Services
    "8599:TCP"= 8599:TCP:Services
    "8600:TCP"= 8600:TCP:Services

    R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 4:13 PM 38144]
    R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [6/24/2010 7:46 PM 312152]
    R3 PAC207;PC Camer@;c:\windows\system32\drivers\PFC027.SYS [5/15/2010 7:40 PM 616064]
    R3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [12/28/2007 6:02 PM 341504]
    S1 SBRE;SBRE; [x]
    S2 RapportMgmtService;Rapport Management Service; [x]
    S3 massfilter;ZTE Mass Storage Filter Driver; [x]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [3/17/2010 9:10 PM 19712]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [3/17/2010 9:10 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [3/17/2010 9:10 PM 23936]
    S3 MTK;Media Technology Kernel Driver; [x]
    S3 TFilter;TFilter; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-05 c:\windows\Tasks\AWC AutoSweep.job
    - c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-06-17 18:11]

    2010-07-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-11 23:36]

    2010-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:50]

    2010-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-30 00:50]

    2008-12-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]

    2010-07-07 c:\windows\Tasks\User_Feed_Synchronization-{16C4A0D6-9F78-41A8-9EF6-6FD64A3BB799}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]

    2010-07-07 c:\windows\Tasks\User_Feed_Synchronization-{64723102-B970-42F0-B2B1-907D4C6AF869}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]

    2010-07-07 c:\windows\Tasks\User_Feed_Synchronization-{EFDDE715-A7F7-44F2-9EF4-17D3F8D66D2C}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://eus.avanquest.com/gotoCart.php?SERIAL_NUM=A112-0273-8A4K-UG1X-3NKA-7JPR&PROD_ID=A112-0273
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-07 06:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1308)
    c:\windows\system32\igfxdev.dll

    - - - - - - - > 'explorer.exe'(2184)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-07-07 06:11:10
    ComboFix-quarantined-files.txt 2010-07-07 10:10
    ComboFix2.txt 2010-07-05 18:31
    ComboFix3.txt 2010-07-05 00:46

    Pre-Run: 16,222,232,576 bytes free
    Post-Run: 16,204,869,632 bytes free

    - - End Of File - - 75761878A1C5C08BD36369F5C9887E66
     
    EMB,
    #18
  20. 2010/07/07
    broni (Moderator, Malware Analyst)

    I still need GMER log.
     
  21. 2010/07/07
    EMB (Thread Starter)

    GMER follow up

    It was taking too long to run this morning and I had to leave for work. I'll post this evening when I get home.
     
    EMB,
    #20
