Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


loads of problems. any help appreciated.


Re: loads of problems. any help appreciated.

Post by melboy » February 24th, 2011, 1:40 pm

Ok

Let me know how things are running after this cfscript - It may be that something is still on board blocking access to the online scans - we shall see.

If combofix prompts you to update it at any time please allow it to do so.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    DDS::
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=>%s
    
    Registry:: 
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12957:TCP"=-
    "8353:TCP"=-
    "25318:TCP"=-
    "13950:TCP"=-
    "9546:TCP"=-
    "12152:TCP"=-
    "5995:TCP"=-
    "25518:TCP"=-
    "10233:TCP"=-
    "29402:TCP"=-
    "7559:TCP"=-
    "21691:TCP"=-
    "19733:TCP"=-
    "11067:TCP"=-
    "8502:TCP"=-
    "21920:TCP"=-
    "13894:TCP"=-
    "28068:TCP"=-
    "26858:TCP"=-
    "22339:TCP"=-
    "24350:TCP"=-
    "28480:TCP"=-
    "21969:TCP"=-
    "11331:TCP"=-
    "25992:TCP"=-
    "15468:TCP"=-
    "14036:TCP"=-
    "14155:TCP"=-
    "5124:TCP"=-
    "7134:TCP"=-
    "23009:TCP"=-
    "24166:TCP"=-
    "23292:TCP"=-
    "20584:TCP"=-
    "6065:TCP"=-
    "18474:TCP"=-
    "7285:TCP"=-
    "7402:TCP"=-
    "25407:TCP"=-
    "14551:TCP"=-
    "28505:TCP"=-
    "24293:TCP"=-
    "29076:TCP"=-
    "29481:TCP"=-
    "17012:TCP"=-
    "7150:TCP"=-
    "19352:TCP"=-
    "21696:TCP"=-
    "22556:TCP"=-
    "21231:TCP"=-
    "6463:TCP"=-
    "26658:TCP"=-
    "24964:TCP"=-
    "24270:TCP"=-
    "7310:TCP"=-
    "26726:TCP"=-
    "17799:TCP"=-
    "28735:TCP"=-
    "21313:TCP"=-
    "10343:TCP"=-
    "12245:TCP"=-
    "7677:TCP"=-
    "14022:TCP"=-
    "14576:TCP"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\\windows\\system32\\userinit.exe,"
    
    Folder::
    c:\program files\fnrvobms
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: loads of problems. any help appreciated.

Post by ciaran » February 24th, 2011, 2:05 pm

ok, here's the log.


ComboFix 11-02-24.01 - jodie and ciaran xxx 24/02/2011 17:51:20.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1917.1428 [GMT 0:00]
Running from: c:\documents and settings\jodie and ciaran xxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jodie and ciaran xxx\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\dmlconf.dat

.
((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
.

2011-02-23 17:44 . 2011-02-23 17:44 -------- d-----w- c:\program files\DWG TrueView 2010
2011-02-13 05:25 . 2011-02-13 05:25 664 ----a-w- c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\d3d9caps.tmp
2011-02-05 20:11 . 2011-02-05 20:11 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-27 13:58 . 2004-08-12 12:18 5888 ----a-w- c:\windows\system32\drivers\dmload.sys
2010-12-20 18:09 . 2010-12-16 15:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-12-16 15:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2011-02-24_00.16.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-24 17:05 . 2011-02-24 17:05 16384 c:\windows\Temp\Perflib_Perfdata_510.dat
+ 2010-02-16 15:01 . 2011-02-24 10:02 35088 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 35088 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 18704 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 18704 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 20240 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 20240 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 845584 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\outicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 845584 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\outicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 217864 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\misc.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 217864 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\misc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NortonUtilities"="c:\program files\Norton Utilities 14\nu.exe" [2010-08-18 4093288]
"Google Update"="c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-05-14 29987322]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-28 8491008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-06-19 231888]

c:\documents and settings\romy\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Craft ROBO Status Supervisor.lnk]
backup=c:\windows\pss\Craft ROBO Status Supervisor.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jodie and ciaran xxx^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
backupExtension=Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-06-23 20:22 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-23 20:23 884696 ------w- c:\program files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 13:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-28 03:26 8491008 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-28 03:26 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-28 03:26 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC Service Utility]
2007-10-09 11:55 821075 ----a-w- c:\program files\SSC Service Utility\ssc_serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-06-23 20:20 1274800 ------w- c:\program files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/05/2010 14:09 64288]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [19/01/2009 19:04 238080]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/05/2010 16:43 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 15:52 1352832]
S3 qcusbmdm6k;New York Proprietary USB Driver;c:\windows\system32\drivers\qcusbmdm6k.sys [03/05/2009 17:31 65024]
S3 qcusbser6k;New York Diagnostic Port;c:\windows\system32\drivers\qcusbser6k.sys [03/05/2009 17:32 65024]
.
Contents of the 'Scheduled Tasks' folder

2011-02-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 16:55]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 16:43]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 16:43]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1326574676-1177238915-1003Core.job
- c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-16 21:35]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1326574676-1177238915-1003UA.job
- c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-16 21:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\jodie and ciaran xxx\Application Data\Mozilla\Firefox\Profiles\4lw9vf3t.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?referrer=theme_ign
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=gr ... =937811&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-24 17:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...


C:\ntjiyevg.exe 152500 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,b4,58,1d,ba,3c,99,40,95,b6,ed,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,b4,58,1d,ba,3c,99,40,95,b6,ed,\

[HKEY_USERS\S-1-5-21-436374069-1326574676-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-24 18:00:04
ComboFix-quarantined-files.txt 2011-02-24 18:00
ComboFix2.txt 2011-02-24 15:52
ComboFix3.txt 2011-02-24 00:23

Pre-Run: 298,124,402,688 bytes free
Post-Run: 298,110,590,976 bytes free

- - End Of File - - 4A07EEED2BE7E89C671F357687C96161

still can't go to the online scanners. still can't open firefox.
thanks for sticking with it Melboy.
ciaran
Regular Member
 
Posts: 15
Joined: February 19th, 2011, 12:14 pm
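The checks behind melboy's CFScript and the ComboFix log above, as an added triage script that is not code from the thread, from ComboFix, or from MalwareRemoval.com: it parses the 'Reg Loading Points' and catchme sections in the format quoted above and flags the firewall being switched off, GloballyOpenPorts entries with no application label, a non-default Winlogon Userinit value, and catchme's hidden-file and NTDLL code-modification lines (the latter show up in the later log in this thread). The sample log is constructed, and the assumption that malware-added port entries carry no application label, unlike the `5353:TCP:Adobe CSI CS4` line, is mine.

```python
"""Triage a ComboFix/catchme log for the leads this thread deals with.

Added example, not ComboFix code or the MalwareRemoval.com helpers' tooling. It
reads the 'Reg Loading Points' and catchme sections in the format quoted above.
"""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r'^\[(.+)\]$')                  # [HKLM\...] key header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')    # "name"= value
PORT_RE = re.compile(r'^(\d+):(TCP|UDP)$', re.IGNORECASE)
HIDDEN_RE = re.compile(r'^(.+?) (\d+) bytes\b.*$')  # catchme hidden-file line
DEFAULT_USERINIT = 'c:\\windows\\system32\\userinit.exe,'  # XP default; extra entries are a persistence lead

# Constructed sample in the ComboFix format quoted in the thread. The unlabeled
# port entries and the extra Userinit path are made up for this example.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"12957:TCP"= 12957:TCP:
"8353:TCP"= 8353:TCP:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe,c:\\windows\\system32\\EXAMPLE_extra.exe"

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden files ...

C:\ntjiyevg.exe 152500 bytes executable

scan completed successfully
hidden files: 1
"""

@dataclass
class Triage:
    findings: list = field(default_factory=list)    # (kind, detail) in log order
    open_ports: list = field(default_factory=list)  # (port, proto, label)
    hidden_files: list = field(default_factory=list)
    ntdll_hooks: list = field(default_factory=list)

def _registry_value(t, key, name, value):
    """Apply the registry checks to one "name"= value line under key."""
    lname = name.lower()
    if key.endswith('firewallpolicy\\standardprofile') and lname == 'enablefirewall':
        if value.split()[:1] == ['0']:
            t.findings.append(('firewall_disabled', key))
    elif key.endswith('globallyopenports\\list') and PORT_RE.match(name):
        # ComboFix prints these as "port:proto"= port:proto:<application label>
        port, proto = name.split(':')
        label = value.split(':', 2)[2].strip() if value.count(':') >= 2 else ''
        t.open_ports.append((int(port), proto.upper(), label))
        if not label:
            t.findings.append(('unlabeled_open_port', name))
    elif key.endswith('\\winlogon') and lname == 'userinit':
        cleaned = value.strip('"').replace('\\\\', '\\').lower()
        if cleaned != DEFAULT_USERINIT:
            t.findings.append(('userinit_modified', cleaned))

def triage_combofix_log(text):
    """Walk the log once; the current registry key and catchme section are state."""
    t = Triage()
    key = ''        # current [registry key] in the Reg Loading Points section
    section = None  # 'ntdll' or 'hidden' while inside the catchme block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if section == 'ntdll':  # the hook list ends at the first blank line
                section = None
            continue
        if (m := KEY_RE.match(line)):
            key = m.group(1).lower()
        elif (m := VALUE_RE.match(line)) and key:
            _registry_value(t, key, m.group(1), m.group(2).strip())
        elif line.lower().startswith('detected ntdll code modification'):
            section = 'ntdll'
        elif line.lower().startswith('scanning hidden files'):
            section = 'hidden'
        elif line.lower().startswith(('scanning ', 'scan completed')):
            section = None
        elif section == 'ntdll':
            t.ntdll_hooks.append(line)
            t.findings.append(('ntdll_code_modification', line))
        elif section == 'hidden' and (m := HIDDEN_RE.match(line)):
            t.hidden_files.append(m.group(1))
            t.findings.append(('hidden_file', m.group(1)))
    return t

def finding_kinds(t):
    """Distinct finding kinds in the order they were hit."""
    return list(dict.fromkeys(kind for kind, _ in t.findings))
```

Run it over a pasted ComboFix log with `triage_combofix_log(open('ComboFix.txt').read())`; each finding is a lead to confirm by hand, not a verdict.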

Re: loads of problems. any help appreciated.

Post by melboy » February 24th, 2011, 2:17 pm

Hi ciaran

As you've uninstalled Norton, keep any surfing or downloading to visiting here or downloading only the tools I ask you to.


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Rootkit::
    C:\ntjiyevg.exe
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Gmer

Download GMER Rootkit Scanner from here.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    See image below
    Image
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

-- If GMER crashes or results in a BSoD, please inform me --

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Note: Do not run any programs while Gmer is running.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: loads of problems. any help appreciated.

Post by ciaran » February 24th, 2011, 9:10 pm

hi,
no crashes or BsoD.
here's the ComboFix log


ComboFix 11-02-24.01 - jodie and ciaran xxx 24/02/2011 18:27:24.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1917.1385 [GMT 0:00]
Running from: c:\documents and settings\jodie and ciaran xxx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jodie and ciaran xxx\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Internet Explorer\IEXPLOREmgr.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
.

2011-02-23 17:44 . 2011-02-23 17:44 -------- d-----w- c:\program files\DWG TrueView 2010
2011-02-13 05:25 . 2011-02-13 05:25 664 ----a-w- c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\d3d9caps.tmp
2011-02-05 20:11 . 2011-02-05 20:11 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-27 13:58 . 2004-08-12 12:18 5888 ----a-w- c:\windows\system32\drivers\dmload.sys
2010-12-20 18:09 . 2010-12-16 15:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 18:08 . 2010-12-16 15:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.

((((((((((((((((((((((((((((( SnapShot@2011-02-24_00.16.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-24 17:05 . 2011-02-24 17:05 16384 c:\windows\Temp\Perflib_Perfdata_510.dat
+ 2010-02-16 15:01 . 2011-02-24 10:02 35088 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 35088 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 18704 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 18704 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\mspicons.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 20240 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 20240 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\cagicon.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 845584 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\outicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 845584 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\outicon.exe
- 2010-02-16 15:01 . 2010-05-12 08:42 217864 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\misc.exe
+ 2010-02-16 15:01 . 2011-02-24 10:02 217864 c:\windows\Installer\{91120000-001A-0000-0000-0000000FF1CE}\misc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NortonUtilities"="c:\program files\Norton Utilities 14\nu.exe" [2010-08-18 4093288]
"Google Update"="c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-12-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-05-14 29987322]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-28 8491008]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-06-19 231888]

c:\documents and settings\romy\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Craft ROBO Status Supervisor.lnk]
backup=c:\windows\pss\Craft ROBO Status Supervisor.lnkCommon Startup
backupExtension=Common Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jodie and ciaran xxx^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
backupExtension=Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-06-23 20:22 140568 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-06-23 20:23 884696 ------w- c:\program files\Acronis\TrueImageEchoEnterpriseServer\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 04:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-01-06 13:06 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-28 03:26 8491008 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-28 03:26 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-28 03:26 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC Service Utility]
2007-10-09 11:55 821075 ----a-w- c:\program files\SSC Service Utility\ssc_serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-06-23 20:20 1274800 ------w- c:\program files\Acronis\TrueImageEchoEnterpriseServer\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/05/2010 14:09 64288]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [19/01/2009 19:04 238080]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/05/2010 16:43 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 15:52 1352832]
S3 qcusbmdm6k;New York Proprietary USB Driver;c:\windows\system32\drivers\qcusbmdm6k.sys [03/05/2009 17:31 65024]
S3 qcusbser6k;New York Diagnostic Port;c:\windows\system32\drivers\qcusbser6k.sys [03/05/2009 17:32 65024]
.
Contents of the 'Scheduled Tasks' folder

2011-02-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 16:55]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 16:43]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-12 16:43]

2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1326574676-1177238915-1003Core.job
- c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-16 21:35]

2011-02-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1326574676-1177238915-1003UA.job
- c:\documents and settings\jodie and ciaran xxx\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-16 21:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\jodie and ciaran xxx\Application Data\Mozilla\Firefox\Profiles\4lw9vf3t.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?referrer=theme_ign
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=gr ... =937811&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-24 18:30
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...


c:\documents and settings\jodie and ciaran xxx\Start Menu\Programs\Startup\ntjiyevg.exe 152500 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,b4,58,1d,ba,3c,99,40,95,b6,ed,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,b4,58,1d,ba,3c,99,40,95,b6,ed,\

[HKEY_USERS\S-1-5-21-436374069-1326574676-1177238915-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-24 18:32:35
ComboFix-quarantined-files.txt 2011-02-24 18:32
ComboFix2.txt 2011-02-24 18:00
ComboFix3.txt 2011-02-24 15:52
ComboFix4.txt 2011-02-24 00:23

Pre-Run: 298,115,354,624 bytes free
Post-Run: 298,101,075,968 bytes free

- - End Of File - - A86D6F962DE2AF7D0795E65642D4C667


And here's the GMER log.



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-25 01:00:10
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-e Hitachi_HDP725050GLA360 rev.GM4OA5CA
Running: ov6rzplj.exe; Driver: C:\DOCUME~1\JODIEA~1\LOCALS~1\Temp\pgldqpoc.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA90887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA908BFE]

Code \??\C:\DOCUME~1\JODIEA~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? kaimc.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9C4D360, 0x30AD87, 0xE8000020]
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB65DB280]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\JODIEA~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe[316] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[348] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\WINDOWS\system32\nvsvc32.exe[620] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\system32\nvsvc32.exe[620] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\system32\nvsvc32.exe[620] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
? C:\WINDOWS\System32\smss.exe[880] time/date stamp mismatch;
? C:\WINDOWS\system32\csrss.exe[944] time/date stamp mismatch; unknown module: CSRSRV.dll
.text C:\WINDOWS\system32\csrss.exe[944] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\csrss.exe[944] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\csrss.exe[944] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
? C:\WINDOWS\system32\winlogon.exe[968] time/date stamp mismatch; unknown module: WINMM.dllunknown module: MSGINA.dllunknown module: RASAPI32.dllunknown module: MPR.dllunknown module: AUTHZ.dllunknown module: NDdeApi.dllunknown module: PROFMAP.dllunknown module: SETUPAPI.dllunknown module: VERSION.dllunknown module: WINSTA.dllunknown module: WINTRUST.dll
.text C:\WINDOWS\system32\winlogon.exe[968] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\winlogon.exe[968] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\winlogon.exe[968] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\winlogon.exe[968] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
? C:\WINDOWS\system32\services.exe[1012] time/date stamp mismatch; unknown module: NTDSAPI.dllunknown module: NCObjAPI.DLLunknown module: SCESRV.dllunknown module: umpnpmgr.dll
.text C:\WINDOWS\system32\services.exe[1012] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\services.exe[1012] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\services.exe[1012] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\services.exe[1012] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\WINDOWS\system32\lsass.exe[1024] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\lsass.exe[1024] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\lsass.exe[1024] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\lsass.exe[1024] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2001E19E
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2001E281
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2001E4A9
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001E170
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2001E355
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001E247
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2001E2C1
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2001E3FC
.text C:\Program Files\Google\Update\GoogleUpdate.exe[1148] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2001E308
? C:\WINDOWS\system32\svchost.exe[1200] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\svchost.exe[1200] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\svchost.exe[1200] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
? C:\WINDOWS\system32\svchost.exe[1252] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\svchost.exe[1252] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2001E19E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2001E281
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2001E4A9
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001E170
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2001E355
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001E247
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2001E2C1
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2001E3FC
.text C:\Program Files\Java\jre6\bin\jqs.exe[1296] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2001E308
? C:\WINDOWS\System32\svchost.exe[1396] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[1396] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\System32\svchost.exe[1396] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\System32\svchost.exe[1396] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!HttpOpenRequestA 630187BC 5 Bytes JMP 2004CF28
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetReadFile 6301AC9D 5 Bytes JMP 2004CE6D
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!HttpSendRequestW 6301F73E 5 Bytes JMP 2004C578
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!HttpOpenRequestW 6301F87B 5 Bytes JMP 2004CF55
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetQueryDataAvailable 6301FEB1 5 Bytes JMP 2004CB4E
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetCloseHandle 63020A61 5 Bytes JMP 2004C5D7
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 2004CF82
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!HttpSendRequestA 6302E822 5 Bytes JMP 2004C543
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetReadFileExW 6303377E 5 Bytes JMP 2004CD52
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetReadFileExA 630337B6 5 Bytes JMP 2004CCAB
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetWriteFile 6307665E 5 Bytes JMP 2004C5AA
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 2004CFA9
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!HttpSendRequestExA 6308A9EE 5 Bytes JMP 2004C4FD
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!HttpSendRequestExW 6308AA47 5 Bytes JMP 2004C4B7
? C:\WINDOWS\system32\svchost.exe[1416] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!HttpOpenRequestA 630187BC 5 Bytes JMP 2001CF28
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetReadFile 6301AC9D 5 Bytes JMP 2001CE6D
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!HttpSendRequestW 6301F73E 5 Bytes JMP 2001C578
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!HttpOpenRequestW 6301F87B 5 Bytes JMP 2001CF55
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetQueryDataAvailable 6301FEB1 5 Bytes JMP 2001CB4E
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetCloseHandle 63020A61 5 Bytes JMP 2001C5D7
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 2001CF82
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!HttpSendRequestA 6302E822 5 Bytes JMP 2001C543
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetReadFileExW 6303377E 5 Bytes JMP 2001CD52
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetReadFileExA 630337B6 5 Bytes JMP 2001CCAB
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetWriteFile 6307665E 5 Bytes JMP 2001C5AA
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 2001CFA9
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!HttpSendRequestExA 6308A9EE 5 Bytes JMP 2001C4FD
.text C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe[1488] WININET.dll!HttpSendRequestExW 6308AA47 5 Bytes JMP 2001C4B7
? C:\WINDOWS\system32\svchost.exe[1520] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\svchost.exe[1520] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\Program Files\CDBurnerXP\NMSAccessU.exe[1604] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
? C:\WINDOWS\system32\svchost.exe[1624] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\svchost.exe[1624] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\svchost.exe[1624] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\WINDOWS\system32\spoolsv.exe[1832] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\spoolsv.exe[1832] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\spoolsv.exe[1832] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
? C:\WINDOWS\system32\svchost.exe[1956] time/date stamp mismatch;
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\system32\svchost.exe[1956] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!HttpOpenRequestA 630187BC 5 Bytes JMP 2004CF28
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetReadFile 6301AC9D 5 Bytes JMP 2004CE6D
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!HttpSendRequestW 6301F73E 5 Bytes JMP 2004C578
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!HttpOpenRequestW 6301F87B 5 Bytes JMP 2004CF55
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetQueryDataAvailable 6301FEB1 5 Bytes JMP 2004CB4E
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetCloseHandle 63020A61 5 Bytes JMP 2004C5D7
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 2004CF82
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!HttpSendRequestA 6302E822 5 Bytes JMP 2004C543
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetReadFileExW 6303377E 5 Bytes JMP 2004CD52
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetReadFileExA 630337B6 5 Bytes JMP 2004CCAB
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetWriteFile 6307665E 5 Bytes JMP 2004C5AA
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 2004CFA9
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!HttpSendRequestExA 6308A9EE 5 Bytes JMP 2004C4FD
.text C:\WINDOWS\system32\svchost.exe[1956] WININET.dll!HttpSendRequestExW 6308AA47 5 Bytes JMP 2004C4B7
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\system32\svchost.exe[1956] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1988] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe[2016] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe[2016] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe[2016] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[2036] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\WINDOWS\System32\alg.exe[2372] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\System32\alg.exe[2372] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\System32\alg.exe[2372] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2001E19E
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2001E281
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2001E4A9
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001E170
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2001E355
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001E247
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2001E2C1
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2001E3FC
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2001E308
? C:\WINDOWS\explorer.exe[2436] time/date stamp mismatch; unknown module: WINMM.dllunknown module: SETUPAPI.dllunknown module: WINSTA.dllunknown module: OLEACC.dllunknown module: BROWSEUI.dllunknown module: OLEAUT32.dllunknown module: SHDOCVW.dllunknown module: UxTheme.dll
.text C:\WINDOWS\explorer.exe[2436] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\explorer.exe[2436] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\explorer.exe[2436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!HttpOpenRequestA 630187BC 5 Bytes JMP 2004CF28
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetReadFile 6301AC9D 5 Bytes JMP 2004CE6D
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!HttpSendRequestW 6301F73E 5 Bytes JMP 2004C578
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!HttpOpenRequestW 6301F87B 5 Bytes JMP 2004CF55
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetQueryDataAvailable 6301FEB1 5 Bytes JMP 2004CB4E
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetCloseHandle 63020A61 5 Bytes JMP 2004C5D7
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetOpenUrlA 6302DEF0 5 Bytes JMP 2004CF82
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!HttpSendRequestA 6302E822 5 Bytes JMP 2004C543
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetReadFileExW 6303377E 5 Bytes JMP 2004CD52
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetReadFileExA 630337B6 5 Bytes JMP 2004CCAB
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetWriteFile 6307665E 5 Bytes JMP 2004C5AA
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!InternetOpenUrlW 63077347 5 Bytes JMP 2004CFA9
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!HttpSendRequestExA 6308A9EE 5 Bytes JMP 2004C4FD
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!HttpSendRequestExW 6308AA47 5 Bytes JMP 2004C4B7
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2004E19E
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2004E281
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2004E4A9
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2004E170
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2004E355
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2004E247
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2004E2C1
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2004E3FC
.text C:\WINDOWS\explorer.exe[2436] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2004E308
.text C:\Documents and Settings\jodie and ciaran xxx\Desktop\ov6rzplj.exe[2472] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\Documents and Settings\jodie and ciaran xxx\Desktop\ov6rzplj.exe[2472] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\Documents and Settings\jodie and ciaran xxx\Desktop\ov6rzplj.exe[2472] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\WINDOWS\system32\wscntfy.exe[3240] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\system32\wscntfy.exe[3240] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\system32\wscntfy.exe[3240] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 2001E19E
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!recvfrom 71AB2FF7 5 Bytes JMP 2001E281
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 2001E4A9
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001E170
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 2001E355
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001E247
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 2001E2C1
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!WSARecvFrom 71ABF66A 5 Bytes JMP 2001E3FC
.text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[3628] WS2_32.dll!WSASendTo 71AC0AAD 5 Bytes JMP 2001E308
? C:\WINDOWS\System32\svchost.exe[3848] time/date stamp mismatch;
.text C:\WINDOWS\System32\svchost.exe[3848] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\System32\svchost.exe[3848] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\System32\svchost.exe[3848] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\WINDOWS\system32\ctfmon.exe[3972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\system32\ctfmon.exe[3972] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\system32\ctfmon.exe[3972] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E

---- Devices - GMER 1.0.15 ----

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\jodie and ciaran xxx\Start Menu\Programs\Startup\ntjiyevg.exe 152500 bytes executable
File C:\ntjiyevg.exe 152500 bytes executable
File C:\Program Files\fnrvobms\ntjiyevg.exe 152500 bytes executable
File C:\System Volume Information\_restore{953D3D99-A34F-469B-9935-FAAE5DB7EAB3}\RP469\A0254245.dll 104448 bytes executable

---- EOF - GMER 1.0.15 ----
ciaran
Regular Member
 
Posts: 15
Joined: February 19th, 2011, 12:14 pm
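The GMER output above lists, for each process, which Windows API entry points have been overwritten with a 5-byte JMP and where that jump lands. The script below is an added example, not part of this thread or of GMER: it parses hook lines in the format shown in the log, groups them per process, and checks whether the jump targets share one injected region and identical offsets across processes. The sample input is a constructed excerpt of the lines posted above; the line format it assumes is the one visible in the log.

```python
"""Parse GMER user-mode hook lines and summarize them per process.

Added example (not part of the forum thread or of GMER). It assumes the
line format seen in the posted log:
    .text <image path>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target>
Lines that do not match (section headers, '?' stamp-mismatch notes) are ignored.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a short excerpt of the hook lines from the posted GMER log.
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\alg.exe[2372] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\System32\alg.exe[2372] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\System32\alg.exe[2372] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!send 71AB4C27 5 Bytes JMP 2001E170
.text C:\WINDOWS\System32\alg.exe[2372] WS2_32.dll!recv 71AB676F 5 Bytes JMP 2001E247
? C:\WINDOWS\explorer.exe[2436] time/date stamp mismatch; unknown module: WINMM.dll
.text C:\WINDOWS\explorer.exe[2436] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2004E4C8
.text C:\WINDOWS\explorer.exe[2436] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2004762E
.text C:\WINDOWS\explorer.exe[2436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2004DE8E
.text C:\WINDOWS\explorer.exe[2436] WININET.dll!HttpSendRequestW 6301F73E 5 Bytes JMP 2004C578
.text C:\WINDOWS\system32\wscntfy.exe[3240] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 2001E4C8
.text C:\WINDOWS\system32\wscntfy.exe[3240] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 2001762E
.text C:\WINDOWS\system32\wscntfy.exe[3240] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 2001DE8E
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<path>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class Hook:
    path: str
    pid: int
    module: str
    function: str
    address: int   # address of the patched prologue inside the system DLL
    size: int      # bytes overwritten (5 = one near JMP rel32)
    target: int    # where the JMP lands: the injected code


def parse_hooks(text: str) -> list[Hook]:
    """Return one Hook per matching '.text ... JMP ...' line; skip everything else."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            path=m["path"], pid=int(m["pid"]), module=m["module"], function=m["function"],
            address=int(m["addr"], 16), size=int(m["size"]), target=int(m["target"], 16),
        ))
    return hooks


def hooks_by_process(hooks):
    """Group hooks by (image path, pid)."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[(h.path, h.pid)].append(h)
    return dict(grouped)


def target_bases_by_process(hooks):
    """Upper 16 bits of every JMP target, per process.

    A single base per process (0x2001xxxx, 0x2004xxxx, ...) means all hooks in
    that process jump into one contiguous injected region."""
    bases = defaultdict(set)
    for h in hooks:
        bases[(h.path, h.pid)].add(h.target >> 16)
    return {k: sorted(v) for k, v in bases.items()}


def consistent_offsets(hooks):
    """For each hooked API, the low 16 bits of its JMP target if every process
    agrees on it, else None. Identical offsets across processes mean the same
    code image is mapped at a different base in each victim: one injected
    module rather than several unrelated hooks."""
    offsets = defaultdict(set)
    for h in hooks:
        offsets[f"{h.module}!{h.function}"].add(h.target & 0xFFFF)
    return {api: (next(iter(s)) if len(s) == 1 else None) for api, s in offsets.items()}


def summarize(text: str) -> dict:
    hooks = parse_hooks(text)
    return {
        "hook_count": len(hooks),
        "process_count": len(hooks_by_process(hooks)),
        "apis": sorted({f"{h.module}!{h.function}" for h in hooks}),
        "bases": target_bases_by_process(hooks),
        "offsets": consistent_offsets(hooks),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['hook_count']} hooks across {s['process_count']} processes")
    for (path, pid), bases in s["bases"].items():
        print(f"  {path}[{pid}] -> target base(s) {[hex(b) for b in bases]}")
    for api, off in s["offsets"].items():
        print(f"  {api}: offset {hex(off) if off is not None else 'varies'}")
```

Run against the full log, the offsets table shows every NtQueryDirectoryFile hook landing at offset 0xE4C8, every LdrLoadDll hook at 0xDE8E, and so on, with only the base (0x2001 or 0x2004) changing between processes. That pattern is what distinguishes a single injected component hooking many processes from legitimate, product-specific hooks, and the hooked API set (directory enumeration, thread resumption, DLL loading, socket and WinINet I/O) tells a responder what the component is positioned to hide or intercept.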

Re: loads of problems. any help appreciated.

Unread postby melboy » February 25th, 2011, 5:15 am

Sorry to be the bearer of bad news, but we are chasing our tails on this one.

Combofix has repeatedly removed a file that, whilst not malicious itself, is indicative of a much more serious infection. The removal of a further file in its last run, plus the return of the files previously removed by MBAM as shown in the GMER scan, confirm that infection. An antivirus scan - should you have been able to run one - would have confirmed the amount of infected files.

That infection is Win32/Ramnit.

Win32/Ramnit is a file infector which can infect .exe, .dll and .HTML/HTM files. It opens a backdoor and has IRCBot functionality that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. It may also upload any personal data for use in identity theft or steal financial/banking data.


The malware injects code in legitimate files and the infected files (which could number in the thousands) may not be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable.


With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. There is no guarantee this infection can be completely removed. It may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again.


Please read these for more information:


How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Virut and Other File Infectors




Some advice for when you reformat:

Link: How to Reformat & Reinstall your Operating System

Make sure you back up any personal files or documents you wish to save before you reformat. If you haven't already done so, I suggest you start to back up all of your valuable data/documents/pictures/songs/etc.

DO NOT back up any applications/installers and DO NOT back up any .exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab files... These files may be infected. If you back them up and replace them afterwards, it will infect your computer again.

After formatting the HDD and reinstalling the OS, install an antivirus straight away, before connecting to the internet. Have the installer file for your chosen AV handy on a form of removable media (Flash Drive/CD etc.) downloaded using another uninfected computer.

Once you have installed an AV and when you connect to the internet, check for updates for your AntiVirus straight away and then make getting Windows updates a priority. Scan any backed up files on removable media by initiating the context menu (right click) scan of your Anti-virus.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: loads of problems. any help appreciated.

Unread postby ciaran » February 25th, 2011, 7:11 am

hi Melboy,
thanks very much for all your time and effort.
whilst, obviously, i am a bit gutted that i will have to format and reinstall, i am still very impressed by the selflessness of the experts on this forum.
the fact that there are people out there willing to give their time and expertise to help people is very pleasing to know.
i will be reading the information you have linked for me here and also following your advice with regards to p2p, cracks, warez etc.
thank you again and my best wishes to you and all your colleagues here on malwareremoval.com.
ciaran
Regular Member
 
Posts: 15
Joined: February 19th, 2011, 12:14 pm

Re: loads of problems. any help appreciated.

Unread postby melboy » February 25th, 2011, 7:20 am

Hi

You're welcome :)

Below is some general advice/suggestions for programs to install. You may have your own preference for an Antivirus/firewall.

Antivirus
Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories.
Suggestions:
  • Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
  • avast! Home Edition - Anti-virus program for Windows. The home edition is freeware for non-commercial users.
  • Microsoft Security Essentials - Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
[Please note that trial pay is not needed to get any product for free.]
It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, system instability and false virus alerts.

  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    Uninstall Tools for Major Antivirus Products

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.
  • Make Internet Explorer More Secure
    Internet Explorer 8 <<< Recommended Version
    For older versions please read and follow the recommendations at this site
    Internet Explorer7
    Internet Explorer6


Recommended Programs

I would recommend the download and installation of some or all of the following programs, and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.
  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.
  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
    Suggestions:
    [Please note that trial pay is not needed to get any product for free.]




Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Read these great articles by Tony Klein So How Did I Get Infected In First Place & Computer Security - a short guide to staying safer online. (by Gary R and Wingman)


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: loads of problems. any help appreciated.

Unread postby ciaran » February 25th, 2011, 7:31 am

:)
will definitely try to stay clean and will also give the kids a quick lecture.
there's a lot to go on there. presumably i will still be able to access this thread after it is closed. if so, no need for a reply just close it. if not let me know and i will copy and paste info to read. thanks.
ciaran
ciaran
Regular Member
 
Posts: 15
Joined: February 19th, 2011, 12:14 pm

Re: loads of problems. any help appreciated.

Unread postby melboy » February 25th, 2011, 7:35 am

You will still be able to access the thread but it will be moved to the Archived Hijackthis Posts.

I'll have this closed.

Should you require any further information, questions can always be asked in the General Discussions Forum. :)

viewforum.php?f=26
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: loads of problems. any help appreciated.

Unread postby Cypher » February 25th, 2011, 7:44 am

As you are going to reformat and reinstall the OS, this topic is now closed.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Donations For Malware Removal
Cypher
Admin/Teacher
 
Posts: 14959
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns