Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Help! reason to believe something isn't right...

Post by mstoochn » August 18th, 2010, 4:08 am

I'll just sum up some of my symptoms, and YES, I have done a Malwarebytes virus scan as well as Microsoft malware removal, but they didn't seem to find anything.

Please note I reinstalled windows only a month back.

Symptoms:
Internet Explorer crashes when trying to download a file or when a pop-up opens (POP-UPS DON'T SEEM TO BE BLOCKED? Yes... my A/V is working normally)
When opening Firefox or IE, the home page will not usually load; instead it simply times out my connection.
conime.exe duplicates itself in Task Manager (I've seen it up to 8 times over... AND YES, YES... I have checked that it is in the proper location and is the proper size)

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:08:16 AM, on 18/08/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINDOWS\sttray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\conime.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Mike\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=T-1629
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=T-1629
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=T-1629
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html ... B&M=T-1629
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... B&M=T-1629
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Shaw Secure\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Shaw Secure\ORSP Client\fsorsp.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5795 bytes


Uninstall list:

Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.2
Agere Systems HDA Modem
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Camera Assistant Software for Gateway
Compatibility Pack for the 2007 Office system
F-Secure PSC Prerequisites
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IDT Audio
iTunes
Java(TM) 6 Update 4
LabelPrint
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft Choice Guard
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.8)
MSVCRT
Power2Go 5.0
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
REALTEK USB Wireless LAN Driver
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Shaw Secure
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Ventrilo Client
VLC media player 1.1.1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
World of Warcraft
mstoochn
Regular Member
 
Posts: 17
Joined: July 13th, 2010, 3:52 pm

Re: Help! reason to believe something isn't right...

Post by askey127 » August 21st, 2010, 8:08 am

Hi mstoochn,
You must have done a "repair" install.
Please tell me what language is the Vista installation you have.
Please don't install, remove, or scan with anything while we are cleaning the machine, unless I ask.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (right click and "Run as administrator" in Vista)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:

Adobe Reader 8.1.2
Java(TM) 6 Update 4

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Double click to run it. (Right click and Run as Administrator in Vista)
If you have a lot of junk files to remove, it could take a while, so please be patient and let it finish.
When it's done, if it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
------------------------------------------------------------
Download and Install the latest version of Java Runtime Environment from here : http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
In the first section on the page, labeled JDK 6 Update 21 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then double-click it on your desktop, (or right click and choose "Run as administrator") and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
--------------------------------------------------------
Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.33 are vulnerable.
Go HERE and click on AdbeRdr933_en_US.exe to download the latest version of Adobe Acrobat Reader.
Save this file to your desktop and run it to install the latest version of Adobe Reader.
------------------------------------------------------------
Please download the GMER Rootkit Scanner from Here.
  • Right click the .exe file and choose Run as Administrator. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than the System drive (which is typically C:\)
    • Show All (don't miss this one)
      (screenshot of the GMER options panel, not reproduced here)
  • Then click the Scan button & wait for it to finish
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
Note: Do not run any other programs while Gmer is running.

So we are looking for the answer to the Vista language, and the results from Gmer.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
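An added example, not from the original thread and not HijackThis code: a small Python triage script for the HijackThis log format posted above. It picks out the entry classes an analyst checks first, including the O2/O3 entries that end in "(no file)" (the orphaned registrations askey127's first step removes), O4 Run entries whose command is a bare file name rather than a full path, O23 services reported with "Unknown owner", and hosts-file lines that map anything other than localhost to loopback. The sample log is a constructed subset of the log in the first post; the entry class names and the report keys are this example's own.

```python
"""Triage helper for a HijackThis log.

Added example, not part of the original thread and not HijackThis code.
SAMPLE_LOG is a constructed subset of the log posted above.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Entry:
    kind: str   # HijackThis section code: R0, O2, O4, O23, ...
    body: str   # text after "<kind> - "


def parse_hjt(text: str) -> list:
    """Return one Entry per recognised '<kind> - ...' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def _exe_of(cmd: str) -> str:
    """First token of a Run command: the quoted path, or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries: list) -> dict:
    """Bucket the entries an analyst looks at first (category names are this example's own)."""
    report = {"orphaned": [], "unqualified_run": [], "unknown_owner_services": [], "hosts_redirects": []}
    for e in entries:
        if e.kind in ("O2", "O3") and e.body.endswith("(no file)"):
            # The registry still registers a BHO/toolbar whose DLL is gone: a dead entry, safe to fix.
            m = CLSID_RE.search(e.body)
            report["orphaned"].append(m.group(0) if m else e.body)
        elif e.kind == "O4":
            m = RUN_RE.match(e.body)
            if m:
                exe = _exe_of(m["cmd"])
                # A bare file name is resolved through the system search path at logon,
                # so the file that actually runs has to be confirmed on disk.
                if exe and "\\" not in exe and not exe.startswith("%"):
                    report["unqualified_run"].append(m["name"])
        elif e.kind == "O23":
            parts = e.body[len("Service: "):].split(" - ")
            if len(parts) >= 3 and parts[-2] == "Unknown owner":
                # No company name in the version resource: verify the binary's signature or hash.
                report["unknown_owner_services"].append(" - ".join(parts[:-2]))
        elif e.kind == "O1":
            fields = e.body[len("Hosts: "):].split()
            if len(fields) >= 2:
                ip, name = fields[0], fields[1]
                # Anything but loopback -> localhost can silently redirect or block sites.
                if ip not in LOOPBACK or name.lower() not in ("localhost", "localhost.localdomain"):
                    report["hosts_redirects"].append(f"{ip} {name}")
    return report


if __name__ == "__main__":
    for key, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}: {items}")
```

Run against the sample, the orphaned bucket contains exactly the three CLSIDs askey127 asks to fix, the only unqualified Run entry is SigmatelSysTrayApp (sttray.exe with no path), and the one "Unknown owner" service is the F-Secure gatekeeper starter; none of these buckets is a verdict, only a list of what to verify on disk before taking action.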

Re: Help! reason to believe something isn't right...

Post by mstoochn » August 21st, 2010, 9:56 pm

Okay, so I can't seem to find out exactly what language of Windows I have, but it was purchased in Canada (English version currently); the only other option is that it MAY be the bilingual one. As far as I know, this conime.exe thing is an Asian language pack that's utterly annoying me.


EDIT:
After completing a restart after I posted this topic, EVERY TIME I OPEN WINDOWS EXPLORER to access a folder etc. it's trying to close COM Surrogate. WTF has happened?! I followed your instructions exactly.

2nd Edit: Another restart seemed to solve that issue.

I was able to accomplish everything you asked of me.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-21 18:52:55
Windows 6.0.6002 Service Pack 2
Running: exwp80st.exe; Driver: C:\Users\Mike\AppData\Local\Temp\kxldypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThread [0x8D121E8C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwLoadDriver [0x8D1221BC]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x8D121BCC]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwOpenSection [0x8D1225EE]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwRenameKey [0x8D12388C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSetSystemInformation [0x8D12243E]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendProcess [0x8D121A4C]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSuspendThread [0x8D121EC0]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwSystemDebugControl [0x8D122042]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateProcess [0x8D1219A6]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwTerminateThread [0x8D121B06]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x8D121F86]
SSDT \??\C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x8D121EA6]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 81CEB984 4 Bytes [8C, 1E, 12, 8D]
.text ntkrnlpa.exe!KeSetEvent + 37D 81CEBAE0 4 Bytes [BC, 21, 12, 8D]
.text ntkrnlpa.exe!KeSetEvent + 3AD 81CEBB10 4 Bytes [CC, 1B, 12, 8D]
.text ntkrnlpa.exe!KeSetEvent + 3FD 81CEBB60 4 Bytes [EE, 25, 12, 8D]
.text ntkrnlpa.exe!KeSetEvent + 515 81CEBC78 4 Bytes JMP 12388C81
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\iTunes\iTunesHelper.exe[356] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 00EF000C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 00EF100C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 00EF200C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 00EF300C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 00EF400C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 00EF500C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 00EFB00C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 00EF800C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 00EF600C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 00EF900C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 00EF700C
.text C:\Program Files\iTunes\iTunesHelper.exe[356] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 00EFA00C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0049000C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0049100C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0049200C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0049300C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0049400C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0049800C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0049600C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0049900C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0049700C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0049500C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0049B00C
.text C:\Program Files\Windows Defender\MSASCui.exe[456] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0049A00C
.text C:\Windows\system32\wininit.exe[596] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0017000C
.text C:\Windows\system32\wininit.exe[596] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0017100C
.text C:\Windows\system32\wininit.exe[596] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0017200C
.text C:\Windows\system32\wininit.exe[596] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0017300C
.text C:\Windows\system32\wininit.exe[596] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0017400C
.text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0017800C
.text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0017600C
.text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0017900C
.text C:\Windows\system32\wininit.exe[596] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0017700C
.text C:\Windows\system32\wininit.exe[596] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0017500C
.text C:\Windows\system32\wininit.exe[596] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0017A00C
.text C:\Windows\system32\winlogon.exe[672] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 001C000C
.text C:\Windows\system32\winlogon.exe[672] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 001C100C
.text C:\Windows\system32\winlogon.exe[672] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 001C200C
.text C:\Windows\system32\winlogon.exe[672] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 001C300C
.text C:\Windows\system32\winlogon.exe[672] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 001C400C
.text C:\Windows\system32\winlogon.exe[672] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 001C800C
.text C:\Windows\system32\winlogon.exe[672] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 001C600C
.text C:\Windows\system32\winlogon.exe[672] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 001C900C
.text C:\Windows\system32\winlogon.exe[672] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 001C700C
.text C:\Windows\system32\winlogon.exe[672] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 001C500C
.text C:\Windows\system32\winlogon.exe[672] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 001CB00C
.text C:\Windows\system32\winlogon.exe[672] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 001CA00C
.text C:\Windows\system32\lsass.exe[688] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 000E000C
.text C:\Windows\system32\lsass.exe[688] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 000E100C
.text C:\Windows\system32\lsass.exe[688] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 000E200C
.text C:\Windows\system32\lsass.exe[688] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 000E300C
.text C:\Windows\system32\lsass.exe[688] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 000E400C
.text C:\Windows\system32\lsass.exe[688] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 000E800C
.text C:\Windows\system32\lsass.exe[688] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 000E600C
.text C:\Windows\system32\lsass.exe[688] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 000E900C
.text C:\Windows\system32\lsass.exe[688] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 000E700C
.text C:\Windows\system32\lsass.exe[688] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 000E500C
.text C:\Windows\system32\lsass.exe[688] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 000EB00C
.text C:\Windows\system32\lsass.exe[688] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 000EA00C
.text C:\Windows\system32\lsm.exe[696] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0015000C
.text C:\Windows\system32\lsm.exe[696] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0015100C
.text C:\Windows\system32\lsm.exe[696] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0015200C
.text C:\Windows\system32\lsm.exe[696] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0015300C
.text C:\Windows\system32\lsm.exe[696] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0015400C
.text C:\Windows\system32\lsm.exe[696] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0015800C
.text C:\Windows\system32\lsm.exe[696] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0015600C
.text C:\Windows\system32\lsm.exe[696] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0015900C
.text C:\Windows\system32\lsm.exe[696] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0015700C
.text C:\Windows\system32\lsm.exe[696] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0015500C
.text C:\Windows\system32\lsm.exe[696] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0015A00C
.text C:\Windows\system32\SearchFilterHost.exe[704] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0024000C
.text C:\Windows\system32\SearchFilterHost.exe[704] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0024100C
.text C:\Windows\system32\SearchFilterHost.exe[704] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0024200C
.text C:\Windows\system32\SearchFilterHost.exe[704] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0024300C
.text C:\Windows\system32\SearchFilterHost.exe[704] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0024400C
.text C:\Windows\system32\SearchFilterHost.exe[704] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0024800C
.text C:\Windows\system32\SearchFilterHost.exe[704] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0024600C
.text C:\Windows\system32\SearchFilterHost.exe[704] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0024900C
.text C:\Windows\system32\SearchFilterHost.exe[704] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0024700C
.text C:\Windows\system32\SearchFilterHost.exe[704] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0024500C
.text C:\Windows\system32\SearchFilterHost.exe[704] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0024B00C
.text C:\Windows\system32\SearchFilterHost.exe[704] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0024A00C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0024000C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0024100C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0024200C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0024300C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0024400C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0024500C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0024A00C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0024800C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0024600C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0024900C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0024700C
.text C:\Users\Mike\Downloads\exwp80st.exe[784] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0024B00C
.text C:\Windows\system32\svchost.exe[840] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0013000C
.text C:\Windows\system32\svchost.exe[840] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0013100C
.text C:\Windows\system32\svchost.exe[840] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0013200C
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 000A000C
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 000A100C
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 000A200C
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0145000C
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0145100C
.text C:\Windows\System32\svchost.exe[944] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0145200C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0098000C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0098100C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0098200C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0098300C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0098400C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0098500C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0098B00C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0098800C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0098600C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0098900C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0098700C
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[984] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0098A00C
.text C:\Windows\system32\Ati2evxx.exe[1044] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 003D000C
.text C:\Windows\system32\Ati2evxx.exe[1044] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 003D100C
.text C:\Windows\system32\Ati2evxx.exe[1044] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 003D200C
.text C:\Windows\system32\Ati2evxx.exe[1044] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 003D300C
.text C:\Windows\system32\Ati2evxx.exe[1044] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 003D400C
.text C:\Windows\system32\Ati2evxx.exe[1044] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 003D500C
.text C:\Windows\system32\Ati2evxx.exe[1044] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 003DB00C
.text C:\Windows\system32\Ati2evxx.exe[1044] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 003D800C
.text C:\Windows\system32\Ati2evxx.exe[1044] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 003D600C
.text C:\Windows\system32\Ati2evxx.exe[1044] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 003D900C
.text C:\Windows\system32\Ati2evxx.exe[1044] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 003D700C
.text C:\Windows\system32\Ati2evxx.exe[1044] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 003DA00C
.text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0087000C
.text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0087100C
.text C:\Windows\System32\svchost.exe[1100] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0087200C
.text C:\Windows\System32\svchost.exe[1140] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0113000C
.text C:\Windows\System32\svchost.exe[1140] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0113100C
.text C:\Windows\System32\svchost.exe[1140] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0113200C
.text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 00E2000C
.text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 00E2100C
.text C:\Windows\system32\svchost.exe[1152] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 00E2200C
.text C:\Windows\system32\svchost.exe[1260] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0007000C
.text C:\Windows\system32\svchost.exe[1260] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0007100C
.text C:\Windows\system32\svchost.exe[1260] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0007200C
.text C:\Program Files\Shaw Secure\Common\FSM32.EXE[1304] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0360000C
.text C:\Program Files\Shaw Secure\Common\FSM32.EXE[1304] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0360100C
.text C:\Program Files\Shaw Secure\Common\FSM32.EXE[1304] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0360200C
.text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 00D2000C
.text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 00D2100C
.text C:\Windows\system32\svchost.exe[1320] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 00D2200C
.text C:\Windows\system32\Ati2evxx.exe[1380] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 015C000C
.text C:\Windows\system32\Ati2evxx.exe[1380] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 015C100C
.text C:\Windows\system32\Ati2evxx.exe[1380] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 015C200C
.text C:\Windows\system32\Ati2evxx.exe[1380] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 015C300C
.text C:\Windows\system32\Ati2evxx.exe[1380] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 015C400C
.text C:\Windows\system32\Ati2evxx.exe[1380] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 015C500C
.text C:\Windows\system32\Ati2evxx.exe[1380] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 015CB00C
.text C:\Windows\system32\Ati2evxx.exe[1380] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 015C800C
.text C:\Windows\system32\Ati2evxx.exe[1380] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 015C600C
.text C:\Windows\system32\Ati2evxx.exe[1380] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 015C900C
.text C:\Windows\system32\Ati2evxx.exe[1380] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 015C700C
.text C:\Windows\system32\Ati2evxx.exe[1380] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 015CA00C
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 008B000C
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 008B100C
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 008B200C
.text C:\WINDOWS\sttray.exe[1616] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 003E000C
.text C:\WINDOWS\sttray.exe[1616] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 003E100C
.text C:\WINDOWS\sttray.exe[1616] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 003E200C
.text C:\WINDOWS\sttray.exe[1616] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 003E300C
.text C:\WINDOWS\sttray.exe[1616] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 003E400C
.text C:\WINDOWS\sttray.exe[1616] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 003E500C
.text C:\WINDOWS\sttray.exe[1616] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 003EB00C
.text C:\WINDOWS\sttray.exe[1616] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 003E800C
.text C:\WINDOWS\sttray.exe[1616] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 003E600C
.text C:\WINDOWS\sttray.exe[1616] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 003E900C
.text C:\WINDOWS\sttray.exe[1616] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 003E700C
.text C:\WINDOWS\sttray.exe[1616] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 003EA00C
.text C:\Windows\system32\Dwm.exe[1904] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 00D2000C
.text C:\Windows\system32\Dwm.exe[1904] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 00D2100C
.text C:\Windows\system32\Dwm.exe[1904] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 00D2200C
.text C:\Windows\system32\Dwm.exe[1904] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 00D2300C
.text C:\Windows\system32\Dwm.exe[1904] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 00D2400C
.text C:\Windows\system32\Dwm.exe[1904] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 00D2800C
.text C:\Windows\system32\Dwm.exe[1904] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 00D2600C
.text C:\Windows\system32\Dwm.exe[1904] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 00D2900C
.text C:\Windows\system32\Dwm.exe[1904] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 00D2700C
.text C:\Windows\system32\Dwm.exe[1904] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 00D2500C
.text C:\Windows\system32\Dwm.exe[1904] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 00D2B00C
.text C:\Windows\system32\Dwm.exe[1904] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 00D2A00C
.text C:\Windows\system32\taskeng.exe[1912] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 00E0000C
.text C:\Windows\system32\taskeng.exe[1912] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 00E0100C
.text C:\Windows\system32\taskeng.exe[1912] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 00E0200C
.text C:\Windows\system32\taskeng.exe[1912] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 00E0300C
.text C:\Windows\system32\taskeng.exe[1912] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 00E0400C
.text C:\Windows\system32\taskeng.exe[1912] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 00E0800C
.text C:\Windows\system32\taskeng.exe[1912] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 00E0600C
.text C:\Windows\system32\taskeng.exe[1912] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 00E0900C
.text C:\Windows\system32\taskeng.exe[1912] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 00E0700C
.text C:\Windows\system32\taskeng.exe[1912] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 00E0500C
.text C:\Windows\system32\taskeng.exe[1912] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 00E0B00C
.text C:\Windows\system32\taskeng.exe[1912] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 00E0A00C
.text C:\Windows\system32\svchost.exe[1948] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0077000C
.text C:\Windows\system32\svchost.exe[1948] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0077100C
.text C:\Windows\system32\svchost.exe[1948] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0077200C
.text C:\Windows\Explorer.EXE[1964] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 01DE000C
.text C:\Windows\Explorer.EXE[1964] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 01DE100C
.text C:\Windows\Explorer.EXE[1964] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 01DE200C
.text C:\Windows\Explorer.EXE[1964] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 01DE300C
.text C:\Windows\Explorer.EXE[1964] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 01DE400C
.text C:\Windows\Explorer.EXE[1964] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 01DE800C
.text C:\Windows\Explorer.EXE[1964] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 01DE600C
.text C:\Windows\Explorer.EXE[1964] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 01DE900C
.text C:\Windows\Explorer.EXE[1964] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 01DE700C
.text C:\Windows\Explorer.EXE[1964] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 01DE500C
.text C:\Windows\Explorer.EXE[1964] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 01DEB00C
.text C:\Windows\Explorer.EXE[1964] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 01DEA00C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0038000C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0038100C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0038200C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0038300C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0038400C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0038800C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0038600C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0038900C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0038700C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0038500C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0038B00C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2076] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0038A00C
.text C:\Windows\system32\taskeng.exe[2176] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 001A000C
.text C:\Windows\system32\taskeng.exe[2176] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 001A100C
.text C:\Windows\system32\taskeng.exe[2176] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 001A200C
.text C:\Windows\system32\taskeng.exe[2176] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 001A300C
.text C:\Windows\system32\taskeng.exe[2176] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 001A400C
.text C:\Windows\system32\taskeng.exe[2176] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 001A800C
.text C:\Windows\system32\taskeng.exe[2176] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 001A600C
.text C:\Windows\system32\taskeng.exe[2176] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 001A900C
.text C:\Windows\system32\taskeng.exe[2176] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 001A700C
.text C:\Windows\system32\taskeng.exe[2176] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 001A500C
.text C:\Windows\system32\taskeng.exe[2176] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 001AB00C
.text C:\Windows\system32\taskeng.exe[2176] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 001AA00C
.text C:\Windows\system32\agrsmsvc.exe[2440] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0020000C
.text C:\Windows\system32\agrsmsvc.exe[2440] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0020100C
.text C:\Windows\system32\agrsmsvc.exe[2440] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0020200C
.text C:\Windows\system32\agrsmsvc.exe[2440] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0020300C
.text C:\Windows\system32\agrsmsvc.exe[2440] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0020400C
.text C:\Windows\system32\agrsmsvc.exe[2440] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0020800C
.text C:\Windows\system32\agrsmsvc.exe[2440] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0020600C
.text C:\Windows\system32\agrsmsvc.exe[2440] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0020900C
.text C:\Windows\system32\agrsmsvc.exe[2440] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0020700C
.text C:\Windows\system32\agrsmsvc.exe[2440] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0020500C
.text C:\Windows\system32\agrsmsvc.exe[2440] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0020B00C
.text C:\Windows\system32\agrsmsvc.exe[2440] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0020A00C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0022000C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0022100C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0022200C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0022300C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0022400C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0022800C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0022600C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0022900C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0022700C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0022500C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0022B00C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2472] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0022A00C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0016000C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0016100C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0016200C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0016300C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0016400C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0016800C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0016600C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0016900C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0016700C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0016500C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0016B00C
.text C:\Program Files\Bonjour\mDNSResponder.exe[2488] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0016A00C
.text C:\Windows\system32\svchost.exe[2668] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0019000C
.text C:\Windows\system32\svchost.exe[2668] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0019100C
.text C:\Windows\system32\svchost.exe[2668] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0019200C
.text C:\Windows\system32\svchost.exe[2812] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 002F000C
.text C:\Windows\system32\svchost.exe[2812] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 002F100C
.text C:\Windows\system32\svchost.exe[2812] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 002F200C
.text C:\Windows\System32\svchost.exe[2852] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 001C000C
.text C:\Windows\System32\svchost.exe[2852] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 001C100C
.text C:\Windows\System32\svchost.exe[2852] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 001C200C
.text C:\Windows\system32\SearchIndexer.exe[2888] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 00F5000C
.text C:\Windows\system32\SearchIndexer.exe[2888] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 00F5100C
.text C:\Windows\system32\SearchIndexer.exe[2888] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 00F5200C
.text C:\Windows\system32\SearchIndexer.exe[2888] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 00F5300C
.text C:\Windows\system32\SearchIndexer.exe[2888] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 00F5400C
.text C:\Windows\system32\SearchIndexer.exe[2888] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 00F5800C
.text C:\Windows\system32\SearchIndexer.exe[2888] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 00F5600C
.text C:\Windows\system32\SearchIndexer.exe[2888] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 00F5900C
.text C:\Windows\system32\SearchIndexer.exe[2888] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 00F5700C
.text C:\Windows\system32\SearchIndexer.exe[2888] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 00F5500C
.text C:\Windows\system32\SearchIndexer.exe[2888] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 00F5B00C
.text C:\Windows\system32\SearchIndexer.exe[2888] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 00F5A00C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0015000C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0015100C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0015200C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0015300C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0015400C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0015800C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0015600C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0015900C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0015700C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0015500C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0015B00C
.text C:\Windows\system32\SearchProtocolHost.exe[3076] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0015A00C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 012C000C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 012C100C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 012C200C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 012C300C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 012C400C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 012C800C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 012C600C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 012C900C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 012C700C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 012C500C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 012CB00C
.text C:\Windows\system32\wbem\wmiprvse.exe[3496] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 012CA00C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ntdll.dll!NtCreateProcess 77394494 5 Bytes JMP 0019000C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ntdll.dll!NtCreateProcessEx 773944A4 5 Bytes JMP 0019100C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ntdll.dll!NtCreateUserProcess 77395804 5 Bytes JMP 0019200C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] kernel32.dll!LoadLibraryExW 771A9109 5 Bytes JMP 0019300C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] kernel32.dll!TerminateThread 771C41F7 5 Bytes JMP 0019400C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ADVAPI32.dll!CloseServiceHandle 772882A5 5 Bytes JMP 0019800C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ADVAPI32.dll!OpenServiceW 77288354 5 Bytes JMP 0019600C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ADVAPI32.dll!CreateServiceW 772A9EB4 5 Bytes JMP 0019900C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ADVAPI32.dll!ControlService 772A9FB8 5 Bytes JMP 0019700C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] USER32.dll!SetWindowsHookExW 76C787AD 5 Bytes JMP 0019500C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] USER32.dll!DdeConnect 76CB9A1F 5 Bytes JMP 0019B00C
.text C:\Program Files\iPod\bin\iPodService.exe[3580] ole32.dll!CoCreateInstanceEx 75D49EE9 5 Bytes JMP 0019A00C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

---- EOF - GMER 1.0.15 ----
mstoochn
Regular Member
Posts: 17
Joined: July 13th, 2010, 3:52 pm

Re: Help! reason to believe something isn't right...

Unread postby askey127 » August 22nd, 2010, 12:41 pm

mstoochn,
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or an infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE F-SECURE ANTIVIRUS
    Please navigate to the system tray on the bottom right-hand corner and look for a blue F-Secure sign.
    • Right-click it -> select Unload.
    • The F-Secure sign should now be surrounded by a red struck-through circle.
    F-Secure Guard is now disabled.
  • Now start ComboFix (zzz.exe). Right-click and choose "Run as administrator".
  • Start the Scan and follow any prompts.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then re-enable your protection software.
A copy of the log will be located here if you need it -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
Re-enable your antivirus.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! reason to believe something isn't right...

Unread postby mstoochn » August 22nd, 2010, 8:45 pm

ComboFix 10-08-22.05 - Mike 22/08/2010 17:29:38.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2429.1590 [GMT -7:00]
Running from: c:\users\Mike\Desktop\zzz.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-23 00:36 . 2010-08-23 00:36 -------- d-----w- c:\users\Mike\AppData\Local\temp
2010-08-23 00:36 . 2010-08-23 00:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-22 01:17 . 2010-08-22 01:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-22 01:11 . 2010-08-22 01:11 -------- d-----w- c:\program files\Common Files\Java
2010-08-22 01:10 . 2010-08-22 01:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-18 01:34 . 2010-08-18 01:54 -------- d-----w- c:\users\Mike\AppData\Roaming\Apple Computer
2010-08-18 01:34 . 2010-08-18 01:34 -------- d-----w- c:\users\Mike\AppData\Local\Apple Computer
2010-08-18 01:33 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-18 01:33 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-08-18 01:33 . 2010-08-18 01:33 -------- dc----w- c:\windows\system32\DRVSTORE
2010-08-18 01:32 . 2010-08-18 01:32 -------- d-----w- c:\program files\iPod
2010-08-18 01:32 . 2010-08-18 01:33 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-18 01:32 . 2010-08-18 01:33 -------- d-----w- c:\program files\iTunes
2010-08-18 01:30 . 2010-08-18 01:31 -------- d-----w- c:\program files\QuickTime
2010-08-18 01:30 . 2010-08-18 01:32 -------- d-----w- c:\programdata\Apple Computer
2010-08-18 01:29 . 2010-08-18 01:29 -------- d-----w- c:\users\Mike\AppData\Local\Apple
2010-08-18 01:29 . 2010-08-18 01:29 -------- d-----w- c:\program files\Apple Software Update
2010-08-18 01:26 . 2010-08-18 01:26 -------- d-----w- c:\program files\Bonjour
2010-08-18 01:25 . 2010-08-18 01:38 -------- d-----w- c:\programdata\Apple
2010-08-18 01:25 . 2010-08-18 01:32 -------- d-----w- c:\program files\Common Files\Apple
2010-08-17 01:34 . 2010-08-17 01:34 -------- d-----w- c:\users\Mike\AppData\Roaming\Malwarebytes
2010-08-17 01:34 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 01:34 . 2010-08-17 01:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 01:34 . 2010-08-17 01:34 -------- d-----w- c:\programdata\Malwarebytes
2010-08-17 01:34 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-12 18:05 . 2010-06-26 06:02 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-08-12 18:05 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 18:05 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 18:04 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 18:04 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 18:03 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 18:01 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 18:01 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 18:01 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 18:01 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 18:01 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-06 04:19 . 2010-08-06 04:19 680 ----a-w- c:\users\Mike\AppData\Local\d3d9caps.dat
2010-07-28 06:21 . 2010-07-28 06:22 -------- d-----w- c:\users\Mike\AppData\Roaming\vlc
2010-07-28 06:20 . 2010-07-28 06:20 -------- d-----w- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 01:10 . 2010-07-14 23:35 -------- d-----w- c:\program files\Java
2010-08-14 01:03 . 2010-07-14 23:32 -------- d-----w- c:\programdata\Microsoft Help
2010-08-14 01:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-21 23:30 . 2010-07-21 23:30 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-20 20:04 . 2010-07-20 03:11 -------- d-----w- c:\users\Mike\AppData\Roaming\Ventrilo
2010-07-20 03:10 . 2010-07-20 03:10 -------- d-----w- c:\program files\Ventrilo
2010-07-20 03:09 . 2010-07-20 03:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-16 01:55 . 2010-07-16 00:39 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-15 20:12 . 2010-07-15 20:12 -------- d-----w- c:\programdata\Blizzard
2010-07-15 18:35 . 2010-07-15 18:35 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-15 07:19 . 2010-07-15 07:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-07-15 07:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-07-15 07:18 . 2010-07-15 07:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-07-15 05:18 . 2010-07-14 23:34 -------- d-----w- c:\program files\Microsoft.NET
2010-07-15 05:10 . 2010-07-14 22:58 70744 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-15 04:14 . 2010-07-15 04:14 -------- d-----w- c:\program files\Microsoft
2010-07-15 04:14 . 2010-07-15 04:13 -------- d-----w- c:\program files\Windows Live
2010-07-15 04:14 . 2010-07-15 04:14 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-07-14 23:59 . 2010-07-14 23:59 -------- d-----w- c:\program files\Common Files\Windows Live
2010-07-14 23:55 . 2010-07-14 23:34 -------- d-----w- c:\program files\Shaw Secure
2010-07-14 23:55 . 2010-07-14 23:35 35792 ----a-w- c:\windows\system32\drivers\fses.sys
2010-07-14 23:46 . 2010-07-14 23:35 41256 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-07-14 23:40 . 2010-07-14 23:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-14 23:37 . 2010-07-14 23:37 -------- d-----w- c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2010-07-14 23:37 . 2010-07-14 23:37 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2010-07-14 23:35 . 2010-07-14 23:35 0 ----a-w- c:\windows\system32\drivers\Gateway_T-1629_N-A_N1B83A1046538.MRK
2010-07-14 23:35 . 2010-07-14 23:33 -------- d-----w- c:\programdata\f-secure
2010-07-14 23:33 . 2010-07-14 23:33 -------- d-----w- c:\programdata\fssg
2010-07-14 23:31 . 2010-07-14 23:30 -------- d-----w- c:\program files\CyberLink
2010-07-14 23:21 . 2010-07-14 23:21 -------- d-----w- c:\program files\Camera Assistant Software for Gateway
2010-07-14 23:21 . 2010-07-14 23:20 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver
2010-07-14 23:19 . 2010-07-14 23:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-07-14 23:19 . 2010-07-14 23:19 -------- d-----w- c:\program files\Synaptics
2010-07-14 23:19 . 2010-07-14 23:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-14 23:17 . 2010-07-14 23:16 -------- d-----w- c:\program files\IDT
2010-07-14 23:15 . 2010-07-14 23:15 -------- d-----w- c:\program files\Realtek
2010-07-14 23:15 . 2010-07-14 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-14 23:14 . 2010-07-14 23:13 -------- d-----w- c:\program files\ATI Technologies
2010-07-14 23:13 . 2010-07-14 23:41 -------- d-----w- c:\programdata\WildTangent
2010-07-14 23:12 . 2010-07-14 23:27 -------- d-----w- c:\program files\Microsoft Works
2010-07-14 23:12 . 2010-07-14 23:12 -------- d-----w- c:\program files\ATI
2010-07-14 23:10 . 2010-07-14 23:07 -------- d-----w- c:\programdata\Symantec
2010-07-14 23:05 . 2010-07-14 23:40 -------- d-----w- c:\programdata\Napster
2010-07-14 23:00 . 2010-07-14 23:00 -------- d-----w- c:\users\Mike\AppData\Roaming\ATI
2010-07-14 22:59 . 2010-07-14 22:59 -------- d-----w- c:\users\Mike\AppData\Roaming\Symantec
2010-07-14 22:58 . 2010-07-14 22:58 -------- d-----w- c:\users\Mike\AppData\Roaming\SampleView
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Templates
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Start Menu
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Favorites
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Documents
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Desktop
2010-06-26 06:05 . 2010-08-12 18:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 18:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 18:06 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-26 17:06 . 2010-07-15 00:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-07-15 00:16 289792 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-06-29 23:12 638976 ----a-w- c:\program files\Camera Assistant Software for Gateway\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f5,b3,5d,6a,e9,23,cb,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [2010-08-10 56992]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2009-08-05 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2009-08-05 25184]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-07-14 41256]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2009-08-05 68064]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-07-14 35792]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-08-05 71040]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2009-08-05 12384]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2010-08-03 124072]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2010-03-31 350720]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html ... B&M=T-1629
mStart Page = hxxp://www.gateway.com/g/startpage.html ... B&M=T-1629
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\ooerifvt.default\
FF - component: c:\program files\Shaw Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_04\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 17:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Mike\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\shaw secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(656)
c:\program files\shaw secure\hips\fshook32.dll
.
Completion time: 2010-08-22 17:38:48
ComboFix-quarantined-files.txt 2010-08-23 00:38

Pre-Run: 162,014,248,960 bytes free
Post-Run: 161,952,141,312 bytes free

- - End Of File - - 5A8F7D82D62B73E54049A315FCDC1390
mstoochn
Regular Member
 
Posts: 17
Joined: July 13th, 2010, 3:52 pm

Re: Help! reason to believe something isn't right...

Unread postby askey127 » August 23rd, 2010, 2:38 pm

mstoochn,
------------------------------------------------------------
Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to your Desktop. It will create a new folder.
  • Inside the new folder, if you have XP, double click ERUNT.exe. If you have Vista, right click ERUNT.exe and choose "Run as administrator"
  • OK all the prompts to back up your registry to the default location.
Note: If you ever need to restore your registry later, you would go to the default backup folder and start ERDNT.exe
(The default backup folder is C:\Windows\ERDNT\ and the backups are saved according to date stamp)
-----------------------------------------------------------
Disable Windows Defender
Go to Start > All Programs > Windows Defender.
Click on the Tools menu, click General Settings, Scroll down to Real-Time Protection Options section and Deactivate the Real-Time Protection system.

Then, in the toolbar across the top there is a little down-pointing arrow next to the question mark icon.
Click on that, get a drop down list. One of the options is to exit Windows Defender.
Click on that, and there will be a pop up asking if you are sure you want to exit. Click Yes/OK.
-------------------------------------------------------------
Run A CF Script
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    Folder::
    c:\programdata\Symantec
    c:\users\Mike\AppData\Roaming\Symantec
    c:\program files\Common Files\Symantec Shared
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
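The Registry:: block of the CFScript above undoes the three "DisableMonitoring"=dword:00000001 entries under security center\Monitoring that appear in the earlier ComboFix log. As an added example (not code from this thread, from ComboFix, or from askey127), this Python parses that REGEDIT4-style log section and the script, applies the script's edits to the parsed state, and reports which monitoring flags are set before and after; the log and script excerpts are constructed from the thread's own lines.

```python
"""Added example (not from the thread): read a CFScript against a ComboFix log.

ComboFix's 'Reg Loading Points' section and a CFScript's Registry:: block share
REGEDIT4 syntax: [KEY] then "Name"=data sets a value, [-KEY] deletes the key.
"""
import re
from typing import Dict, List

RegState = Dict[str, Dict[str, str]]

# Constructed excerpt mirroring the thread's first log (only the relevant keys).
LOG_BEFORE = """REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Svc]
"VistaSp2"=hex(b):f5,b3,5d,6a,e9,23,cb,01
"""

# The CFScript posted in the thread (Folder:: block shortened to one line).
CFSCRIPT = """Folder::
c:\\programdata\\Symantec

Registry::
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000000

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]

[-HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecFirewall]
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')   # "Name"=data


def apply_regedit4(state: RegState, text: str) -> RegState:
    """Apply REGEDIT4-style lines to a copy of state: [KEY] selects or creates a
    key, [-KEY] deletes it and its subkeys, "Name"=data sets a value. Keys are
    lower-cased because the registry is case-insensitive."""
    new = {k: dict(v) for k, v in state.items()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            name = key.group(2).lower()
            if key.group(1) == "-":            # [-KEY]: drop key and its subkeys
                for k in [k for k in new if k == name or k.startswith(name + "\\")]:
                    del new[k]
                current = None
            else:                              # [KEY]: select or create it
                new.setdefault(name, {})
                current = name
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            new[current][value.group(1)] = value.group(2)
    return new


def parse_log(text: str) -> RegState:
    """Parse a ComboFix 'Reg Loading Points' section (a plain REGEDIT4 dump)."""
    return apply_regedit4({}, text)


def registry_section(script: str) -> str:
    """Return only the lines under a CFScript's Registry:: directive."""
    kept: List[str] = []
    active = False
    for line in script.splitlines():
        if line.strip().endswith("::"):        # directive header, e.g. Folder::
            active = line.strip() == "Registry::"
            continue
        if active:
            kept.append(line)
    return "\n".join(kept)


def apply_cfscript(state: RegState, script: str) -> RegState:
    """Apply only the Registry:: block of a CFScript to the parsed log state."""
    return apply_regedit4(state, registry_section(script))


def disabled_monitoring(state: RegState) -> List[str]:
    """Keys under Security Center\\Monitoring whose DisableMonitoring is non-zero;
    such a value silences Security Center's reporting for that product."""
    flagged = []
    for key, values in sorted(state.items()):
        data = values.get("DisableMonitoring", "")
        if "\\security center\\monitoring" in key and data.startswith("dword:"):
            if int(data[len("dword:"):], 16) != 0:
                flagged.append(key)
    return flagged
```

Running disabled_monitoring() on the parsed first log lists the three keys; after apply_cfscript() the Monitoring value is zero and the two Symantec subkeys are gone, matching the second log in the thread.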

Re: Help! reason to believe something isn't right...

Unread postby mstoochn » August 23rd, 2010, 2:43 pm

Do I also disable F-Secure? Or just Win Defender?
mstoochn
Regular Member
 
Posts: 17
Joined: July 13th, 2010, 3:52 pm

Re: Help! reason to believe something isn't right...

Unread postby askey127 » August 23rd, 2010, 2:54 pm

You only need to do Defender.
Should work OK with F-Secure running.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! reason to believe something isn't right...

Unread postby mstoochn » August 23rd, 2010, 8:58 pm

ComboFix 10-08-23.01 - Mike 23/08/2010 17:46:47.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2429.1569 [GMT -7:00]
Running from: c:\users\Mike\Desktop\zzz.exe
Command switches used :: c:\users\Mike\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
c:\programdata\Symantec
c:\programdata\Symantec\LiveUpdate\LuRegManifests\CIDS.lrm
c:\programdata\Symantec\LiveUpdate\LuRegManifests\ISIDSGroupDelete.lrm
c:\programdata\Symantec\LiveUpdate\LuRegManifests\Pif.lrm
c:\programdata\Symantec\LiveUpdate\LuRegManifests\PifLoc.lrm
c:\programdata\Symantec\LiveUpdate\LuRegManifests\SRTSP.lrm
c:\programdata\Symantec\LiveUpdate\LuRegManifests\SymEvent.lrm
c:\programdata\Symantec\LiveUpdate\LuRegManifests\SymNetDrv.lrm
c:\programdata\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
c:\programdata\Symantec\LiveUpdate\Settings.LiveUpdate
c:\users\Mike\AppData\Roaming\Symantec

.
((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
.

2010-08-24 00:54 . 2010-08-24 00:54 -------- d-----w- c:\users\Mike\AppData\Local\temp
2010-08-24 00:54 . 2010-08-24 00:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-24 00:54 . 2010-08-24 00:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-23 00:27 . 2010-08-23 00:38 -------- d-----w- C:\zzz
2010-08-22 01:17 . 2010-08-22 01:18 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-22 01:11 . 2010-08-22 01:11 -------- d-----w- c:\program files\Common Files\Java
2010-08-22 01:10 . 2010-08-22 01:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-18 01:34 . 2010-08-18 01:54 -------- d-----w- c:\users\Mike\AppData\Roaming\Apple Computer
2010-08-18 01:34 . 2010-08-18 01:34 -------- d-----w- c:\users\Mike\AppData\Local\Apple Computer
2010-08-18 01:33 . 2009-05-18 20:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-08-18 01:33 . 2008-04-17 19:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-08-18 01:33 . 2010-08-18 01:33 -------- dc----w- c:\windows\system32\DRVSTORE
2010-08-18 01:32 . 2010-08-18 01:32 -------- d-----w- c:\program files\iPod
2010-08-18 01:32 . 2010-08-18 01:33 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-18 01:32 . 2010-08-18 01:33 -------- d-----w- c:\program files\iTunes
2010-08-18 01:30 . 2010-08-18 01:31 -------- d-----w- c:\program files\QuickTime
2010-08-18 01:30 . 2010-08-18 01:32 -------- d-----w- c:\programdata\Apple Computer
2010-08-18 01:29 . 2010-08-18 01:29 -------- d-----w- c:\users\Mike\AppData\Local\Apple
2010-08-18 01:29 . 2010-08-18 01:29 -------- d-----w- c:\program files\Apple Software Update
2010-08-18 01:26 . 2010-08-18 01:26 -------- d-----w- c:\program files\Bonjour
2010-08-18 01:25 . 2010-08-18 01:38 -------- d-----w- c:\programdata\Apple
2010-08-18 01:25 . 2010-08-18 01:32 -------- d-----w- c:\program files\Common Files\Apple
2010-08-17 01:34 . 2010-08-17 01:34 -------- d-----w- c:\users\Mike\AppData\Roaming\Malwarebytes
2010-08-17 01:34 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-17 01:34 . 2010-08-17 01:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 01:34 . 2010-08-17 01:34 -------- d-----w- c:\programdata\Malwarebytes
2010-08-17 01:34 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-12 18:05 . 2010-06-26 06:02 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-08-12 18:05 . 2010-05-27 20:08 81920 ----a-w- c:\windows\system32\iccvid.dll
2010-08-12 18:05 . 2010-06-11 16:16 274944 ----a-w- c:\windows\system32\schannel.dll
2010-08-12 18:04 . 2010-06-21 13:37 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-08-12 18:04 . 2010-06-18 17:31 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-08-12 18:03 . 2010-06-11 16:15 1248768 ----a-w- c:\windows\system32\msxml3.dll
2010-08-12 18:01 . 2010-06-08 17:35 3600768 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-12 18:01 . 2010-06-08 17:35 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-12 18:01 . 2010-06-18 15:04 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-12 18:01 . 2010-06-18 15:04 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-12 18:01 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-06 04:19 . 2010-08-06 04:19 680 ----a-w- c:\users\Mike\AppData\Local\d3d9caps.dat
2010-07-28 06:21 . 2010-07-28 06:22 -------- d-----w- c:\users\Mike\AppData\Roaming\vlc
2010-07-28 06:20 . 2010-07-28 06:20 -------- d-----w- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 01:10 . 2010-07-14 23:35 -------- d-----w- c:\program files\Java
2010-08-14 01:03 . 2010-07-14 23:32 -------- d-----w- c:\programdata\Microsoft Help
2010-08-14 01:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-21 23:30 . 2010-07-21 23:30 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-20 20:04 . 2010-07-20 03:11 -------- d-----w- c:\users\Mike\AppData\Roaming\Ventrilo
2010-07-20 03:10 . 2010-07-20 03:10 -------- d-----w- c:\program files\Ventrilo
2010-07-20 03:09 . 2010-07-20 03:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-16 01:55 . 2010-07-16 00:39 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-07-15 20:12 . 2010-07-15 20:12 -------- d-----w- c:\programdata\Blizzard
2010-07-15 18:35 . 2010-07-15 18:35 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-15 07:19 . 2010-07-15 07:19 -------- d-----w- c:\program files\Windows Portable Devices
2010-07-15 07:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-07-15 07:18 . 2010-07-15 07:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-07-15 06:38 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-07-15 05:18 . 2010-07-14 23:34 -------- d-----w- c:\program files\Microsoft.NET
2010-07-15 05:10 . 2010-07-14 22:58 70744 ----a-w- c:\users\Mike\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-15 04:14 . 2010-07-15 04:14 -------- d-----w- c:\program files\Microsoft
2010-07-15 04:14 . 2010-07-15 04:13 -------- d-----w- c:\program files\Windows Live
2010-07-15 04:14 . 2010-07-15 04:14 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-07-14 23:59 . 2010-07-14 23:59 -------- d-----w- c:\program files\Common Files\Windows Live
2010-07-14 23:55 . 2010-07-14 23:34 -------- d-----w- c:\program files\Shaw Secure
2010-07-14 23:55 . 2010-07-14 23:35 35792 ----a-w- c:\windows\system32\drivers\fses.sys
2010-07-14 23:46 . 2010-07-14 23:35 41256 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-07-14 23:40 . 2010-07-14 23:16 -------- d-----w- c:\program files\Common Files\InstallShield
2010-07-14 23:37 . 2010-07-14 23:37 -------- d-----w- c:\programdata\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}
2010-07-14 23:37 . 2010-07-14 23:37 -------- d-----w- c:\program files\Activation Assistant for the 2007 Microsoft Office suites
2010-07-14 23:35 . 2010-07-14 23:35 0 ----a-w- c:\windows\system32\drivers\Gateway_T-1629_N-A_N1B83A1046538.MRK
2010-07-14 23:35 . 2010-07-14 23:33 -------- d-----w- c:\programdata\f-secure
2010-07-14 23:33 . 2010-07-14 23:33 -------- d-----w- c:\programdata\fssg
2010-07-14 23:31 . 2010-07-14 23:30 -------- d-----w- c:\program files\CyberLink
2010-07-14 23:21 . 2010-07-14 23:21 -------- d-----w- c:\program files\Camera Assistant Software for Gateway
2010-07-14 23:21 . 2010-07-14 23:20 -------- d-----w- c:\program files\REALTEK USB Wireless LAN Driver
2010-07-14 23:19 . 2010-07-14 23:19 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2010-07-14 23:19 . 2010-07-14 23:19 -------- d-----w- c:\program files\Synaptics
2010-07-14 23:17 . 2010-07-14 23:16 -------- d-----w- c:\program files\IDT
2010-07-14 23:15 . 2010-07-14 23:15 -------- d-----w- c:\program files\Realtek
2010-07-14 23:15 . 2010-07-14 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-14 23:14 . 2010-07-14 23:13 -------- d-----w- c:\program files\ATI Technologies
2010-07-14 23:13 . 2010-07-14 23:41 -------- d-----w- c:\programdata\WildTangent
2010-07-14 23:12 . 2010-07-14 23:27 -------- d-----w- c:\program files\Microsoft Works
2010-07-14 23:12 . 2010-07-14 23:12 -------- d-----w- c:\program files\ATI
2010-07-14 23:05 . 2010-07-14 23:40 -------- d-----w- c:\programdata\Napster
2010-07-14 23:00 . 2010-07-14 23:00 -------- d-----w- c:\users\Mike\AppData\Roaming\ATI
2010-07-14 22:58 . 2010-07-14 22:58 -------- d-----w- c:\users\Mike\AppData\Roaming\SampleView
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Templates
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Start Menu
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Favorites
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Documents
2010-07-14 22:52 . 2010-07-14 22:52 -------- d-sh--we c:\programdata\Desktop
2010-06-26 06:05 . 2010-08-12 18:06 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-12 18:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-12 18:06 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-26 17:06 . 2010-07-15 00:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-07-15 00:16 289792 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"F-Secure Manager"="c:\program files\Shaw Secure\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Shaw Secure\FSGUI\TNBUtil.exe" [2009-08-05 2349664]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-06-29 23:12 638976 ----a-w- c:\program files\Camera Assistant Software for Gateway\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f5,b3,5d,6a,e9,23,cb,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys [2009-08-05 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys [2009-08-05 25184]
S0 fsbts;fsbts;c:\windows\system32\Drivers\fsbts.sys [2010-07-14 41256]
S1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Shaw Secure\HIPS\drivers\fshs.sys [2009-08-05 68064]
S1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-07-14 35792]
S1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2009-08-05 71040]
S1 fsvista;F-Secure Vista Support Driver;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys [2009-08-05 12384]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys [2010-08-03 124072]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Shaw Secure\ORSP Client\fsorsp.exe [2010-08-23 58024]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2010-03-31 350720]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html ... B&M=T-1629
mStart Page = hxxp://www.gateway.com/g/startpage.html ... B&M=T-1629
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Shaw Secure\FSPS\program\FSLSP.DLL
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\ooerifvt.default\
FF - component: c:\program files\Shaw Secure\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 17:54
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\program files\shaw secure\hips\fshook32.dll

- - - - - - - > 'lsass.exe'(600)
c:\program files\shaw secure\hips\fshook32.dll
.
Completion time: 2010-08-23 17:56:43
ComboFix-quarantined-files.txt 2010-08-24 00:56
ComboFix2.txt 2010-08-23 00:38

Pre-Run: 159,950,082,048 bytes free
Post-Run: 159,924,969,472 bytes free

- - End Of File - - C0B47841A88A28DF1B0FAFB90D9F90A2
mstoochn
Regular Member
 
Posts: 17
Joined: July 13th, 2010, 3:52 pm

Re: Help! reason to believe something isn't right...

Unread postby askey127 » August 24th, 2010, 5:59 am

mstoochn,
--------------------------------------------
TDSSKiller
  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip, it will create a folder named tdsskiller on your desktop
  • Double-click the tdsskiller Folder on your desktop.
  • Right-click on tdsskiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy (Ctrl+C) the text line from the codebox below (don't include the word "Code").
    Code:
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Open a new Notepad file. Paste (Ctrl+V) the line into the Notepad text. Save the file to your desktop as "TDSS.bat" (Include the quote marks).
  • Right click the TDSS.bat file on your desktop and choose "Run as administrator"
  • It is important that you run this once and only once!
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply

If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! reason to believe something isn't right...

Unread postby mstoochn » August 25th, 2010, 3:43 am

2010/08/25 00:41:56.0018 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/25 00:41:56.0018 ================================================================================
2010/08/25 00:41:56.0018 SystemInfo:
2010/08/25 00:41:56.0018
2010/08/25 00:41:56.0018 OS Version: 6.0.6002 ServicePack: 2.0
2010/08/25 00:41:56.0018 Product type: Workstation
2010/08/25 00:41:56.0018 ComputerName: MIKE-PC
2010/08/25 00:41:56.0018 UserName: Mike
2010/08/25 00:41:56.0018 Windows directory: C:\Windows
2010/08/25 00:41:56.0018 System windows directory: C:\Windows
2010/08/25 00:41:56.0018 Processor architecture: Intel x86
2010/08/25 00:41:56.0018 Number of processors: 2
2010/08/25 00:41:56.0018 Page size: 0x1000
2010/08/25 00:41:56.0018 Boot type: Normal boot
2010/08/25 00:41:56.0018 ================================================================================
2010/08/25 00:42:12.0174 Initialize success
2010/08/25 00:42:19.0237 ================================================================================
2010/08/25 00:42:19.0237 Scan started
2010/08/25 00:42:19.0237 Mode: Manual;
2010/08/25 00:42:19.0237 ================================================================================
2010/08/25 00:42:20.0737 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/08/25 00:42:20.0815 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/08/25 00:42:20.0956 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/08/25 00:42:21.0003 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/08/25 00:42:21.0034 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/08/25 00:42:21.0096 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/08/25 00:42:21.0206 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
2010/08/25 00:42:21.0346 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/08/25 00:42:21.0393 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/08/25 00:42:21.0424 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2010/08/25 00:42:21.0471 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/08/25 00:42:21.0503 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2010/08/25 00:42:21.0534 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/08/25 00:42:21.0565 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2010/08/25 00:42:21.0643 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/08/25 00:42:21.0674 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/08/25 00:42:21.0721 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/08/25 00:42:21.0768 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/08/25 00:42:21.0987 atikmdag (e46f2fb11cfe13187a4e3ef512c0d226) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/08/25 00:42:22.0159 AtiPcie (4aa1eb65481c392955939e735d27118b) C:\Windows\system32\DRIVERS\AtiPcie.sys
2010/08/25 00:42:22.0237 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/08/25 00:42:22.0284 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/08/25 00:42:22.0346 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/08/25 00:42:22.0393 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/08/25 00:42:22.0409 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/08/25 00:42:22.0456 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/08/25 00:42:22.0503 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/08/25 00:42:22.0549 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/08/25 00:42:22.0581 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/08/25 00:42:22.0628 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/08/25 00:42:22.0815 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/08/25 00:42:22.0893 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/08/25 00:42:22.0924 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/08/25 00:42:22.0971 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/08/25 00:42:23.0128 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/08/25 00:42:23.0159 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2010/08/25 00:42:23.0174 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/08/25 00:42:23.0206 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/08/25 00:42:23.0253 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/08/25 00:42:23.0299 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/08/25 00:42:23.0362 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/08/25 00:42:23.0440 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/08/25 00:42:23.0487 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/08/25 00:42:23.0596 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/08/25 00:42:23.0690 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/08/25 00:42:23.0768 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/08/25 00:42:23.0815 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/08/25 00:42:23.0893 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/08/25 00:42:23.0987 F-Secure Filter (d4980588ed87f8bb16be43ddd0fbd5fe) C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSfilter.sys
2010/08/25 00:42:24.0034 F-Secure Gatekeeper (59cb82e8506071335e5aecabe630032f) C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsgk.sys
2010/08/25 00:42:24.0096 F-Secure HIPS (f5aca65237c7511d5803cdc5e7003d75) C:\Program Files\Shaw Secure\HIPS\drivers\fshs.sys
2010/08/25 00:42:24.0128 F-Secure Recognizer (6ce1195511533c9359f91a9e63792f5e) C:\Program Files\Shaw Secure\Anti-Virus\Win2K\FSrec.sys
2010/08/25 00:42:24.0237 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/08/25 00:42:24.0299 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/08/25 00:42:24.0331 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/08/25 00:42:24.0378 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/08/25 00:42:24.0393 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/08/25 00:42:24.0440 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/08/25 00:42:24.0487 fsbts (a0a3484e4b8c70989380a51f814dcad1) C:\Windows\system32\Drivers\fsbts.sys
2010/08/25 00:42:24.0565 FSES (c5e2c835074cf73655fcdd3273a3bbf5) C:\Windows\system32\drivers\fses.sys
2010/08/25 00:42:24.0612 FSFW (7c54f491c35e74cb0a81ba7ec5af7b2f) C:\Windows\system32\drivers\fsdfw.sys
2010/08/25 00:42:24.0706 fsvista (f4a1769bd7a3f073c492663e6a7decd1) C:\Program Files\Shaw Secure\Anti-Virus\minifilter\fsvista.sys
2010/08/25 00:42:24.0753 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/08/25 00:42:24.0784 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/08/25 00:42:24.0815 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2010/08/25 00:42:24.0893 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2010/08/25 00:42:24.0956 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/08/25 00:42:25.0018 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/08/25 00:42:25.0049 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/08/25 00:42:25.0096 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/08/25 00:42:25.0143 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/08/25 00:42:25.0190 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/08/25 00:42:25.0237 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/08/25 00:42:25.0284 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/08/25 00:42:25.0393 ialm (8318e04a6455ced1020bcc5039b62cfa) C:\Windows\system32\DRIVERS\ialmnt5.sys
2010/08/25 00:42:25.0471 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/08/25 00:42:25.0518 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/08/25 00:42:25.0612 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/08/25 00:42:25.0643 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/08/25 00:42:25.0706 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/08/25 00:42:25.0831 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/08/25 00:42:25.0893 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/08/25 00:42:25.0924 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/08/25 00:42:25.0956 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/08/25 00:42:26.0018 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/08/25 00:42:26.0049 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/08/25 00:42:26.0081 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/08/25 00:42:26.0096 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/08/25 00:42:26.0159 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2010/08/25 00:42:26.0253 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/08/25 00:42:26.0331 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/08/25 00:42:26.0409 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/08/25 00:42:26.0424 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2010/08/25 00:42:26.0471 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2010/08/25 00:42:26.0518 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/08/25 00:42:26.0549 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2010/08/25 00:42:26.0612 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2010/08/25 00:42:26.0659 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/08/25 00:42:26.0721 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/08/25 00:42:26.0753 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/08/25 00:42:26.0784 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/08/25 00:42:26.0831 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/08/25 00:42:26.0878 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2010/08/25 00:42:26.0909 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/08/25 00:42:26.0940 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/08/25 00:42:26.0971 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/08/25 00:42:27.0018 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/08/25 00:42:27.0065 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/08/25 00:42:27.0081 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/08/25 00:42:27.0128 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2010/08/25 00:42:27.0143 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2010/08/25 00:42:27.0206 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/08/25 00:42:27.0253 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/08/25 00:42:27.0315 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/08/25 00:42:27.0346 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/08/25 00:42:27.0362 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/08/25 00:42:27.0471 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/08/25 00:42:27.0534 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/08/25 00:42:27.0612 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/08/25 00:42:27.0643 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/08/25 00:42:27.0737 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/08/25 00:42:27.0815 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/08/25 00:42:27.0878 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/08/25 00:42:27.0909 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/08/25 00:42:27.0956 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/08/25 00:42:27.0987 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/08/25 00:42:28.0034 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/08/25 00:42:28.0284 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/08/25 00:42:28.0612 NETw2v32 (6e9edc1020b319e7676387b8cdf2398c) C:\Windows\system32\DRIVERS\NETw2v32.sys
2010/08/25 00:42:29.0003 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/08/25 00:42:29.0065 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/08/25 00:42:29.0112 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/08/25 00:42:29.0268 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/08/25 00:42:29.0315 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/08/25 00:42:29.0346 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/08/25 00:42:29.0378 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2010/08/25 00:42:29.0409 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2010/08/25 00:42:29.0456 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2010/08/25 00:42:29.0549 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/08/25 00:42:29.0628 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/08/25 00:42:29.0721 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/08/25 00:42:29.0784 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/08/25 00:42:29.0909 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/08/25 00:42:29.0971 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2010/08/25 00:42:30.0065 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/08/25 00:42:30.0190 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/08/25 00:42:30.0409 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/08/25 00:42:30.0456 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2010/08/25 00:42:30.0534 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/08/25 00:42:30.0612 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2010/08/25 00:42:30.0674 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/08/25 00:42:30.0706 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/08/25 00:42:30.0753 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/08/25 00:42:30.0784 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/08/25 00:42:30.0831 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/08/25 00:42:30.0909 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/08/25 00:42:30.0971 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/08/25 00:42:31.0003 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/08/25 00:42:31.0049 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2010/08/25 00:42:31.0065 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/08/25 00:42:31.0128 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/08/25 00:42:31.0206 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/08/25 00:42:31.0253 RTL8169 (53892cbd9735a80712ee9439268344b4) C:\Windows\system32\DRIVERS\Rtlh86.sys
2010/08/25 00:42:31.0315 RTL8187B (661af6a63dff9f23b1dc3fb7b3e7a917) C:\Windows\system32\DRIVERS\RTL8187B.sys
2010/08/25 00:42:31.0378 RTSTOR (6e7f2054faedbe766034aa8a185213ec) C:\Windows\system32\drivers\RTSTOR.SYS
2010/08/25 00:42:31.0409 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/08/25 00:42:31.0503 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2010/08/25 00:42:31.0549 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/08/25 00:42:31.0612 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/08/25 00:42:31.0659 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/08/25 00:42:31.0690 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/08/25 00:42:31.0753 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2010/08/25 00:42:31.0784 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2010/08/25 00:42:31.0815 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2010/08/25 00:42:31.0846 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/08/25 00:42:31.0893 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2010/08/25 00:42:31.0924 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2010/08/25 00:42:31.0956 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2010/08/25 00:42:32.0003 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/08/25 00:42:32.0049 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/08/25 00:42:32.0112 srv (96a5e2c642af8f591a7366429809506b) C:\Windows\system32\DRIVERS\srv.sys
2010/08/25 00:42:32.0174 srv2 (71da2d64880c97e5ffc3c81761632751) C:\Windows\system32\DRIVERS\srv2.sys
2010/08/25 00:42:32.0206 srvnet (0c5ab1892ae0fa504218db094bf6d041) C:\Windows\system32\DRIVERS\srvnet.sys
2010/08/25 00:42:32.0284 STHDA (9b33aa7f98d54747b486fe33d4903278) C:\Windows\system32\drivers\stwrt.sys
2010/08/25 00:42:32.0362 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/08/25 00:42:32.0424 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/08/25 00:42:32.0534 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/08/25 00:42:32.0565 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/08/25 00:42:32.0628 SynTP (1f452f22df0c00dd2529867e1ea0dc25) C:\Windows\system32\DRIVERS\SynTP.sys
2010/08/25 00:42:32.0753 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/08/25 00:42:32.0815 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/08/25 00:42:32.0862 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/08/25 00:42:32.0893 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/08/25 00:42:32.0924 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/08/25 00:42:32.0971 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/08/25 00:42:33.0034 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/08/25 00:42:33.0096 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/08/25 00:42:33.0143 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/08/25 00:42:33.0159 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/08/25 00:42:33.0190 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2010/08/25 00:42:33.0268 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/08/25 00:42:33.0315 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2010/08/25 00:42:33.0362 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2010/08/25 00:42:33.0393 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/08/25 00:42:33.0424 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/08/25 00:42:33.0456 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/08/25 00:42:33.0534 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\Windows\system32\Drivers\usbaapl.sys
2010/08/25 00:42:33.0581 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/08/25 00:42:33.0628 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/08/25 00:42:33.0674 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/08/25 00:42:33.0737 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/08/25 00:42:33.0768 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2010/08/25 00:42:33.0799 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
2010/08/25 00:42:33.0831 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/08/25 00:42:33.0862 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/08/25 00:42:33.0909 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2010/08/25 00:42:33.0940 UVCFTR (7b8424bbaafbc127c8f55ad6007d6d6b) C:\Windows\system32\Drivers\UVCFTR_S.SYS
2010/08/25 00:42:34.0003 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/08/25 00:42:34.0018 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/08/25 00:42:34.0049 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2010/08/25 00:42:34.0081 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2010/08/25 00:42:34.0112 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2010/08/25 00:42:34.0143 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/08/25 00:42:34.0206 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/08/25 00:42:34.0237 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/08/25 00:42:34.0284 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2010/08/25 00:42:34.0346 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/08/25 00:42:34.0393 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/08/25 00:42:34.0440 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/08/25 00:42:34.0503 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2010/08/25 00:42:34.0549 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/08/25 00:42:34.0690 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
2010/08/25 00:42:34.0768 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/08/25 00:42:34.0831 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/08/25 00:42:34.0893 yukonwlh (7d1f3b131d503ef43ee594b5a2b9b427) C:\Windows\system32\DRIVERS\yk60x86.sys
2010/08/25 00:42:34.0940 ================================================================================
2010/08/25 00:42:34.0940 Scan finished
2010/08/25 00:42:34.0940 ================================================================================
2010/08/25 00:42:42.0346 Deinitialize success
mstoochn
Regular Member
 
Posts: 17
Joined: July 13th, 2010, 3:52 pm

Re: Help! reason to believe something isn't right...

Unread postby askey127 » August 25th, 2010, 5:49 am

mstoochn,
That looks OK.
How is the machine behaving?
We can disable conime.exe from starting, if that is the only difficulty remaining.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! reason to believe something isn't right...

Unread postby mstoochn » August 25th, 2010, 1:25 pm

It's still failing to load webpages from time to time but I have no idea what that is. "connection timed out" upon opening Firefox or attempting to click the "email" tab on Windows Messenger.

And conime is still multiplying the crap out of itself; it seems anytime I run a program (only multiplies once per program) it duplicates itself... for instance:

Start up machine: conime.exe 56k
open Firefox: (browse for 20 mins) conime.exe 726k
open msn: (chat) conime.exe 54k
even after typing this message it copied again... conime.exe 54k
mstoochn
Regular Member
 
Posts: 17
Joined: July 13th, 2010, 3:52 pm

Re: Help! reason to believe something isn't right...

Unread postby askey127 » August 25th, 2010, 2:10 pm

mstoochn,

-----------------------------------------------------------
Please download the Registry Search Tool from here (scroll down; there are also other tools on the page):
http://www.billsway.com/vbspage/
Unzip it to a convenient location such as your Desktop.
Make sure that your Antivirus / OS allows the use of the .vbs scripts. If prompted, make sure to allow the script.
Double click regsearch.vbs or Right-click and choose "Run as administrator"
Copy / Paste the following line into the Search Box:

loadconime

then hit Ok
It may take a while to run.
It will tell you when it's done and offer to have you look at the file.
Say Yes, and when it opens copy/paste the content in your reply.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Help! reason to believe something isn't right...

Unread postby mstoochn » August 26th, 2010, 5:12 pm

Today I was asked to update my Acrobat Reader; as the above post said, any version previous to 9.33 is vulnerable. According to my computer, it updated to 9.0?

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "loadconime" 26/08/2010 2:10:03 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-19\Console]
"LoadConIme"=dword:00000001

[HKEY_USERS\S-1-5-20\Console]
"LoadConIme"=dword:00000001

[HKEY_USERS\S-1-5-21-3140623818-799828971-3352836501-1000\Console]
"LoadConIme"=dword:00000001
mstoochn
Regular Member
 
Posts: 17
Joined: July 13th, 2010, 3:52 pm
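The RegSrch.vbs output above shows LoadConIme set to 1 in the Console key of three loaded user hives, which is what makes conime.exe start alongside console sessions. As an added, read-only check that is not part of this thread or of Bill James's tool, the following PowerShell script enumerates the same Console\LoadConIme values under HKEY_USERS and lists any running conime.exe instances with their on-disk path and working-set size, so a copy running from somewhere other than %SystemRoot%\system32 (the location shown in the HijackThis log) would stand out. It assumes PowerShell 2.0 or later with the built-in Registry provider; the function names are my own.

```powershell
# Added example, not from the thread: read-only triage of the LoadConIme
# setting and of running conime.exe processes. Changes nothing on the system.

# 1. Report Console\LoadConIme for every hive loaded under HKEY_USERS
#    (the RegSrch.vbs results above show the value as dword:00000001).
function Get-LoadConImeSetting {
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $consoleKey = Join-Path $_.PSPath 'Console'
            if (Test-Path $consoleKey) {
                $props = Get-ItemProperty -Path $consoleKey -ErrorAction SilentlyContinue
                $value = if ($null -ne $props.LoadConIme) { $props.LoadConIme } else { '(not set)' }
                New-Object PSObject -Property @{
                    Hive       = $_.PSChildName
                    LoadConIme = $value
                } | Select-Object Hive, LoadConIme
            }
        }
}

# 2. List running conime.exe processes; ExpectedPath is $true only when the
#    image is the one in %SystemRoot%\system32, as in the HijackThis log.
function Get-ConimeProcess {
    $expected = Join-Path $env:SystemRoot 'system32\conime.exe'
    Get-Process -Name conime -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                PID          = $_.Id
                Path         = $_.Path
                ExpectedPath = ($_.Path -ieq $expected)
                WorkingSetKB = [int]($_.WorkingSet64 / 1KB)
            } | Select-Object PID, Path, ExpectedPath, WorkingSetKB
        }
}

Get-LoadConImeSetting | Format-Table -AutoSize
Get-ConimeProcess     | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that the Path of processes in other sessions can be read; the working-set column lets you compare the per-program growth the poster describes (56k, 726k, 54k) against what each instance is actually holding.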