stubborn browser hijack - moz & i.e. - some help would be appreciated, thx :)



oldskool
2010-06-03, 04:46
I have tried full scans with Avast, Malwarebytes, Spybot & Lavasoft Ad-Aware, all with the latest updates, but none will remove the parasite.

Here's my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by marcus at 3:43:25.40 on Thu 06/03/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.670 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\tsnpstd3.exe
C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\WinZip\WZQKPICK.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\marcus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Shell=Explorer.exe
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [ProcComCmd] c:\windows\system32\wfsjeher.exe
uRun: [procact] c:\windows\system32\defabexm.exe
uRun: [NSeries.PCSync] c:\program files\nokia\nseries pc suite\system utilities\PcSync2.exe /NoDialog
uRun: [{597CF0BC-F4C0-668B-3E2E-E23D4EFE5C26}] "c:\documents and settings\marcus\application data\pyubaz\cyag.exe"
mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Matrox Powerdesk] c:\windows\system32\pdesk\PDesk.exe /Autolaunch
mRun: [nForce Tray Options] sstray.exe /r
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
StartupFolder: c:\docume~1\marcus\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\marcus\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7050v5\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sataraid.lnk - c:\program files\silicon image\siisataraid\SATARaid.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: vfenkw.dll, hieuwt.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 66.98.148.65 auto.search.msn.es
================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marcus\applic~1\mozilla\firefox\profiles\6ru1ampx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.oldskoolprovider.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\marcus\application data\mozilla\firefox\profiles\6ru1ampx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: XUL Cache: {F47E77E5-536D-4C5B-AB69-56F8DE956621} - c:\documents and settings\marcus\local settings\application data\{F47E77E5-536D-4C5B-AB69-56F8DE956621}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-4 64288]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2008-5-21 89749]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-1 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-5-21 38144]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-8 54752]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-1 352920]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-5-1 238848]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-2-7 127496]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-1 254040]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-05-27 17:23:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-13 12:46:54 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

==================== Find3M ====================

2010-06-03 00:33:15 2608 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-27 17:23:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 3:44:44.09 ===============

Blade81
2010-06-07, 14:41
Download GMER here (http://www.gmer.net) by clicking the "download exe" button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab, uncheck the Files option and then click Scan.
Don't check the Show All box while the scan is in progress!
When the scan is finished, click Copy.
This copies the log to the clipboard.
Post the log in your reply (if the log is long, archive it into a zip file and attach it instead of posting). Post the attach.txt contents too.

oldskool
2010-06-07, 15:09
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 13:58:55
Windows 5.1.2600 Service Pack 2
Running: test.exe; Driver: C:\DOCUME~1\marcus\LOCALS~1\Temp\uwxcapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF4E106B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF4E10574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF4E10A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF4E1014C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF4E1064E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF4E1008C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF4E100F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF4E1076E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF4E1072E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF4E108AE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF790549E]
.rsrc C:\WINDOWS\system32\DRIVERS\i8042prt.sys entry point in ".rsrc" section [0xF7969294]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.exe[464] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.exe[464] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.exe[464] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00A0000C
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00CCFB8E
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00CCFD57
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 00CCFDFE
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] USER32.dll!TranslateMessage 7E418BF6 3 Bytes JMP 00CD49D2
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] USER32.dll!TranslateMessage + 4 7E418BFA 1 Byte [82]
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00CD4B14
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 00CD2C49
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 00CD2AAE
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 00CD2D55
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 00CD2C91
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 00CD2B07
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 00CD2D24
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 00CD2CD5
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 00CD2A55
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 00CD2BA8
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00CD2F45
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WS2_32.dll!send 71AB428A 5 Bytes JMP 00CC3A84
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00CC3AAA
.text C:\Documents and Settings\marcus\Desktop\test.exe[676] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00CC3A47
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0026FB8E
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0026FD57
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 0026FDFE
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 002749D2
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00274B14
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WS2_32.dll!send 71AB428A 5 Bytes JMP 00263A84
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00263AAA
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00263A47
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00272F45
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 00272C49
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 00272AAE
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 00272D55
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 00272C91
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 00272B07
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 00272D24
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 00272CD5
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 00272A55
.text C:\Program Files\WinZip\WZQKPICK.EXE[960] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 00272BA8
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 04C5FB8E
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 04C5FD57
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 04C5FDFE
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 04C649D2
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 04C64B14
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 04C62C49
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 04C62AAE
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 04C62D55
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 04C62C91
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 04C62B07
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 04C62D24
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 04C62CD5
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 04C62A55
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 04C62BA8
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 04C62F45
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WS2_32.dll!send 71AB428A 5 Bytes JMP 04C53A84
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 04C53AAA
.text C:\WINDOWS\system32\PDesk\PDesk.exe[1216] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 04C53A47
.text C:\WINDOWS\system32\sstray.exe[1228] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0027FB8E
.text C:\WINDOWS\system32\sstray.exe[1228] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0027FD57
.text C:\WINDOWS\system32\sstray.exe[1228] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 0027FDFE
.text C:\WINDOWS\system32\sstray.exe[1228] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 002849D2
.text C:\WINDOWS\system32\sstray.exe[1228] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00284B14
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 00282C49
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 00282AAE
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 00282D55
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 00282C91
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 00282B07
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 00282D24
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 00282CD5
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 00282A55
.text C:\WINDOWS\system32\sstray.exe[1228] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 00282BA8
.text C:\WINDOWS\system32\sstray.exe[1228] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00282F45
.text C:\WINDOWS\system32\sstray.exe[1228] WS2_32.dll!send 71AB428A 5 Bytes JMP 00273A84
.text C:\WINDOWS\system32\sstray.exe[1228] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00273AAA
.text C:\WINDOWS\system32\sstray.exe[1228] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00273A47
.text C:\WINDOWS\system32\rundll32.exe[1236] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 001BFB8E
.text C:\WINDOWS\system32\rundll32.exe[1236] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001BFD57
.text C:\WINDOWS\system32\rundll32.exe[1236] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 001BFDFE
.text C:\WINDOWS\system32\rundll32.exe[1236] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 001C49D2
.text C:\WINDOWS\system32\rundll32.exe[1236] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 001C4B14
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 001C2C49
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 001C2AAE
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 001C2D55
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 001C2C91
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 001C2B07
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 001C2D24
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 001C2CD5
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 001C2A55
.text C:\WINDOWS\system32\rundll32.exe[1236] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 001C2BA8
.text C:\WINDOWS\system32\rundll32.exe[1236] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 001C2F45
.text C:\WINDOWS\system32\rundll32.exe[1236] WS2_32.dll!send 71AB428A 5 Bytes JMP 001B3A84
.text C:\WINDOWS\system32\rundll32.exe[1236] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 001B3AAA
.text C:\WINDOWS\system32\rundll32.exe[1236] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 001B3A47
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0117FB8E
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0117FD57
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 0117FDFE
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 011849D2
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 01184B14
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 01182F45
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 01182C49
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 01182AAE
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 01182D55
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 01182C91
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 01182B07
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 01182D24
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 01182CD5
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 01182A55
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 01182BA8
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WS2_32.dll!send 71AB428A 5 Bytes JMP 01173A84
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 01173AAA
.text C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe[1272] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01173A47
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1296] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0079000C
.text C:\WINDOWS\System32\svchost.exe[1296] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 008F000A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0027FB8E
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0027FD57
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 0027FDFE
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 002849D2
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00284B14
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 00282C49
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 00282AAE
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 00282D55
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 00282C91
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 00282B07
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 00282D24
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 00282CD5
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 00282A55
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 00282BA8
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00282F45
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WS2_32.dll!send 71AB428A 5 Bytes JMP 00273A84
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00273AAA
.text C:\Program Files\Java\jre6\bin\jusched.exe[1404] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00273A47
.text C:\WINDOWS\tsnpstd3.exe[1448] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0027FB8E
.text C:\WINDOWS\tsnpstd3.exe[1448] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0027FD57
.text C:\WINDOWS\tsnpstd3.exe[1448] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 0027FDFE
.text C:\WINDOWS\tsnpstd3.exe[1448] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 002849D2
.text C:\WINDOWS\tsnpstd3.exe[1448] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00284B14
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 00282C49
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 00282AAE
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 00282D55
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 00282C91
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 00282B07
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 00282D24
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 00282CD5
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 00282A55
.text C:\WINDOWS\tsnpstd3.exe[1448] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 00282BA8
.text C:\WINDOWS\tsnpstd3.exe[1448] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00282F45
.text C:\WINDOWS\tsnpstd3.exe[1448] WS2_32.dll!send 71AB428A 5 Bytes JMP 00273A84
.text C:\WINDOWS\tsnpstd3.exe[1448] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00273AAA
.text C:\WINDOWS\tsnpstd3.exe[1448] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00273A47
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 003AFB8E
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 003AFD57
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 003AFDFE
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 003B49D2
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 003B4B14
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WS2_32.dll!send 71AB428A 5 Bytes JMP 003A3A84
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 003A3AAA
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 003A3A47
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 003B2F45
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 003B2C49
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 003B2AAE
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 003B2D55
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 003B2C91
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 003B2B07
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 003B2D24
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 003B2CD5
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 003B2A55
.text C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe[1524] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 003B2BA8
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 00C4FB8E
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00C4FD57
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 00C4FDFE
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 00C549D2
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00C54B14
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C43A84
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00C43AAA
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C43A47
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00C52F45
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 00C52C49
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 00C52AAE
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 00C52D55
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 00C52C91
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 00C52B07
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 00C52D24
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 00C52CD5
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 00C52A55
.text C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe[1644] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 00C52BA8
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 0036FB8E
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0036FD57
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 0036FDFE
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 003749D2
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 00374B14
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WS2_32.dll!send 71AB428A 5 Bytes JMP 00363A84
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 00363AAA
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00363A47
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 00372F45
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 00372C49
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 00372AAE
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 00372D55
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 00372C91
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 00372B07
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 00372D24
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 00372CD5
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 00372A55
.text C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe[1876] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 00372BA8
.text C:\WINDOWS\system32\wscntfy.exe[2688] ntdll.dll!NtCreateThread 7C90D7D2 5 Bytes JMP 001AFB8E
.text C:\WINDOWS\system32\wscntfy.exe[2688] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 001AFD57
.text C:\WINDOWS\system32\wscntfy.exe[2688] kernel32.dll!GetFileAttributesExW 7C8110F5 5 Bytes JMP 001AFDFE
.text C:\WINDOWS\system32\wscntfy.exe[2688] USER32.dll!TranslateMessage 7E418BF6 5 Bytes JMP 001B49D2
.text C:\WINDOWS\system32\wscntfy.exe[2688] USER32.dll!GetClipboardData 7E430D7A 5 Bytes JMP 001B4B14
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!InternetCloseHandle 771C4D4C 5 Bytes JMP 001B2C49
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!HttpSendRequestA 771C60D9 5 Bytes JMP 001B2AAE
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!HttpQueryInfoA 771C79A2 5 Bytes JMP 001B2D55
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!InternetReadFile 771C828C 5 Bytes JMP 001B2C91
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!HttpSendRequestExW 771CE999 5 Bytes JMP 001B2B07
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!InternetQueryDataAvailable 771D8A17 5 Bytes JMP 001B2D24
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!InternetReadFileExA 771F839E 5 Bytes JMP 001B2CD5
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!HttpSendRequestW 77211F9C 5 Bytes JMP 001B2A55
.text C:\WINDOWS\system32\wscntfy.exe[2688] WININET.dll!HttpSendRequestExA 772120A1 5 Bytes JMP 001B2BA8
.text C:\WINDOWS\system32\wscntfy.exe[2688] CRYPT32.dll!PFXImportCertStore 77AEF748 5 Bytes JMP 001B2F45
.text C:\WINDOWS\system32\wscntfy.exe[2688] WS2_32.dll!send 71AB428A 5 Bytes JMP 001A3A84
.text C:\WINDOWS\system32\wscntfy.exe[2688] WS2_32.dll!WSASend 71AB6233 5 Bytes JMP 001A3AAA
.text C:\WINDOWS\system32\wscntfy.exe[2688] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 001A3A47

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003A0002
IAT C:\WINDOWS\system32\services.exe[900] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003A0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 87356EE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxklpppqlr.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001060a97383 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxxdpamdib.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060a97383
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\001060a97383 (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{094B2BCB-5F41-A489-844CA2903E1BF922}\{1B79708C-954D-DA8B-5F143B07D51E051A}\{8065E7BA-FA41-5074-25B3B36277F50BBE}
Reg HKLM\SOFTWARE\Classes\CLSID\{094B2BCB-5F41-A489-844CA2903E1BF922}\{1B79708C-954D-DA8B-5F143B07D51E051A}\{8065E7BA-FA41-5074-25B3B36277F50BBE}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}
Reg HKLM\SOFTWARE\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}
Reg HKLM\SOFTWARE\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7FAFFD5B-ECA5-8590-06385EB5239D555A}\{E5D513A6-5530-C183-13C6195B3F88B339}\{5B7495F9-FD9A-8C8C-FD87354974961E7A}
Reg HKLM\SOFTWARE\Classes\CLSID\{7FAFFD5B-ECA5-8590-06385EB5239D555A}\{E5D513A6-5530-C183-13C6195B3F88B339}\{5B7495F9-FD9A-8C8C-FD87354974961E7A}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}
Reg HKLM\SOFTWARE\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DAB5C844-BE4A-29F4-AD8FABA4C17947A0}\{6913C59A-116F-5212-1A8157F10917C9CC}\{8C3FE3F0-4F1D-5A94-937677A4B6D15CAE}
Reg HKLM\SOFTWARE\Classes\CLSID\{DAB5C844-BE4A-29F4-AD8FABA4C17947A0}\{6913C59A-116F-5212-1A8157F10917C9CC}\{8C3FE3F0-4F1D-5A94-937677A4B6D15CAE}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Blade81
2010-06-07, 17:02
Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New DDS log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

oldskool
2010-06-07, 18:20
DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by marcus at 17:22:10.98 on Mon 06/07/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.514 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\marcus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [NSeries.PCSync] c:\program files\nokia\nseries pc suite\system utilities\PcSync2.exe /NoDialog
uRun: [{597CF0BC-F4C0-668B-3E2E-E23D4EFE5C26}] "c:\documents and settings\marcus\application data\pyubaz\cyag.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Matrox Powerdesk] c:\windows\system32\pdesk\PDesk.exe /Autolaunch
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NSLauncher] c:\program files\nokia\nokia software launcher\NSLauncher.exe /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
StartupFolder: c:\docume~1\marcus\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\marcus\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7050v5\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sataraid.lnk - c:\program files\silicon image\siisataraid\SATARaid.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\marcus\applic~1\mozilla\firefox\profiles\6ru1ampx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.oldskoolprovider.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\marcus\application data\mozilla\firefox\profiles\6ru1ampx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-4 64288]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2008-5-21 89749]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-1 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-1 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-1 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-5-21 38144]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-12-8 54752]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-1 352920]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-5-1 238848]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-2-7 127496]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-1 254040]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1314704]

=============== Created Last 30 ================

2010-06-07 15:28:25 0 d-sha-r- C:\cmdcons
2010-06-07 15:24:13 98816 ----a-w- c:\windows\sed.exe
2010-06-07 15:24:13 77312 ----a-w- c:\windows\MBR.exe
2010-06-07 15:24:13 256512 ----a-w- c:\windows\PEV.exe
2010-06-07 15:24:13 161792 ----a-w- c:\windows\SWREG.exe
2010-05-27 17:23:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-13 12:46:54 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

==================== Find3M ====================

2010-06-06 19:48:28 2608 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-27 17:23:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

============= FINISH: 17:22:31.81 ===============

COMBO:

ComboFix 10-06-06.05 - marcus 06/07/2010 17:13:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.551 [GMT 1:00]
Running from: c:\documents and settings\marcus\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-03 02:31 . 2010-06-03 02:31 -------- d-----w- c:\program files\ERUNT
2010-05-27 17:23 . 2010-05-27 17:23 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-27 17:20 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-13 22:31 . 2010-05-13 22:31 655360 ----a-w- c:\documents and settings\marcus\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll
2010-05-13 22:31 . 2010-05-13 22:31 282624 ----a-w- c:\documents and settings\marcus\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll
2010-05-13 22:31 . 2010-05-13 22:31 208896 ----a-w- c:\documents and settings\marcus\Application Data\Spotify\Gracenote\gnsdk_dsp.dll
2010-05-13 12:46 . 2010-05-27 17:20 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-12 13:33 . 2010-05-12 13:35 1482752 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_octgao_09.27dbd220adee9f16140622d34764fadb.dll
2010-05-12 13:33 . 2010-05-12 13:33 1626112 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_flightzone.120e06d45a565cdc8a97a294773b7eb8.dll
2010-05-12 13:33 . 2010-05-12 13:33 213090 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mptleaderboard.5a678c57a8ed645b49592a1121fd619f.dll
2010-05-12 13:33 . 2010-05-12 13:33 524560 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_tggg.f8ba0ccac248b6026b2705996790640a.dll
2010-05-12 13:08 . 2010-05-12 13:08 307300 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjackplugin.0b33c40e992b0cec60ff557d251457d2.dll
2010-05-12 13:07 . 2010-05-12 13:07 335976 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvtabletournamentlobby.fc620794b1b18938b640573c722b3922.dll
2010-05-12 13:04 . 2010-05-12 13:04 311398 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjacktourxxx.96f2985eb296e0eeb1592aacd45d6e4c.dll
2010-05-12 13:04 . 2010-05-12 13:04 233472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjstrategyui1.5a2f52359fe99e4484435bbaf8f92b30.dll
2010-05-12 13:04 . 2010-05-12 13:04 589824 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldplugin.794fbb37693eb8ea0687d012b6697332.dll
2010-05-12 13:04 . 2010-05-12 13:04 512000 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldxxx.098a7b3de069b4b076bd8c2cc92131be.dll
2010-05-12 13:04 . 2010-05-12 13:04 225280 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldautoplayplugin.9e04124b2f25d98a562d14260b995f0c.dll
2010-05-12 13:04 . 2010-05-12 13:04 126976 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjstrategyui1.95a00a7e6658ab8736067b646ccd9783.dll
2010-05-12 13:04 . 2010-05-12 13:04 233472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjgoldstatsplugin.67546387f1af1fe46f021dbce8a072f4.dll
2010-05-12 13:04 . 2010-05-12 13:04 147456 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bjstrategylogic1.cae96e5e68740973929725d2ac549cc0.dll
2010-05-12 13:04 . 2010-05-12 13:04 413696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldplugin.5d832144ec1b88e6caeb7446bbe13d54.dll
2010-05-12 13:04 . 2010-05-12 13:04 225280 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mhbjgoldxxx.042cb38dc856800dc292666302eb33ed.dll
2010-05-12 13:00 . 2010-05-12 13:00 163840 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\goldseries_euroroulette.c04add4a4ccdfa99acf5bc9050a74d69.dll
2010-05-12 13:00 . 2010-05-12 13:00 53342 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\blplugin.43df87da33698c32bca7a2698484452d.dll
2010-05-12 13:00 . 2010-05-12 13:00 412685 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\goldseries_roulette.1edb0f45625215829abaaca345d96e06.dll
2010-05-11 11:29 . 2010-05-11 11:29 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-09 04:46 . 2010-05-09 04:46 -------- d-----w- c:\documents and settings\marcus\Local Settings\Application Data\cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 15:59 . 2009-03-17 09:13 -------- d-----w- c:\documents and settings\marcus\Application Data\Asdyz
2010-06-07 15:20 . 2008-05-28 15:33 -------- d-----w- c:\documents and settings\marcus\Application Data\Skype
2010-06-07 15:01 . 2008-05-28 15:35 -------- d-----w- c:\documents and settings\marcus\Application Data\skypePM
2010-06-06 20:29 . 2008-05-21 23:49 -------- d-----w- c:\documents and settings\marcus\Application Data\uTorrent
2010-06-06 20:20 . 2008-05-21 23:49 -------- d-----w- c:\program files\uTorrent
2010-06-06 19:49 . 2010-02-25 07:19 -------- d-----w- c:\documents and settings\marcus\Application Data\vlc
2010-06-06 19:48 . 2008-05-01 19:05 2608 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-03 01:04 . 2008-04-29 17:47 -------- d-----w- c:\program files\Google
2010-06-03 00:09 . 2008-04-29 22:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-03 00:00 . 2009-09-15 19:40 -------- d-----w- c:\program files\Full Tilt Poker
2010-06-02 23:37 . 2010-04-02 01:27 -------- d-----w- c:\documents and settings\marcus\Application Data\dvdcss
2010-05-28 09:36 . 2008-05-14 01:32 -------- d-----w- c:\program files\PartyGaming
2010-05-27 17:23 . 2010-02-04 06:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-27 17:20 . 2008-05-01 15:32 -------- d-----w- c:\program files\Lavasoft
2010-05-20 15:20 . 2008-08-15 12:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-13 22:36 . 2009-06-12 18:36 -------- d-----w- c:\documents and settings\marcus\Application Data\Spotify
2010-05-12 13:00 . 2009-03-20 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\MGS
2010-04-29 14:39 . 2008-08-15 12:17 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2008-08-15 12:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 15:11 . 2008-06-11 14:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 07:59 . 2010-04-11 07:59 -------- d-----w- c:\program files\Common Files\StarCam
2010-04-11 05:34 . 2009-12-16 15:54 -------- d-----r- c:\program files\Skype
2010-04-11 05:32 . 2010-04-11 05:32 -------- d-----w- c:\program files\Common Files\Skype
2010-04-11 05:32 . 2008-05-28 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-30 15:36 . 2009-11-27 18:26 79488 ----a-w- c:\documents and settings\marcus\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-26 09:33 . 2010-04-15 01:11 1496064 ----a-w- c:\documents and settings\marcus\Application Data\Mozilla\Firefox\Profiles\6ru1ampx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 09:33 . 2010-04-15 01:11 43008 ----a-w- c:\documents and settings\marcus\Application Data\Mozilla\Firefox\Profiles\6ru1ampx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 09:33 . 2010-04-15 01:11 339456 ----a-w- c:\documents and settings\marcus\Application Data\Mozilla\Firefox\Profiles\6ru1ampx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 09:32 . 2010-04-15 01:11 346112 ----a-w- c:\documents and settings\marcus\Application Data\Mozilla\Firefox\Profiles\6ru1ampx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NSeries.PCSync"="c:\program files\Nokia\NSeries PC Suite\System Utilities\PcSync2.exe" [2007-02-23 1716224]
"{597CF0BC-F4C0-668B-3E2E-E23D4EFE5C26}"="c:\documents and settings\marcus\Application Data\Pyubaz\cyag.exe" [2009-06-08 133621]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Matrox Powerdesk"="c:\windows\system32\PDesk\PDesk.exe" [2004-09-14 684032]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"NSLauncher"="c:\program files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 3100672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-01 136600]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2006-07-07 262144]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
ofecr.exe [2010-5-21 133179]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
awviaz.exe [2010-5-21 133179]

c:\documents and settings\marcus\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2009-5-21 1564672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
SATARaid.lnk - c:\program files\Silicon Image\SiISATARaid\SATARaid.exe [2008-5-6 598069]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-6-6 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave"=DrvTrNTm.dll
"mixer"=DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\Belkin\\F5D7050v5\\Belkinwcui.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/4/2010 4:56 AM 64288]
R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [5/21/2008 2:47 PM 89749]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/1/2008 3:48 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/1/2008 3:48 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [5/21/2009 7:32 PM 38144]
R3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [5/1/2009 1:15 PM 238848]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2/7/2009 12:18 AM 127496]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 4:52 PM 1314704]
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 02:56]

2010-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-06-07 c:\windows\Tasks\avast! Antivirus.job
- c:\progra~1\ALWILS~1\Avast4\ashAvast.exe [2008-05-01 16:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\marcus\Application Data\Mozilla\Firefox\Profiles\6ru1ampx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.oldskoolprovider.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\marcus\Application Data\Mozilla\Firefox\Profiles\6ru1ampx.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-07 17:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{094B2BCB-5F41-A489-844CA2903E1BF922}\{1B79708C-954D-DA8B-5F143B07D51E051A}\{8065E7BA-FA41-5074-25B3B36277F50BBE}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,a9,1b,b9,
a5,89,06,88,40,19,fa,e3,2b,f6,39,ab,b3,b0,78,4a,df,d8,18,b2,a9,2e,24,84,15,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,a9,1b,b9,
a5,89,06,88,40,19,fa,e3,2b,f6,39,ab,b3,b0,78,4a,df,d8,18,b2,a9,2e,24,84,15,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7FAFFD5B-ECA5-8590-06385EB5239D555A}\{E5D513A6-5530-C183-13C6195B3F88B339}\{5B7495F9-FD9A-8C8C-FD87354974961E7A}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,a9,1b,b9,
a5,89,06,88,40,19,fa,e3,2b,f6,39,ab,b3,b0,78,4a,df,d8,18,b2,a9,2e,24,84,15,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DAB5C844-BE4A-29F4-AD8FABA4C17947A0}\{6913C59A-116F-5212-1A8157F10917C9CC}\{8C3FE3F0-4F1D-5A94-937677A4B6D15CAE}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(820)
c:\windows\system32\PDesk\PDKERNEL.DLL
c:\windows\system32\PDesk\PDTOOLS.DLL
c:\windows\system32\PDesk\PDRESENG.DLL
.
Completion time: 2010-06-07 17:19:34
ComboFix-quarantined-files.txt 2010-06-07 16:19
ComboFix2.txt 2010-06-07 16:07

Pre-Run: 3,902,238,720 bytes free
Post-Run: 3,875,028,992 bytes free

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 1436DB22F7DDC34802BAF70A063818F2

Blade81
2010-06-07, 21:12
Hi again,

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:



Open notepad and copy/paste the text in the quotebox below into it:



http://forums.spybot.info/showthread.php?t=57778
Collect::
c:\documents and settings\marcus\application data\pyubaz\cyag.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\ofecr.exe
c:\documents and settings\Guest\Start Menu\Programs\Startup\awviaz.exe
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [{597CF0BC-F4C0-668B-3E2E-E23D4EFE5C26}] "c:\documents and settings\marcus\application data\pyubaz\cyag.exe"
Folder::
c:\documents and settings\marcus\Application Data\uTorrent
c:\program files\uTorrent
c:\documents and settings\marcus\Application Data\Pyubaz
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{094B2BCB-5F41-A489-844CA2903E1BF922}\{1B79708C-954D-DA8B-5F143B07D51E051A}\{8065E7BA-FA41-5074-25B3B36277F50BBE}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1159B246-0933-86DB-AD593C3CB7051897}\{4B332D01-174C-E53B-FFAF1A8AAD861E31}\{3A54BA3C-24AD-210D-6C7EF9C90D2B01E7}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7FAFFD5B-ECA5-8590-06385EB5239D555A}\{E5D513A6-5530-C183-13C6195B3F88B339}\{5B7495F9-FD9A-8C8C-FD87354974961E7A}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{969D404C-EC53-A9AF-A02B8ED8C194B4B8}\{49CEC6C1-E90A-6C40-7DC9D5345834AD37}\{B3C560DA-C3C9-1298-A5CC78F93CD65657}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DAB5C844-BE4A-29F4-AD8FABA4C17947A0}\{6913C59A-116F-5212-1A8157F10917C9CC}\{8C3FE3F0-4F1D-5A94-937677A4B6D15CAE}*]



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.
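An added example, not part of this thread and not ComboFix's or the helper's code: a small scanner that picks out the three hijack indicators visible in the log above and drafts the CFScript sections that address them, in the same Collect::/DDS::/RegNull:: form the helper's script uses. The indicators are (1) a uRun entry whose value name is a bare GUID and whose target sits under Application Data, (2) FF - user.js lines that force security warnings off (user.js is re-applied every time Firefox starts, which is why the settings come back after being changed in about:config; the file has to be removed from the profile path shown in the log), and (3) locked CLSID keys whose GUIDs are not the canonical {8-4-4-4-12} shape, which no real COM registration produces and which the RegNull:: section targets. The regular expressions and the list of weakened prefs are my own choices; the sample lines are copied from the log posted above.

```python
"""Flag browser-hijack indicators in a ComboFix/DDS log and draft the
matching CFScript sections.  Added example; not part of the forum thread
and not ComboFix's own code.  Sample lines are copied from the posted log."""
import re

# Canonical CLSID shape is {8-4-4-4-12} hex.  The locked keys in the log use
# {8-4-4-16} (last two groups fused), which legitimate COM registrations never do.
CANONICAL_GUID = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.I)
GUID_LIKE = re.compile(r"\{[0-9A-F-]+\}", re.I)
RUN_ENTRY = re.compile(r'^([um]Run): \[([^\]]+)\] "?(.+?)"?$', re.I)
USERJS = re.compile(r"^FF - user\.js: (\S+) - (\S+)$")
LOCKED_KEY = re.compile(r"^\[(HKEY_[^\]]+)\*\]$")   # ComboFix marks them with '*'

# My selection (assumption) of user.js overrides that weaken the browser:
# warnings off and cookies accepted/kept so the hijacker's tracking persists.
WEAKENING_PREFS = {
    "security.warn_submit_insecure": "false",
    "security.warn_viewing_mixed": "false",
    "privacy.clearOnShutdown.cookies": "false",
    "network.cookie.cookieBehavior": "0",
}

# Constructed sample: lines copied from the log above plus benign neighbours.
SAMPLE_LOG = r"""
uRun: [{597CF0BC-F4C0-668B-3E2E-E23D4EFE5C26}] "c:\documents and settings\marcus\application data\pyubaz\cyag.exe"
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
FF - prefs.js: browser.startup.homepage - hxxp://www.oldskoolprovider.com
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{094B2BCB-5F41-A489-844CA2903E1BF922}\{1B79708C-954D-DA8B-5F143B07D51E051A}\{8065E7BA-FA41-5074-25B3B36277F50BBE}*]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/1/2008 3:48 PM 114768]
"""


def scan_log(text):
    """Return a list of findings, each a dict with 'kind' and the raw 'line'."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_ENTRY.match(line)
        if m:
            name, target = m.group(2), m.group(3)
            # GUID-named autorun pointing into a user profile: classic dropper.
            if CANONICAL_GUID.match(name) and "application data" in target.lower():
                findings.append({"kind": "run", "line": line, "path": target})
            continue
        m = USERJS.match(line)
        if m and WEAKENING_PREFS.get(m.group(1)) == m.group(2):
            findings.append({"kind": "userjs", "line": line, "pref": m.group(1)})
            continue
        m = LOCKED_KEY.match(line)
        if m:
            key = m.group(1)
            bad = [g for g in GUID_LIKE.findall(key) if not CANONICAL_GUID.match(g)]
            if bad:
                findings.append({"kind": "regnull", "line": line, "key": key})
    return findings


def build_cfscript(findings):
    """Draft Collect::/DDS::/RegNull:: sections from the findings.
    A draft for a human helper to review, not an auto-remediation; user.js
    findings are reported by scan_log() but have no directive here."""
    collect = sorted({f["path"] for f in findings if f["kind"] == "run"})
    dds = [f["line"] for f in findings if f["kind"] == "run"]
    regnull = [f["line"] for f in findings if f["kind"] == "regnull"]
    parts = []
    if collect:
        parts.append("Collect::\n" + "\n".join(collect))
    if dds:
        parts.append("DDS::\n" + "\n".join(dds))
    if regnull:
        parts.append("RegNull::\n" + "\n".join(regnull))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["kind"].ljust(8), f["line"])
    print(build_cfscript(found))
```

Run it against a full log rather than the sample to get the draft; the user.js hits are printed but deliberately left out of the script, since the fix for those is deleting user.js from the Firefox profile directory named in the log.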

tashi
2010-06-14, 16:32
oldskool, this thread has been archived due to inactivity.

As it has been four days or more since your last post, and the helper assisting you posted a response to which you did not reply, your topic will not be re-opened. If you still require help, please start a new topic and include a DDS log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you Blade81. :)