Hi! need help... multiple iexplore.exe on task manager.. tnx

Solved
By meloxicam10
Apr 8, 2011
  1. I have lots of iexplore.exe on my task manager. I tried to look for tips around, while I got hold of a bunch of malwares and viruses... I still have the problem and it's killing my memory. So I finally decided to look for some expert's intervention. tnx so much
  2. Broni (Malware Annihilator)

    Welcome aboard

    While IE is open? Which IE version?
  3. meloxicam10 (Topic Starter)

    Internet Explorer 8... yes, upon opening IE, 3 or more iexplore.exe are popping up in the task manager. I was never aware of it before until I seemed to be running low on memory always and networking seemed very sluggish. I tried different spyware and malware removers and bumped into a handful of trojans... but the problem persists... tnx for the immediate reply
  4. Broni (Malware Annihilator)

    You have to watch it closely, because IE8, unlike previous IE versions, will open 2 iexplore.exe processes from the get-go and another process for each opened tab.
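    The process-model point above (one frame process plus one process per tab) is something you can check from a process snapshot rather than by eyeballing Task Manager. The following is an added example, not Broni's code and not part of the TechSpot cleaning procedure: it reads a constructed snapshot in a CSV layout of my own (pid, parent pid, name, image path; not the exact output of tasklist or wmic), groups the iexplore.exe processes into frames and the tab processes started by each frame, and flags the shapes that do not fit that model. The IE install directory is assumed to be the 32-bit default; the flags are heuristics for a closer look, not verdicts.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed process snapshot in my own CSV layout (not the output of any
# particular tool).  One IE8 window: frame 2400 started by explorer.exe with
# three tab processes under it.  A fifth iexplore.exe (3150) is included
# with an odd parent and path so the checks below have something to flag.
SNAPSHOT_CSV = """\
pid,ppid,name,path
1200,880,explorer.exe,C:\\Windows\\explorer.exe
2400,1200,iexplore.exe,C:\\Program Files\\Internet Explorer\\iexplore.exe
2410,2400,iexplore.exe,C:\\Program Files\\Internet Explorer\\iexplore.exe
2420,2400,iexplore.exe,C:\\Program Files\\Internet Explorer\\iexplore.exe
2430,2400,iexplore.exe,C:\\Program Files\\Internet Explorer\\iexplore.exe
3100,1200,rundll32.exe,C:\\Windows\\System32\\rundll32.exe
3150,3100,iexplore.exe,C:\\Users\\User\\AppData\\Local\\Temp\\iexplore.exe
"""

# Assumption: default install directory of 32-bit IE8 on an x86 Vista system.
IE_INSTALL_DIR = "c:\\program files\\internet explorer\\"


def load_snapshot(text: str) -> Dict[int, dict]:
    """Parse the CSV snapshot into {pid: {pid, ppid, name, path}}."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = int(row["pid"])
        procs[pid] = {"pid": pid, "ppid": int(row["ppid"]),
                      "name": row["name"], "path": row["path"]}
    return procs


def triage_iexplore(procs: Dict[int, dict]) -> Tuple[Dict[int, List[int]], List[Tuple[int, str]]]:
    """Group iexplore.exe processes into frames and the tabs they started.

    Under IE8's process model a window is a frame process plus at least one
    tab process started by that frame, so a tab's parent is an iexplore.exe.
    Returns ({frame_pid: [tab_pids]}, [(pid, reason), ...]); the reasons are
    heuristics for a closer look, not verdicts.
    """
    ie = {pid: p for pid, p in procs.items() if p["name"].lower() == "iexplore.exe"}
    frames: Dict[int, List[int]] = {}
    anomalies: List[Tuple[int, str]] = []

    for pid, p in sorted(ie.items()):
        if not p["path"].lower().startswith(IE_INSTALL_DIR):
            anomalies.append((pid, "image outside the IE install directory: " + p["path"]))
        parent = procs.get(p["ppid"])
        if parent is not None and parent["name"].lower() == "iexplore.exe":
            frames.setdefault(parent["pid"], []).append(pid)   # a tab of that frame
            continue
        frames.setdefault(pid, [])                              # a top-level frame
        if parent is None:
            anomalies.append((pid, "parent pid %d is not in the snapshot" % p["ppid"]))
        elif parent["name"].lower() != "explorer.exe":
            anomalies.append((pid, "frame launched by %s (pid %d), not the shell"
                              % (parent["name"], parent["pid"])))

    # A frame with no tab process does not match the "2 processes from the
    # get-go" shape of a normally opened IE8 window.
    for fpid in sorted(frames):
        if not frames[fpid]:
            anomalies.append((fpid, "frame with no tab process"))
    return frames, anomalies


if __name__ == "__main__":
    procs = load_snapshot(SNAPSHOT_CSV)
    frames, anomalies = triage_iexplore(procs)
    total = sum(1 + len(tabs) for tabs in frames.values())
    print("iexplore.exe processes: %d" % total)
    for fpid, tabs in sorted(frames.items()):
        print("  frame %d: %d tab process(es) %s" % (fpid, len(tabs), tabs))
    for pid, reason in anomalies:
        print("  check pid %d: %s" % (pid, reason))
```

    On the constructed snapshot the one real window accounts for four processes (frame plus three tabs, which matches "2 from the get-go plus one per extra tab"), and the fifth iexplore.exe is reported three times: wrong path, unusual parent, and no tab process of its own. A real snapshot with those four columns can be fed in unchanged.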
  5. meloxicam10 (Topic Starter)

    Ah... so how would I know I don't have the same problem as other peeps? I feel like there's something wrong with my system because I used to surf fast and it didn't hang even if I had multiple programs up (Vista Home Basic)...
  6. Broni (Malware Annihilator)

    If you feel your computer may be infected....

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  7. meloxicam10 (Topic Starter)

    Hi! Here are the logs you requested. tnx in advance

    Attached Files:

  8. meloxicam10 (Topic Starter)

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5363

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    4/9/2011 3:24:15 PM
    mbam-log-2011-04-09 (15-24-15).txt

    Scan type: Quick scan
    Objects scanned: 140631
    Time elapsed: 3 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  9. meloxicam10 (Topic Starter)

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-09 15:17:55
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000060 Hitachi_ rev.P22O
    Running: myffbimt.exe; Driver: C:\Users\User\AppData\Local\Temp\kgldapob.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[2752] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Windows\system32\taskeng.exe[2752] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 1F, 00]
    .text C:\Windows\system32\taskeng.exe[2752] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Windows\system32\taskeng.exe[2752] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Windows\system32\taskeng.exe[2752] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Windows\system32\taskeng.exe[2752] WS2_32.dll!connect 771740D9 6 Bytes JMP 71820F5A
    .text C:\Windows\system32\taskeng.exe[2752] WS2_32.dll!WSALookupServiceNextW 7717455D 6 Bytes JMP 71790F5A
    .text C:\Windows\system32\taskeng.exe[2752] WS2_32.dll!WSALookupServiceBeginW 77174E93 6 Bytes JMP 717C0F5A
    .text C:\Windows\system32\taskeng.exe[2752] WS2_32.dll!WSALookupServiceEnd 77175564 6 Bytes JMP 71760F5A
    .text C:\Windows\system32\taskeng.exe[2752] WS2_32.dll!listen 77178CD7 6 Bytes JMP 717F0F5A
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\Dwm.exe[2868] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Windows\system32\Dwm.exe[2868] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 0B, 00] {OR AL, [EAX]; OR EAX, [EAX]}
    .text C:\Windows\system32\Dwm.exe[2868] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Windows\system32\Dwm.exe[2868] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Windows\system32\Dwm.exe[2868] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Windows\system32\Dwm.exe[2868] WS2_32.dll!connect 771740D9 6 Bytes JMP 717F0F5A
    .text C:\Windows\system32\Dwm.exe[2868] WS2_32.dll!WSALookupServiceNextW 7717455D 6 Bytes JMP 71760F5A
    .text C:\Windows\system32\Dwm.exe[2868] WS2_32.dll!WSALookupServiceBeginW 77174E93 6 Bytes JMP 71790F5A
    .text C:\Windows\system32\Dwm.exe[2868] WS2_32.dll!WSALookupServiceEnd 77175564 6 Bytes JMP 71820F5A
    .text C:\Windows\system32\Dwm.exe[2868] WS2_32.dll!listen 77178CD7 6 Bytes JMP 717C0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 17, 00]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] WS2_32.dll!connect 771740D9 6 Bytes JMP 717C0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] WS2_32.dll!WSALookupServiceNextW 7717455D 6 Bytes JMP 71820F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] WS2_32.dll!WSALookupServiceBeginW 77174E93 6 Bytes JMP 71760F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] WS2_32.dll!WSALookupServiceEnd 77175564 6 Bytes JMP 717F0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[3396] WS2_32.dll!listen 77178CD7 6 Bytes JMP 71790F5A
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wuauclt.exe[3908] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Windows\system32\wuauclt.exe[3908] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 77, 00] {OR AL, [EAX]; JA 0x4}
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Windows\system32\wuauclt.exe[3908] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Windows\system32\wuauclt.exe[3908] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Windows\system32\wuauclt.exe[3908] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [7F, 71] {JG 0x73}
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [85, 71]
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [7C, 71] {JL 0x73}
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [82, 71]
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[3940] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [8A, 71]
    .text C:\Windows\System32\rundll32.exe[3940] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 1D, 00]
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 71970F5A
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 719D0F5A
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 71940F5A
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 719A0F5A
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71A60F5A
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!SendInput + 4 75B82F79 2 Bytes [9F, 71]
    .text C:\Windows\System32\rundll32.exe[3940] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A30F5A
    .text C:\Windows\System32\rundll32.exe[3940] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 718E0F5A
    .text C:\Windows\System32\rundll32.exe[3940] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71910F5A
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\mobsync.exe[4184] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Windows\System32\mobsync.exe[4184] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 1F, 00]
    .text C:\Windows\System32\mobsync.exe[4184] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Windows\System32\mobsync.exe[4184] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Windows\System32\mobsync.exe[4184] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 1D, 00]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] WS2_32.dll!connect 771740D9 6 Bytes JMP 717C0F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] WS2_32.dll!WSALookupServiceNextW 7717455D 6 Bytes JMP 71820F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] WS2_32.dll!WSALookupServiceBeginW 77174E93 6 Bytes JMP 71760F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] WS2_32.dll!WSALookupServiceEnd 77175564 6 Bytes JMP 717F0F5A
    .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[4548] WS2_32.dll!listen 77178CD7 6 Bytes JMP 71790F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 37, 00]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Users\User\Desktop\myffbimt.exe[5024] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Users\User\Desktop\myffbimt.exe[5024] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [7F, 71] {JG 0x73}
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [85, 71]
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [7C, 71] {JL 0x73}
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [82, 71]
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[7700] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [8A, 71]
    .text C:\Windows\System32\rundll32.exe[7700] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 0E, 00]
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 71970F5A
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 719D0F5A
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 71940F5A
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 719A0F5A
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71A60F5A
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!SendInput + 4 75B82F79 2 Bytes [9F, 71]
    .text C:\Windows\System32\rundll32.exe[7700] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A30F5A
    .text C:\Windows\System32\rundll32.exe[7700] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 718E0F5A
    .text C:\Windows\System32\rundll32.exe[7700] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71910F5A
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\explorer.exe[7772] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Windows\explorer.exe[7772] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 19, 00] {OR AL, [EAX]; SBB [EAX], EAX}
    .text C:\Windows\explorer.exe[7772] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Windows\explorer.exe[7772] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\explorer.exe[7772] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Windows\explorer.exe[7772] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Windows\explorer.exe[7772] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Windows\explorer.exe[7772] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Windows\explorer.exe[7772] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Windows\explorer.exe[7772] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\explorer.exe[7772] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Windows\explorer.exe[7772] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Windows\explorer.exe[7772] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C5 75FBB37C 4 Bytes [50, 26, 00, 10] {PUSH EAX; ADD ES:[EAX], DL}
    .text C:\Windows\explorer.exe[7772] WS2_32.dll!connect 771740D9 6 Bytes JMP 71790F5A
    .text C:\Windows\explorer.exe[7772] WS2_32.dll!WSALookupServiceNextW 7717455D 6 Bytes JMP 71700F5A
    .text C:\Windows\explorer.exe[7772] WS2_32.dll!WSALookupServiceBeginW 77174E93 6 Bytes JMP 71730F5A
    .text C:\Windows\explorer.exe[7772] WS2_32.dll!WSALookupServiceEnd 77175564 6 Bytes JMP 716D0F5A
    .text C:\Windows\explorer.exe[7772] WS2_32.dll!listen 77178CD7 6 Bytes JMP 71760F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtCreateFile 770A4224 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtCreateFile + 4 770A4228 2 Bytes [87, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtDeleteValueKey 770A4644 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtDeleteValueKey + 4 770A4648 2 Bytes [8D, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtOpenFile 770A4A04 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtOpenFile + 4 770A4A08 2 Bytes [84, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtOpenProcess 770A4A84 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtOpenProcess + 4 770A4A88 2 Bytes [8A, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtSetValueKey 770A52A4 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ntdll.dll!NtSetValueKey + 4 770A52A8 2 Bytes [90, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] kernel32.dll!LoadLibraryExW + 248 76AC9351 4 Bytes [0A, 00, 1B, 00] {OR AL, [EAX]; SBB EAX, [EAX]}
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ADVAPI32.dll!CreateServiceW 76EE9EB4 6 Bytes JMP 71940F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] ADVAPI32.dll!CreateServiceA 76F272A1 6 Bytes JMP 71970F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!PostMessageA 75B5F8F8 6 Bytes JMP 719D0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!SendMessageA 75B5F956 6 Bytes JMP 71A30F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!PostMessageW 75B6A175 6 Bytes JMP 719A0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!SendMessageW 75B70AED 6 Bytes JMP 71A00F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!mouse_event 75B8044E 6 Bytes JMP 71AC0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!SendInput 75B82F75 3 Bytes [FF, 25, 1E]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!SendInput + 4 75B82F79 2 Bytes [A5, 71]
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] USER32.dll!keybd_event 75BAD972 6 Bytes JMP 71A90F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] WS2_32.dll!connect 771740D9 6 Bytes JMP 717C0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] WS2_32.dll!WSALookupServiceNextW 7717455D 6 Bytes JMP 71820F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] WS2_32.dll!WSALookupServiceBeginW 77174E93 6 Bytes JMP 71760F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] WS2_32.dll!WSALookupServiceEnd 77175564 6 Bytes JMP 717F0F5A
    .text C:\Windows\system32\wbem\unsecapp.exe[8056] WS2_32.dll!listen 77178CD7 6 Bytes JMP 71790F5A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73F17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73F6A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73F1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73F0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73F175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73F0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F48395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [73F1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73F0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73F0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73F071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [73F9CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [73F3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73F0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73F06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73F0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73F12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [100027E0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002B60] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [100011D0] C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
    IAT C:\Windows\explorer.exe[7772] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [7001F3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.***\OpenWithProgids@\xa0\xa0\xa0_auto_file

    ---- EOF - GMER 1.0.15 ----
  10. meloxicam10

    meloxicam10 Newcomer, in training Topic Starter

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume2
    Install Date: 4/26/2008 1:25:22 AM
    System Uptime: 4/9/2011 11:49:52 AM (4 hours ago)
    .
    Motherboard: Acer | | WMCP78M
    Processor: Athlon 64 Dual Core 5000+ | Socket AM2 | 2600/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 67 GiB total, 0.939 GiB free.
    D: is Removable
    E: is FIXED (NTFS) - 72 GiB total, 2.225 GiB free.
    F: is CDROM (UDF)
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1404: 4/9/2011 12:10:53 PM - Device Driver Package Install: ZTE Corporation Ports (COM & LPT)
    .
    ==== Installed Programs ======================
    .
    Acer eDataSecurity Management
    Acer Empowering Technology
    Acer eRecovery Management
    Acer eSettings Management
    Acer GameZone Console DTV 2.0.1.1
    Acer ScreenSaver
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Advanced SystemCare 3
    Ashampoo Burning Studio 6 FREE
    Ask Toolbar
    Audacity 1.2.6
    BitTorrent
    Compatibility Pack for the 2007 Office system
    Emsisoft Anti-Malware 5.1
    eSobi v2
    Glary Utilities Pro 2.32.0.1126
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ImagXpress
    IObit Security 360
    IZArc 4.1.6
    Java Auto Updater
    Java(TM) 6 Update 24
    K-Lite Mega Codec Pack 6.8.0
    LightScribe 1.4.142.1
    LimeWire 5.6.2
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Office Professional Edition 2003
    Microsoft Office Word Viewer 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works
    Moyea YouTube FLV Downloader version: 3.1.2.23
    MSVC80_x86_v2
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML4 Parser
    Mystery Case Files - Huntsville
    neroxml
    Nokia Connectivity Cable Driver
    Nokia Lifeblog 2.5
    Nokia PC Suite
    NTI Backup Now 5
    NTI Backup Now Standard
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA ForceWare Network Access Manager
    PC Connectivity Solution
    Photo Pos Pro
    PhotoNow!
    Picture Package Music Transfer
    PowerDirector (Acer DT)
    PowerDVD 7.0 with 5.1ch
    PVSonyDll
    RealPlayer
    Realtek High Definition Audio Driver
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    SMART BRO
    Spyware Terminator
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    USB Video Device
    VC 9.0 Runtime
    VideoLAN VLC media player 0.8.6i
    VirtuaGirl version 1.0.5.2
    VistaGlazz 2.2
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Driver Package - Nokia Modem (06/01/2009 7.01.0.4)
    Windows Driver Package - Nokia Modem (10/05/2009 4.2)
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    WinRAR archiver
    Wise Registry Cleaner 5.9.4
    Yahoo! Toolbar
    Yahoo!7 Messenger
    YASA AVI WMV ASF MOV VOB to MP3 Converter v2.6 (build 0048)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/9/2011 6:31:33 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    4/9/2011 2:59:45 PM, Error: nvstor32 [5] - A parity error was detected on \Device\RaidPort0.
    4/9/2011 2:34:04 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    4/9/2011 2:34:04 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/9/2011 2:33:58 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    4/9/2011 2:32:20 AM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Microsoft Office Document Image Writer with shared resource name Microsoft Office Document Image Writer. Error 2114. The printer cannot be used by others on the network.
    4/9/2011 2:32:19 AM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\User\AppData\Local\Microsoft\Windows\UsrClass.dat' was corrupted and it has been recovered. Some data might have been lost.
    4/9/2011 12:02:37 PM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    4/9/2011 12:01:27 PM, Error: Service Control Manager [7034] - The IS360service service terminated unexpectedly. It has done this 1 time(s).
    4/9/2011 12:01:06 PM, Error: Service Control Manager [7031] - The Emsisoft Anti-Malware 5.0 - Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    4/9/2011 11:50:57 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    4/9/2011 11:50:15 AM, Error: volmgr [46] - Crash dump initialization failed!
    4/8/2011 6:52:28 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: a2injectiondriver AFD DfsC i8042prt NetBIOS netbt NetworkX nsiproxy PSched RasAcd rdbss Smb spldr sp_rsdrv2 StarOpen tdx Wanarpv6 ws2ifsl
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    4/8/2011 6:36:04 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    4/8/2011 6:36:03 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    4/8/2011 6:35:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    4/8/2011 6:35:29 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    4/8/2011 6:35:28 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/8/2011 6:35:19 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    4/8/2011 12:34:36 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    4/8/2011 1:40:49 AM, Error: Service Control Manager [7000] - The Nero BackItUp Scheduler 4.0 service failed to start due to the following error: The system cannot find the file specified.
    4/7/2011 6:08:49 PM, Error: Service Control Manager [7034] - The NTI Backup Now 5 Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
    4/7/2011 5:06:57 PM, Error: EventLog [6008] - The previous system shutdown at 4:04:45 PM on 4/7/2011 was unexpected.
    4/6/2011 3:15:39 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    4/6/2011 2:44:09 AM, Error: volmgr [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    4/6/2011 12:39:04 AM, Error: EventLog [6008] - The previous system shutdown at 12:36:47 AM on 4/6/2011 was unexpected.
    4/5/2011 8:37:42 PM, Error: EventLog [6008] - The previous system shutdown at 6:11:41 PM on 4/5/2011 was unexpected.
    4/5/2011 6:31:42 AM, Error: EventLog [6008] - The previous system shutdown at 5:17:53 PM on 4/4/2011 was unexpected.
    4/4/2011 4:22:54 PM, Error: EventLog [6008] - The previous system shutdown at 4:20:59 PM on 4/4/2011 was unexpected.
    4/4/2011 3:01:37 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user User-PC\User SID (S-1-5-21-597965172-4143358414-47882212-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    4/4/2011 3:01:37 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {682159D9-C321-47CA-B3F1-30E36B2EC8B9} to the user User-PC\User SID (S-1-5-21-597965172-4143358414-47882212-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    4/2/2011 4:15:58 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC i8042prt NetBIOS netbt NetworkX nsiproxy PSched RasAcd rdbss Smb spldr sp_rsdrv2 StarOpen tdx Wanarpv6 ws2ifsl
    4/2/2011 4:15:49 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.101.352.0 Loading engine version: 1.1.6702.0
    4/2/2011 1:51:27 AM, Error: EventLog [6008] - The previous system shutdown at 11:06:46 PM on 4/1/2011 was unexpected.
    .
    ==== End Of File ===========================
  11. meloxicam10

    meloxicam10 Newcomer, in training Topic Starter

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by User at 15:25:02.05 on Sat 04/09/2011
    Internet Explorer: 8.0.6001.19019
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.63.1033.18.894.254 [GMT 8:00]
    .
    AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\agrsmsvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
    C:\Windows\system32\crypserv.exe
    C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    C:\Program Files\Acer\Empowering Technology\Service\ETService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
    C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Cyberlink\Shared files\RichVideo.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\User\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://en.ph.acer.yahoo.com
    uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://au.search.yahoo.com
    uURLSearchHooks: H - No File
    mURLSearchHooks: H - No File
    BHO: AutorunsDisabled - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [EmpoweringTechnology] c:\program files\acer\empowering technology\Framework.Launcher.exe boot
    mRun: [eDataSecurity Loader] c:\program files\acer\empowering technology\edatasecurity\x86\eDSloader.exe
    mRun: [Skytel] Skytel.exe
    mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [a-squared] "c:\program files\emsisoft anti-malware\a2guard.exe" /d=60
    mRun: [Acer Empowering Technology Monitor] c:\program files\acer\empowering technology\SysMonitor.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
    uPolicies-explorer: RestrictRun = 0 (0x0)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-explorer: RestrictRun = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 a2injectiondriver;a2injectiondriver;c:\program files\emsisoft anti-malware\a2dix86.sys [2011-4-7 41928]
    R1 a2util;a-squared Malware-IDS utility driver;c:\program files\emsisoft anti-malware\a2util32.sys [2011-4-7 11776]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-12-27 142592]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-4 16384]
    R2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-4-30 24576]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-7 50424]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-4 131072]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-6-27 66080]
    S2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-4-7 2860800]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-19 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-24 135664]
    S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-12-27 312152]
    S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-4-7 73728]
    S3 RtlProt;RtlProt;c:\windows\system32\drivers\RtlProt.sys [2009-10-6 25896]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-19 753504]
    .
    =============== Created Last 30 ================
    .
    2011-04-09 07:20:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-09 07:20:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-09 07:20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-09 04:09:53 105088 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
    2011-04-09 04:09:53 105088 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
    2011-04-09 04:09:53 105088 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
    2011-04-09 04:09:42 -------- d-----w- c:\windows\system32\SupportAppXL
    2011-04-09 04:09:37 -------- d-----w- c:\program files\SMART BRO
    2011-04-08 18:41:07 6792528 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{fbc80483-db3a-4eaf-be62-abe8b9cb27fd}\mpengine.dll
    2011-04-08 07:47:07 -------- d-s---w- C:\Combo-Fix2206C
    2011-04-07 22:56:02 -------- d-----w- c:\users\user\appdata\local\temp
    2011-04-07 22:55:15 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-04-07 10:06:33 98816 ----a-w- c:\windows\sed.exe
    2011-04-07 10:06:33 89088 ----a-w- c:\windows\MBR.exe
    2011-04-07 10:06:33 256512 ----a-w- c:\windows\PEV.exe
    2011-04-07 10:06:33 161792 ----a-w- c:\windows\SWREG.exe
    2011-04-07 10:06:12 -------- d-----w- C:\Combo-Fix
    2011-04-06 19:24:15 -------- d-----w- c:\program files\Emsisoft Anti-Malware
    2011-04-05 20:02:23 -------- d-----w- c:\users\user\appdata\roaming\LimeWire
    2011-04-05 20:01:00 -------- d-----w- c:\program files\LimeWire
    2011-03-27 16:42:19 -------- d-----w- c:\program files\Ask.com
    2011-03-27 16:41:45 -------- d-----w- c:\program files\Wise Registry Cleaner
    2011-03-27 16:18:39 -------- d-----w- c:\users\user\appdata\local\PackageAware
    2011-03-22 20:00:13 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-22 20:00:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-22 20:00:13 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-15 20:57:53 4 ----a-w- c:\windows\info147.sys
    2011-03-15 20:54:16 -------- d-----w- c:\program files\IZArc
    2011-03-14 22:22:17 3 ----a-w- c:\windows\treeskp.sys
    2011-03-14 22:22:17 3 ----a-w- c:\windows\sbacknt.bin
    2011-03-14 22:19:55 -------- d-----w- c:\users\user\appdata\local\vghd
    .
    ==================== Find3M ====================
    .
    2011-02-02 13:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 10:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-13 08:00:00 80896 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-02-10 11:18:42 2131336 ----a-w- c:\program files\common files\AskToolbarInstaller.exe
    .
    ============= FINISH: 15:26:39.21 ===============
     
  12. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    So far, I don't see much.

    Uninstall Ask Toolbar, known foistware.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  13. meloxicam10

    meloxicam10 Newcomer, in training Topic Starter

    ComboFix 11-04-08.03 - User 04/10/2011 2:43.3.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.63.1033.18.894.528 [GMT 8:00]
    Running from: c:\users\User\Desktop\ComboFix.exe
    AV: Emsisoft Anti-Malware *Disabled/Updated* {0ADC9F7D-20C1-240F-01E2-43466EBA893A}
    SP: Emsisoft Anti-Malware *Disabled/Updated* {B1BD7E99-06FB-2B81-3B52-7834153DC387}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-09 18:50 . 2011-04-09 18:50 -------- d-----w- c:\users\User\AppData\Local\temp
    2011-04-09 18:50 . 2011-04-09 18:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-09 07:20 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-09 07:20 . 2011-04-09 07:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-09 07:20 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-09 04:09 . 2009-10-13 12:09 105088 ----a-w- c:\windows\system32\drivers\ZTEusbnmea.sys
    2011-04-09 04:09 . 2009-10-13 12:09 105088 ----a-w- c:\windows\system32\drivers\ZTEusbmdm6k.sys
    2011-04-09 04:09 . 2009-10-13 12:09 105088 ----a-w- c:\windows\system32\drivers\ZTEusbser6k.sys
    2011-04-09 04:09 . 2011-04-09 04:11 -------- d-----w- c:\windows\system32\SupportAppXL
    2011-04-09 04:09 . 2011-04-09 17:36 -------- d-----w- c:\program files\SMART BRO
    2011-04-08 18:41 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBC80483-DB3A-4EAF-BE62-ABE8B9CB27FD}\mpengine.dll
    2011-04-07 11:40 . 2011-04-07 11:40 -------- d-----w- c:\program files\Common Files\Java
    2011-04-07 10:06 . 2011-04-07 10:40 -------- d-----w- C:\Combo-Fix
    2011-04-06 19:24 . 2011-04-09 15:53 -------- d-----w- c:\program files\Emsisoft Anti-Malware
    2011-04-05 20:02 . 2011-04-09 15:54 -------- d-----w- c:\users\User\AppData\Roaming\LimeWire
    2011-04-05 20:01 . 2011-04-05 20:01 -------- d-----w- c:\program files\LimeWire
    2011-03-27 16:41 . 2011-03-27 16:49 -------- d-----w- c:\program files\Wise Registry Cleaner
    2011-03-27 16:18 . 2011-03-27 16:18 -------- d-----w- c:\users\User\AppData\Local\PackageAware
    2011-03-22 20:00 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-22 20:00 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-22 20:00 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-15 20:57 . 2011-03-15 20:57 4 ----a-w- c:\windows\info147.sys
    2011-03-15 20:54 . 2011-03-15 20:55 -------- d-----w- c:\program files\IZArc
    2011-03-14 22:22 . 2011-03-15 00:45 3 ----a-w- c:\windows\treeskp.sys
    2011-03-14 22:22 . 2011-03-15 00:45 3 ----a-w- c:\windows\sbacknt.bin
    2011-03-14 22:19 . 2011-03-15 21:28 -------- d-----w- c:\users\User\AppData\Local\vghd
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 13:40 . 2010-04-21 00:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 10:11 . 2009-10-10 00:03 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:37 . 2011-02-09 17:19 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-09 17:19 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-09 17:19 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-09 17:19 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-09 17:19 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:08 . 2011-02-09 17:19 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:07 . 2011-02-09 17:19 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-09 17:19 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-09 17:19 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-09 17:19 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-09 17:19 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-09 17:19 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-09 17:19 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-09 17:19 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-09 17:19 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-09 17:19 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-09 17:19 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-09 17:19 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-09 17:19 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-09 17:19 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-09 17:19 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-09 17:19 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-09 17:19 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-09 17:19 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-09 17:19 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-13 08:00 . 2011-02-11 13:26 80896 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-02-10 11:18 . 2010-06-24 09:02 2131336 ----a-w- c:\program files\Common Files\AskToolbarInstaller.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-03-05 06:38 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\windows sidebar\sidebar.exe" [2009-04-11 1233920]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
    "EmpoweringTechnology"="c:\program files\Acer\Empowering Technology\Framework.Launcher.exe" [2008-04-25 319488]
    "eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 526896]
    "Skytel"="Skytel.exe" [2007-11-20 1826816]
    "IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "a-squared"="c:\program files\EMSISOFT ANTI-MALWARE\a2guard.exe" [2011-03-10 3438992]
    "Acer Empowering Technology Monitor"="c:\program files\Acer\Empowering Technology\SysMonitor.exe" [2008-04-25 319488]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]
    .
    c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-11-8 503808]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
    2008-04-07 05:42 34040 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
    2010-06-11 10:14 1280344 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminatorUpdate]
    2010-12-27 01:46 3318784 ----a-w- c:\program files\Spyware Terminator\SpywareTerminatorUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
    "snp2uvc"=c:\windows\vsnp2uvc.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    R1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [2010-09-05 41928]
    R1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [2010-05-05 11776]
    R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2010-12-27 142592]
    R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-04-25 24576]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-24 135664]
    R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-07 50424]
    R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-04 131072]
    R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-02-20 73728]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-27 66080]
    R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [x]
    R3 RtlProt;RtlProt;c:\windows\System32\Drivers\RtlProt.sys [2007-04-23 25896]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\EMSISOFT ANTI-MALWARE\a2service.exe [2011-03-29 2860800]
    R4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [2010-06-11 312152]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-07 c:\windows\Tasks\AWC Startup.job
    - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2011-04-05 05:53]
    .
    2011-04-07 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\Glary Utilities\initialize.exe [2011-03-08 03:28]
    .
    2011-01-12 c:\windows\Tasks\User_Feed_Synchronization-{81FC29B7-D5F5-4C72-B0E4-C8D48262339A}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-09 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://en.ph.acer.yahoo.com
    uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://au.search.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-RunOnce-<NO NAME> - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-10 02:50
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(392)
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    Completion time: 2011-04-10 02:53:58
    ComboFix-quarantined-files.txt 2011-04-09 18:53
    ComboFix2.txt 2011-04-09 18:35
    ComboFix3.txt 2011-04-07 22:56
    .
    Pre-Run: 1,302,425,600 bytes free
    Post-Run: 1,199,312,896 bytes free
    .
    - - End Of File - - 13087A16176C4C506BBCFAED397077D6
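Added example (mine, not ComboFix's or DDS's code, and not part of the original thread) of how a helper could triage a posted ComboFix report like the one above with a script instead of by eye: it parses the "Files Created"/"Find3M" file lines and the Run-key entries into records, then lists new files outside the directories installers normally write to, Run-key entries ComboFix printed with [X] instead of a date and size, and entries that name a bare executable with no path (resolved by search order at logon). The SAMPLE_LOG lines are copied from the log posted in this thread; the STANDARD_ROOTS directory list is my assumption and the filters are review heuristics, not verdicts.

```python
"""Triage a ComboFix/DDS-style log (added example, not ComboFix's own code).
SAMPLE_LOG lines are copied from the thread; STANDARD_ROOTS is an assumption."""
import re
from collections import Counter

# ComboFix file line: "<created> . <modified> <size|--------> <attrs> <path>"
# A DDS 'Created Last 30' line has no " . <modified>" part; both forms match.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>\d+|-+)"
    r" (?P<attrs>[-a-z]{8})"
    r" (?P<path>[A-Za-z]:\\.+)$"
)
# Run-key entry:  "Name"="command" [date size]   or   "Name"="command" [X]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<command>[^"]*)" \[(?P<info>[^\]]*)\]$')

# Where installers normally write; anything else goes on the review list (assumption).
STANDARD_ROOTS = ("c:\\program files\\", "c:\\windows\\system32\\",
                  "c:\\users\\", "c:\\programdata\\")

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-03-09 to 2011-04-09 )))))))))))))))))))))))))))))))
.
2011-04-09 07:20 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 07:20 . 2011-04-09 07:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-07 10:06 . 2011-04-07 10:40 -------- d-----w- C:\Combo-Fix
2011-03-15 20:57 . 2011-03-15 20:57 4 ----a-w- c:\windows\info147.sys
2011-03-14 22:22 . 2011-03-15 00:45 3 ----a-w- c:\windows\treeskp.sys
2011-03-14 22:19 . 2011-03-15 21:28 -------- d-----w- c:\users\User\AppData\Local\vghd
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\windows sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 5369856]
"a-squared"="c:\program files\EMSISOFT ANTI-MALWARE\a2guard.exe" [2011-03-10 3438992]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"""


def parse_combofix(text):
    """Return (files, autostart): file records and Run-key entries with their key."""
    files, autostart, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[HKEY_") and line.endswith("]"):
            key = line[1:-1]            # entries that follow belong to this key
            continue
        m = FILE_LINE.match(line)
        if m:
            files.append({
                "created": m["created"],
                "modified": m["modified"],        # None for DDS-style lines
                "is_dir": m["attrs"].startswith("d"),
                "size": None if m["size"].startswith("-") else int(m["size"]),
                "path": m["path"],
            })
            continue
        m = RUN_LINE.match(line)
        if m and key:
            autostart.append({"key": key, "name": m["name"],
                              "command": m["command"], "info": m["info"]})
    return files, autostart


def outside_standard_dirs(files):
    """Paths not under STANDARD_ROOTS: a list to eyeball, not a verdict."""
    return [f["path"] for f in files
            if not f["path"].lower().startswith(STANDARD_ROOTS)]


def unverified_autostarts(autostart):
    """Entries where ComboFix printed [X] instead of the target's date and size."""
    return [a for a in autostart if a["info"] == "X"]


def bare_name_autostarts(autostart):
    """Entries whose command has no directory, so the binary is found by search
    order at logon; confirm which file that actually is."""
    return [a for a in autostart if "\\" not in a["command"]]


def files_by_top_dir(files):
    """Count new files per drive-root directory (e.g. c:\\windows) to spot clusters."""
    counts = Counter()
    for f in files:
        parts = f["path"].lower().split("\\")
        counts["\\".join(parts[:2])] += 1
    return counts


if __name__ == "__main__":
    files, autostart = parse_combofix(SAMPLE_LOG)
    print("new files per directory:", dict(files_by_top_dir(files)))
    print("outside standard dirs:", outside_standard_dirs(files))
    print("unverified autostarts:", [a["name"] for a in unverified_autostarts(autostart)])
    print("bare-name autostarts:", [a["name"] for a in bare_name_autostarts(autostart)])
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents. The review lists are a starting point for the kind of judgement Broni applies above: a hit means "look at this entry", not "this is malware".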
  14. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Looks clean too.

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =====================================================================

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  15. meloxicam10

    meloxicam10 Newcomer, in training Topic Starter

    Hi! Based on your observation, can you tell me the cause of why my PC seems to be running sluggish after some time (if not because of malware)? Physical memory is spiking high; before, it was not.

    Also, I just wanted to ask if there is any anti-virus/spyware program I need to uninstall because it is not applicable or may interfere with other programs of the same category. And after all the fixes, should I delete all the programs you asked me to download, or shall I leave some of them because they can be useful for me in the future? Thanks in advance.
  16. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Yes, you can simply delete all of those programs, except for MBAM, which you should run once in a while.

    How much RAM do you have?
  17. meloxicam10

    meloxicam10 Newcomer, in training Topic Starter

    ESET log:

    C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VM2UV5LW\main[1].htm HTML/ScrInject.B.Gen virus

    About my RAM, it's 1GB... Anyway, if there are no serious threats on my system, that's good news. I might have removed it earlier when I tried to do manual cleaning; I wasn't sure I got rid of everything... Also, I previously downloaded a combofix.exe before you asked me to download it again, and I find it hard to remove some of its contents, especially a folder under Qoobox. It's always "access denied". I can't find uninstall... Thanks a lot.
  18. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    To remove Qoobox folder....

    Download, and install Unlocker: http://cedrick.collomb.perso.sfr.fr/unlocker/
    Restart computer.
    It'll install under right click menu.

    Open Windows Explorer.
    Navigate to offending folder/file.

    Right click on a folder/file. Click Unlocker
    Select Delete from drop-down menu:

    [​IMG]

    Click OK.
    A folder/file will refuse to be deleted, but Unlocker will give you an option to delete on reboot:

    [​IMG]

    Click Yes.
    Restart computer.

    ==============================================================

    If the above doesn't work, try...

    LockHunter: http://lockhunter.com/

    FileASSASSIN: http://www.snapfiles.com/get/fileassassin.html


    Other than that, all looks clean.
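The "delete on reboot" option Unlocker offers above relies on a standard Windows mechanism: the operation is queued in the PendingFileRenameOperations registry value, and the Session Manager carries it out at the next boot before the file or folder is locked again. Added example (mine, not Unlocker's code, and not part of the original thread) in Python showing that mechanism: how the queue is encoded, how to read what a machine currently has queued (a useful incident-response check, since cleaners and malware alike use it to remove files that are locked or protected while Windows runs), and how to queue a path the same way via MoveFileExW. The sample queue contents are constructed; the registry and API calls only run on Windows and need an elevated prompt.

```python
r"""Delete-on-reboot via PendingFileRenameOperations (added example; not Unlocker's code).

Windows keeps a REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
holding pairs of strings: an NT-form source path ("\??\C:\...") followed by a
destination path, or an empty string meaning delete.  A destination starting
with "!" means replace an existing file.  The Session Manager applies the list
early at boot, which is why a folder such as C:\Qoobox goes away on restart.
"""
import ctypes
import sys

NT_PREFIX = "\\??\\"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_delete(path):
    """The pair of strings that queues `path` for deletion at next boot."""
    return [NT_PREFIX + path, ""]


def decode_pending(entries):
    """Turn the raw multi-string into (operation, source, destination) tuples."""
    items = list(entries)
    if len(items) % 2 == 1 and items[-1] == "":
        items.pop()  # trailing empty element from the REG_MULTI_SZ terminator
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", _strip_nt(src), _strip_nt(dst[1:])))
        else:
            ops.append(("rename", _strip_nt(src), _strip_nt(dst)))
    return ops


def read_pending():
    """Decoded queue from the registry (Windows only; [] if the value is absent)."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations exists only on Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as k:
        try:
            value, _ = winreg.QueryValueEx(k, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return decode_pending(value)


def schedule_delete_on_reboot(path):
    """Queue `path` the way Unlocker's option does: MoveFileExW with no destination
    and MOVEFILE_DELAY_UNTIL_REBOOT.  Writes HKLM, so it needs an elevated prompt.
    A directory is removed at boot only if it is empty, so queue its contents first."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is a Windows API")
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()
    return True


if __name__ == "__main__":
    # Constructed queue, as it might look after queuing a locked folder for deletion
    # next to a pending DLL replacement from an installer:
    sample = ["\\??\\C:\\Qoobox", "",
              "\\??\\C:\\Windows\\Temp\\new.dll", "!\\??\\C:\\Windows\\System32\\x.dll"]
    for op in decode_pending(sample):
        print(op)
```

On a live machine, `read_pending()` before a reboot shows exactly what will be deleted or replaced at boot; anything there that you did not queue yourself deserves a look, because the operation runs before most protections load.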
     
  19. meloxicam10

    meloxicam10 Newcomer, in training Topic Starter

    Hey! I've completed the instructions. Somehow, my PC performance became snappy. I think I'm done now. Thank you very much for the tips; they were really helpful. Thanks again!
  20. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Way to go!! [​IMG]
    Good luck and stay safe :)