TechSpot

Redirect and pop ups virus

Inactive
By oolong
Aug 20, 2011
  1. Hi everyone,

    I have followed the virus and malware removal steps and here are the logs. Before doing the steps I tried to remove it just using Avast and Malwarebytes. It appeared to work for about 24 hours but the pop ups and redirects returned and there was a keyboard error. The most common pop up is a window that says "Auto-Protect Results".

    Malwarebytes Log

    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7502

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/18/2011 8:44:25 PM
    mbam-log-2011-08-18 (20-44-25).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 430250
    Time elapsed: 1 hour(s), 10 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Gmer Log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-08-19 18:47:04
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3808110AS rev.3.ADH
    Running: 70xkr9w0.exe; Driver: C:\DOCUME~1\ADMINI~1.334\LOCALS~1\Temp\pwtdrpob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA9315202]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA937BD8C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA93396C1]
    SSDT 8780E708 ZwConnectPort
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA93177F0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA9317848]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA931795E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA9339075]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA9317746]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA9317898]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA931779A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA931790C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA9315226]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA9339D87]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA933A03D]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA9317BE2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA9339BF2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA9339A5D]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA937BE3C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA9314FF0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA931524A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA9317D56]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA9315CDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA9317820]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA9317870]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA9317988]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA93393D1]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA9317772]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA9317A1A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA93178D8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA93177C8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA9317AFE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA9317936]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA937BED4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA93398D8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA9315BA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA933972A]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA938410E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA93386E8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA931526E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA9315292]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA931504A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA9315186]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA9339E8E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA9315162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA93151AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA93152B6]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9391398]
    Code A89ECBDE IoReportHalResourceUsage
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2DC0 8050465C 5 Bytes [D1, 93, 33, A9, 72]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2DC6 80504662 2 Bytes [31, A9]
    .text ntkrnlpa.exe!ZwCallbackReturn + 2F14 805047B0 4 Bytes [E8, 86, 33, A9]
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64A8 4 Bytes CALL A9316335 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC556 5 Bytes JMP A938CD4C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805C2FDA 5 Bytes JMP A938E7F2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D117A 7 Bytes JMP A939139C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9B31F80]
    .text win32k.sys!EngFreeUserMem + 674 BF809962 5 Bytes JMP A9318CA2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSurface + 45 BF813956 5 Bytes JMP A9318BAE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngSetLastError + 79A8 BF824309 5 Bytes JMP A9317F34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateBitmap + F9C BF828C73 5 Bytes JMP A9318E0C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngUnmapFontFileFD + 2C50 BF8316BE 5 Bytes JMP A9319014 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngUnmapFontFileFD + B68E BF83A0FC 5 Bytes JMP A9318B1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!FONTOBJ_pxoGetXform + 84ED BF8519C5 5 Bytes JMP A9317E70 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E554 5 Bytes JMP A9318180 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 360C BF85E5DF 5 Bytes JMP A9318326 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreatePalette + 88 BF85F852 5 Bytes JMP A9317E58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreatePalette + 5454 BF864C1E 5 Bytes JMP A9318BD8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetCurrentCodePage + 411E BF873F63 5 Bytes JMP A93182FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGradientFill + 26EE BF8947C0 5 Bytes JMP A9318D54 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngStretchBltROP + 583 BF895298 5 Bytes JMP A9318F72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCopyBits + 4DEC BF89DBD8 5 Bytes JMP A9317FA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngEraseSurface + A9E0 BF8C2150 5 Bytes JMP A931803E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 1517 BF8CA5B2 5 Bytes JMP A93180AE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 1797 BF8CA832 5 Bytes JMP A93180E8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSemaphore + 3B3E BF8EC2A7 5 Bytes JMP A9317D8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 19DF BF9133E5 5 Bytes JMP A9317EF0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 25B3 BF913FB9 5 Bytes JMP A9318008 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 4F12 BF916918 5 Bytes JMP A9318440 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngPlgBlt + 18FC BF94638A 5 Bytes JMP A9318ECA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[280] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[280] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[280] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\Explorer.EXE[468] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\Explorer.EXE[468] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\Explorer.EXE[468] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
    .text C:\WINDOWS\Explorer.EXE[468] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\Explorer.EXE[468] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
    .text C:\WINDOWS\Explorer.EXE[468] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\Explorer.EXE[468] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
    .text C:\WINDOWS\System32\smss.exe[668] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[740] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[764] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8
    .text C:\WINDOWS\system32\winlogon.exe[764] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[764] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC
    .text C:\WINDOWS\system32\winlogon.exe[764] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\winlogon.exe[764] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\winlogon.exe[764] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\winlogon.exe[764] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\winlogon.exe[764] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\winlogon.exe[764] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\winlogon.exe[764] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\services.exe[808] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\services.exe[808] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[808] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\services.exe[808] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\services.exe[808] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\services.exe[808] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\services.exe[808] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\services.exe[808] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\services.exe[808] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\services.exe[808] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[820] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\lsass.exe[820] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\lsass.exe[820] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\lsass.exe[820] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\lsass.exe[820] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\lsass.exe[820] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\lsass.exe[820] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\lsass.exe[820] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1012] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1012] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1012] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1012] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1024] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1116] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1116] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1116] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1116] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\svchost.exe[1212] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\svchost.exe[1212] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\svchost.exe[1212] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\svchost.exe[1212] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\svchost.exe[1212] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\System32\svchost.exe[1212] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\svchost.exe[1212] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1256] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1256] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\WINDOWS\system32\hkcmd.exe[1272] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\hkcmd.exe[1272] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\hkcmd.exe[1272] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\hkcmd.exe[1272] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\hkcmd.exe[1272] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\hkcmd.exe[1272] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text
     
  2. oolong

    oolong TS Rookie Topic Starter

    Malwarebytes Log pt. 2

    C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\hkcmd.exe[1272] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Symantec AntiVirus\SavRoam.exe[1332] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\WINDOWS\system32\igfxpers.exe[1344] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\igfxpers.exe[1344] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\WINDOWS\system32\igfxpers.exe[1344] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\WINDOWS\system32\igfxpers.exe[1344] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\WINDOWS\system32\igfxpers.exe[1344] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\WINDOWS\system32\igfxpers.exe[1344] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\WINDOWS\system32\igfxpers.exe[1344] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1352] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1352] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1352] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1352] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
    .text C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe[1400] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E1014
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E0804
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0A08
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E0C0C
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0E10
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E01F8
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E0600
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8
    .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1416] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC
    .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1476] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1476] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1476] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1476] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Sharp\Sharpdesk\Indexer.exe[1488] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8
    .text C:\Program Files\Java\jre6\bin\jusched.exe[1564] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[1580] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1584] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[1584] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[1584] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[1584] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[1584] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[1584] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[1584] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[1584] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D1014
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D0804
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0A08
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D0C0C
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0E10
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D01F8
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D03FC
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D0600
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003E0804
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003E0A08
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003E0600
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003E01F8
    .text C:\WINDOWS\System32\DLA\DLACTRLW.EXE[1740] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003E03FC
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
    .text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[1760] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
    .text
    C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\PROGRA~1\SYMANT~1\VPTray.exe[1800] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\spoolsv.exe[1808] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text
     
  3. oolong

    oolong TS Rookie Topic Starter

    Malwarebytes Log pt. 3

    C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\spoolsv.exe[1808] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\spoolsv.exe[1808] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\spoolsv.exe[1808] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\spoolsv.exe[1808] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\spoolsv.exe[1808] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\spoolsv.exe[1808] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\rundll32.exe[1836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\rundll32.exe[1836] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\rundll32.exe[1836] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\rundll32.exe[1836] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\rundll32.exe[1836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\rundll32.exe[1836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\rundll32.exe[1836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\rundll32.exe[1836] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\rundll32.exe[1836] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\rundll32.exe[1836] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe[1856] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Sharp\Sharpdesk\IndexTray.exe[1880] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe[1976] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000801F8
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000803FC
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002D1014
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002D0804
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002D0A08
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002D0C0C
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002D0E10
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002D01F8
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002D03FC
    .text C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe[2000] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002D0600
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Sharp\Sharpdesk\SharpTray.exe[2072] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe[2076] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
    .text C:\Program Files\Sharp\Sharpdesk\FtpServer.exe[2164] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
    .text C:\Program Files\iTunes\iTunesHelper.exe[2396] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text
     
  4. oolong

    oolong TS Rookie Topic Starter

    Malwarebytes Log pt. 4

    C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\Program Files\Symantec AntiVirus\Rtvscan.exe[2448] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\iPod\bin\iPodService.exe[2712] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Sharp\Sharpdesk\nsapp.exe[2752] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[2760] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[2760] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[2788] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\system32\svchost.exe[2788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[2788] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\system32\svchost.exe[2788] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\system32\svchost.exe[2788] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600
    .text C:\WINDOWS\system32\svchost.exe[2788] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\svchost.exe[2788] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\svchost.exe[2788] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\svchost.exe[2788] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\svchost.exe[2788] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003E1014
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003E0804
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003E0A08
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003E0C0C
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003E0E10
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003E01F8
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003E03FC
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003E0600
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F0804
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0A08
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F0600
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F01F8
    .text C:\Documents and Settings\Administrator.334L5B1\My Documents\Downloads\70xkr9w0.exe[2812] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F03FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2880] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2972] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
    .text C:\WINDOWS\system32\ctfmon.exe[2992] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\ctfmon.exe[2992] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\ctfmon.exe[2992] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\ctfmon.exe[2992] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\ctfmon.exe[2992] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\ctfmon.exe[2992] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\ctfmon.exe[2992] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 009C1014
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 009C0804
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 009C0A08
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 009C0C0C
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 009C0E10
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 009C01F8
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 009C03FC
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 009C0600
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 009D0804
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 009D0A08
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 009D0600
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 009D01F8
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3132] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 009D03FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text
     
  5. oolong

    oolong TS Rookie Topic Starter

    Malwarebytes Log pt. 5 - Final

    C:\Program Files\Bonjour\mDNSResponder.exe[3156] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[3156] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
    .text C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe[3268] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
    .text C:\WINDOWS\System32\alg.exe[3372] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8
    .text C:\WINDOWS\System32\alg.exe[3372] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\alg.exe[3372] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC
    .text C:\WINDOWS\System32\alg.exe[3372] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\alg.exe[3372] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804
    .text C:\WINDOWS\System32\alg.exe[3372] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08
    .text C:\WINDOWS\System32\alg.exe[3372] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600
    .text C:\WINDOWS\System32\alg.exe[3372] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8
    .text C:\WINDOWS\System32\alg.exe[3372] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\System32\alg.exe[3372] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\Program Files\Symantec AntiVirus\DefWatch.exe[3488] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC
    .text C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe[3716] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[3724] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3836] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC
    .text C:\WINDOWS\system32\wuauclt.exe[3836] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600
    .text C:\WINDOWS\system32\wuauclt.exe[3836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804
    .text C:\WINDOWS\system32\wuauclt.exe[3836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08
    .text C:\WINDOWS\system32\wuauclt.exe[3836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600
    .text C:\WINDOWS\system32\wuauclt.exe[3836] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8
    .text C:\WINDOWS\system32\wuauclt.exe[3836] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[3888] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005E0002
    IAT C:\WINDOWS\system32\services.exe[808] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005E0000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device A751FD20

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB53424$\1462823483 0 bytes
    File C:\WINDOWS\$NtUninstallKB53424$\1928617403 0 bytes
    File C:\WINDOWS\$NtUninstallKB53424$\1928617403\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB53424$\1928617403\U 0 bytes

    ---- EOF - GMER 1.0.15 ----
     
  6. oolong

    oolong TS Rookie Topic Starter

    DDS Log

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 7:53:52 on 2011-08-20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.944 [GMT -4:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe
    C:\Program Files\Sharp\Sharpdesk\IndexTray.exe
    C:\Program Files\Sharp\Sharpdesk\Indexer.exe
    C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    C:\PROGRA~1\Sharp\SHARPD~1\Indexer.exe
    C:\Program Files\Sharp\Sharpdesk\FtpServer.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sharp\Sharpdesk\nsapp.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Reel Logix\Reel Production Calendar\pcrem.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\OFFICE11\excel.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Brother\BRAdmin Professional 3\stacheck.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    uInternet Settings,ProxyOverride = 127.0.0.*;192.168.5.*
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [dxpoMJVpjtWVDrK] c:\documents and settings\all users\application data\dxpoMJVpjtWVDrK.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_Plugin.exe -update plugin
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 5.0\SetHook.exe
    mRun: [DellNSCST_GRNCH] "c:\program files\dell\dell laser mfp 1815\networkscan\DNSCST.exe" /HIDEUI
    mRun: [IndexTray] "c:\program files\sharp\sharpdesk\IndexTray.exe"
    mRun: [Indexer] "c:\program files\sharp\sharpdesk\Indexer.exe"
    mRun: [SharpTray] "c:\program files\sharp\sharpdesk\SharpTray.exe"
    mRun: [TypeRegChecker] "c:\program files\sharp\sharpdesk\TypeRegChecker.exe"
    mRun: [FtpServer.exe] "c:\program files\sharp\sharpdesk\FtpServer.exe" -usedefault
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/0/5/7/05796dde-b2ba-4eef-8da4-f99c7e0c9b92/LegitCheckControl.cab
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208898879951
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://blacks.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
    Handler: sds - {79E0F14C-9C52-4218-89A7-7C4B0563D121} - c:\program files\sharp\sharpdesk\ExplorerExtensions.dll
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator.334l5b1\application data\mozilla\firefox\profiles\wq9bjqlg.default\
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: XULRunner: {6BAD45BA-C2B0-4543-BF09-4F32CE6C6984} - c:\documents and settings\administrator.334l5b1\local settings\application data\{6BAD45BA-C2B0-4543-BF09-4F32CE6C6984}
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-8-12 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-8-12 309848]
    R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
    R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-8-12 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-8-12 42184]
    R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\brother\bradmin professional 3\bratimer.exe [2010-9-29 65536]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-12 366640]
    R2 pcremservice;pcrem service;c:\program files\reel logix\reel production calendar\pcrem.exe [2006-8-1 102400]
    R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
    R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-12 22712]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110819.007\naveng.sys [2011-8-19 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110819.007\navex15.sys [2011-8-19 1576312]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
    S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    .
    =============== File Associations ===============
    .
    .txt=
    .
    =============== Created Last 30 ================
    .
    2011-08-12 21:39:16 -------- d-----w- c:\documents and settings\administrator.334l5b1\application data\Malwarebytes
    2011-08-12 21:38:31 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-12 21:38:29 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-08-12 21:38:23 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-12 21:38:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-12 18:16:41 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-12 18:16:21 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-12 18:16:04 -------- d-----w- c:\program files\AVAST Software
    2011-08-12 18:16:04 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
    2011-08-12 02:08:41 65536 --sha-r- c:\windows\system32\imm32S.dll
    2011-08-12 02:00:25 0 ----a-w- c:\windows\Bgocazoza.bin
    2011-08-12 02:00:23 -------- d-----w- c:\documents and settings\administrator.334l5b1\local settings\application data\{6BAD45BA-C2B0-4543-BF09-4F32CE6C6984}
    2011-08-12 01:58:39 0 ----a-w- c:\documents and settings\all users\application data\dxpoMJVpjtWVDrK.exe
    2011-08-10 22:50:00 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 22:49:41 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-09 21:43:00 -------- d-----w- c:\documents and settings\administrator.334l5b1\local settings\application data\Apple
    2011-08-09 05:44:04 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a34d17a4-68a9-48d1-a022-4ff79986c52f}\mpengine.dll
    2011-08-01 18:31:48 -------- d-----r- c:\documents and settings\administrator.334l5b1\application data\Brother
    2011-08-01 18:30:29 -------- d-----w- c:\documents and settings\administrator.334l5b1\application data\Xerox
    2011-08-01 18:29:27 -------- d-----w- c:\documents and settings\all users\application data\Xerox
    2011-07-25 19:48:36 -------- d-----w- c:\documents and settings\administrator.334l5b1\local settings\application data\PowerDVD
    2011-07-25 15:20:57 -------- d-----w- c:\documents and settings\administrator.334l5b1\local settings\application data\Adobe
    2011-07-25 14:53:18 -------- d-----w- c:\documents and settings\administrator.334l5b1\local settings\application data\Mozilla
    2011-07-21 17:57:02 -------- d-sh--w- c:\documents and settings\administrator.334l5b1\IECompatCache
    2011-07-21 17:56:45 -------- d-sh--w- c:\documents and settings\administrator.334l5b1\PrivacIE
    2011-07-21 15:50:39 105472 ------w- c:\windows\system32\dllcache\mup.sys
    .
    ==================== Find3M ====================
    .
    2011-07-21 17:59:00 6144 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\xpdprint.dll
    2011-07-21 17:59:00 45568 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\xpdpp.dll
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-08 14:02:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10:36 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
    2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02:05 1858944 ------w- c:\windows\system32\win32k.sys
    2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    ============= FINISH: 7:55:37.64 ===============
     
  7. oolong

    oolong TS Rookie Topic Starter

    DDS Attach.txt Log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/22/2006 2:24:53 PM
    System Uptime: 8/18/2011 6:27:02 PM (37 hours ago)
    .
    Motherboard: Dell Inc. | | 0PJ149
    Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Microprocessor | 3391/800mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 74 GiB total, 46.527 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom NetXtreme 57xx Gigabit Controller
    Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01AD1028&REV_01\4&117729E2&0&00E0
    Manufacturer: Broadcom
    Name: Broadcom NetXtreme 57xx Gigabit Controller
    PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_01AD1028&REV_01\4&117729E2&0&00E0
    Service: b57w2k
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    Add or Remove Adobe Creative Suite 3 Master Collection
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Contribute CS3
    Adobe Default Language CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Viewer CS3
    Adobe PDF Library Files
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    Bonjour
    BRAdmin Professional 3
    Broadcom Advanced Control Suite
    Brother HL-5250DN
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Laser MFP 1815 Software Uninstall
    Dell Software Uninstall
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 11
    LiveUpdate 2.6 (Symantec Corporation)
    Malwarebytes' Anti-Malware version 1.51.1.1800
    McAfee Security Scan Plus
    MediaFACE 5.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Small Business Edition 2003
    Microsoft Outlook Personal Folders Backup
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MobileMe Control Panel
    Mozilla Firefox (3.6.20)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nero Media Player
    Nero OEM
    NeroVision Express 2
    Pdf995
    PowerDVD 5.7
    QuickTime
    RealPlayer
    Recuva
    Reel Production Calendar
    Roxio DLA
    Roxio Express Labeler
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SHARP AR-C260 Series PCL5c Printer Driver
    Sharpdesk
    Symantec AntiVirus
    Uninstall Dell PC Fax
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    WebFldrs XP
    Windows Defender
    Windows Defender Signatures
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/19/2011 9:42:19 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    8/18/2011 12:55:20 PM, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
    8/18/2011 12:55:20 PM, error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the file specified.
    8/15/2011 8:32:39 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_39049d00\MFC80U.DLL. Reference error message: The operation completed successfully. .
    8/15/2011 2:52:19 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
    8/15/2011 2:52:19 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
    8/14/2011 5:29:25 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer HOMER-2 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7F888D50-C472-4A80-8. The master browser is stopping or an election is being forced.
    .
    ==== End Of File ===========================
     
  8. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    You're running two AV programs, Avast and Norton.
    One of them has to go.
    If Norton, make sure to use this tool to remove it: http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    =====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start scan:
    [​IMG]

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:
    [​IMG]

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. oolong

    oolong TS Rookie Topic Starter

    aswMBR and combofix files

    aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
    Run date: 2011-08-22 20:16:29
    -----------------------------
    20:16:29.078 OS Version: Windows 5.1.2600 Service Pack 3
    20:16:29.078 Number of processors: 2 586 0x40A
    20:16:29.078 ComputerName: 334L5B1 UserName:
    20:16:30.234 Initialize success
    20:16:30.437 AVAST engine defs: 11082201
    20:16:53.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
    20:16:53.546 Disk 0 Vendor: ST3808110AS 3.ADH Size: 76293MB BusType: 3
    20:16:55.562 Disk 0 MBR read successfully
    20:16:55.562 Disk 0 MBR scan
    20:16:55.562 Disk 0 Windows XP default MBR code
    20:16:55.578 Disk 0 scanning sectors +156232125
    20:16:55.671 Disk 0 scanning C:\WINDOWS\system32\drivers
    20:17:08.046 Service scanning
    20:17:08.328 Service .mrxsmb \* **LOCKED** 123
    20:17:09.234 Modules scanning
    20:17:15.078 Disk 0 trace - called modules:
    20:17:15.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
    20:17:15.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8f9ab8]
    20:17:15.109 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a8c3940]
    20:17:15.625 AVAST engine scan C:\WINDOWS
    20:17:36.312 AVAST engine scan C:\WINDOWS\system32
    20:19:25.312 AVAST engine scan C:\WINDOWS\system32\drivers
    20:19:37.734 AVAST engine scan C:\Documents and Settings\Administrator.334L5B1
    20:23:35.343 AVAST engine scan C:\Documents and Settings\All Users
    20:24:22.046 Scan finished successfully
    20:26:06.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator.334L5B1\Desktop\MBR.dat"
    20:26:06.093 The log file has been saved successfully to "C:\Documents and Settings\Administrator.334L5B1\Desktop\aswMBR.txt"


    ComboFix 11-08-22.04 - Administrator 08/22/2011 20:54:45.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1599 [GMT -4:00]
    Running from: c:\documents and settings\Administrator.334L5B1\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator.334L5B1\Application Data\Adobe\plugs
    c:\documents and settings\Administrator.334L5B1\Application Data\Adobe\shed
    c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\{6BAD45BA-C2B0-4543-BF09-4F32CE6C6984}
    c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\{6BAD45BA-C2B0-4543-BF09-4F32CE6C6984}\chrome.manifest
    c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\{6BAD45BA-C2B0-4543-BF09-4F32CE6C6984}\chrome\content\_cfg.js
    c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\{6BAD45BA-C2B0-4543-BF09-4F32CE6C6984}\chrome\content\overlay.xul
    c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\{6BAD45BA-C2B0-4543-BF09-4F32CE6C6984}\install.rdf
    c:\windows\$NtUninstallKB53424$
    c:\windows\$NtUninstallKB53424$\1462823483
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_USNJSVC
    -------\Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-23 to 2011-08-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-16 22:03 . 2011-08-16 22:03 -------- d-----w- c:\program files\Apple Software Update
    2011-08-12 21:39 . 2011-08-12 21:39 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-12 21:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-12 18:16 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-12 18:16 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-12 18:16 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-12 18:16 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-12 18:16 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-12 18:16 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-12 18:16 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-12 18:16 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-12 18:16 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-12 18:16 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\program files\AVAST Software
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-12 02:08 . 2011-08-12 02:08 65536 --sha-r- c:\windows\system32\imm32S.dll
    2011-08-12 02:00 . 2011-08-12 16:38 0 ----a-w- c:\windows\Bgocazoza.bin
    2011-08-12 01:58 . 2011-08-12 01:58 0 ----a-w- c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe
    2011-08-11 21:53 . 2011-08-11 21:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-08-10 22:50 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 22:49 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-09 21:43 . 2011-08-09 21:43 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Apple
    2011-08-09 05:44 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A34D17A4-68A9-48D1-A022-4FF79986C52F}\mpengine.dll
    2011-08-01 18:31 . 2011-08-01 18:31 -------- d-----r- c:\documents and settings\Administrator.334L5B1\Application Data\Brother
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Leadertech
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Xerox
    2011-08-01 18:29 . 2011-08-01 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Xerox
    2011-07-25 19:48 . 2011-07-25 19:48 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\CyberLink
    2011-07-25 19:48 . 2011-07-25 21:35 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\PowerDVD
    2011-07-25 16:45 . 2011-07-25 16:45 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\AdobeUM
    2011-07-25 15:20 . 2011-07-25 16:00 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Adobe
    2011-07-25 14:53 . 2011-07-25 14:53 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Mozilla
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-21 17:59 . 2007-06-29 16:14 6144 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdprint.dll
    2011-07-21 17:59 . 2007-06-29 16:14 45568 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdpp.dll
    2011-07-15 13:29 . 2006-06-15 05:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-13 03:39 . 2006-06-22 18:44 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2011-07-08 14:02 . 2004-08-11 22:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2004-08-11 22:11 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-11 22:00 1858944 ------w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    "dxpoMJVpjtWVDrK"="c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe" [2011-08-12 0]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 136600]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
    "DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-05 278528]
    "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2005-11-06 106496]
    "Indexer"="c:\program files\Sharp\Sharpdesk\Indexer.exe" [2005-11-06 184320]
    "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2005-11-06 32768]
    "TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2005-11-06 57344]
    "FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2005-11-06 688128]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-08 185896]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SHARP\\Sharpdesk\\FTPServer.exe"=
    "c:\\Program Files\\DELL\\Dell Laser MFP 1815\\NetworkScan\\DNSCST.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/12/2011 2:16 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/12/2011 2:16 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2011 2:16 PM 19544]
    R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [9/29/2010 5:35 PM 65536]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2011 5:38 PM 366640]
    R2 pcremservice;pcrem service;c:\program files\Reel Logix\Reel Production Calendar\pcrem.exe [8/1/2006 6:42 PM 102400]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    R3 EraserUtilDrv11113;EraserUtilDrv11113;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11113.sys [8/21/2011 11:07 PM 105592]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2011 5:38 PM 22712]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-08-22 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    2011-08-23 c:\windows\Tasks\User_Feed_Synchronization-{56742945-839F-40E6-9F7F-6F28D8A7FD7E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-23 c:\windows\Tasks\User_Feed_Synchronization-{78E10CCB-4F9E-4D81-83FD-D6B48110994D}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-23 c:\windows\Tasks\User_Feed_Synchronization-{B12684D6-771C-4CDE-8FCD-845C8C7AF04E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    uInternet Settings,ProxyOverride = 127.0.0.*;192.168.5.*
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.4.4 66.207.192.6 8.8.8.8
    FF - ProfilePath - c:\documents and settings\Administrator.334L5B1\Application Data\Mozilla\Firefox\Profiles\wq9bjqlg.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    .
    .
    ------- File Associations -------
    .
    .txt=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-22 21:27
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.mrxsmb]
    "ImagePath"="\*"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    .
    [HKEY_USERS\S-1-5-21-1239438457-1103471365-1085181089-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3024)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Symantec AntiVirus\DefWatch.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\progra~1\Sharp\SHARPD~1\Indexer.exe
    c:\program files\Sharp\Sharpdesk\nsapp.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-22 21:35:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-23 01:34
    .
    Pre-Run: 49,930,326,016 bytes free
    Post-Run: 51,739,123,712 bytes free
    .
    - - End Of File - - AC284DBF9B519FABEDC4C43C15DD8E4A
     
  10. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    You didn't allow recovery console installation because?
     
  11. oolong

    oolong TS Rookie Topic Starter

    Sorry thought that would turn back on my system restore. I've run it again here's the new log.

    ComboFix 11-08-23.03 - Administrator 08/23/2011 15:35:43.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1311 [GMT -4:00]
    Running from: c:\documents and settings\Administrator.334L5B1\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-23 to 2011-08-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-16 22:03 . 2011-08-16 22:03 -------- d-----w- c:\program files\Apple Software Update
    2011-08-12 21:39 . 2011-08-12 21:39 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-12 21:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-12 18:16 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-12 18:16 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-12 18:16 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-12 18:16 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-12 18:16 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-12 18:16 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-12 18:16 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-12 18:16 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-12 18:16 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-12 18:16 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\program files\AVAST Software
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-12 02:08 . 2011-08-12 02:08 65536 --sha-r- c:\windows\system32\imm32S.dll
    2011-08-12 02:00 . 2011-08-12 16:38 0 ----a-w- c:\windows\Bgocazoza.bin
    2011-08-12 01:58 . 2011-08-12 01:58 0 ----a-w- c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe
    2011-08-11 21:53 . 2011-08-11 21:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-08-10 22:50 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 22:49 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-09 21:43 . 2011-08-09 21:43 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Apple
    2011-08-09 05:44 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A34D17A4-68A9-48D1-A022-4FF79986C52F}\mpengine.dll
    2011-08-01 18:31 . 2011-08-01 18:31 -------- d-----r- c:\documents and settings\Administrator.334L5B1\Application Data\Brother
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Leadertech
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Xerox
    2011-08-01 18:29 . 2011-08-01 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Xerox
    2011-07-25 19:48 . 2011-07-25 19:48 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\CyberLink
    2011-07-25 19:48 . 2011-07-25 21:35 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\PowerDVD
    2011-07-25 16:45 . 2011-07-25 16:45 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\AdobeUM
    2011-07-25 15:20 . 2011-07-25 16:00 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Adobe
    2011-07-25 14:53 . 2011-07-25 14:53 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Mozilla
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-21 17:59 . 2007-06-29 16:14 6144 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdprint.dll
    2011-07-21 17:59 . 2007-06-29 16:14 45568 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdpp.dll
    2011-07-15 13:29 . 2006-06-15 05:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-13 03:39 . 2006-06-22 18:44 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2011-07-08 14:02 . 2004-08-11 22:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2004-08-11 22:11 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-11 22:00 1858944 ------w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-23_01.27.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-23 19:01 . 2011-08-23 19:01 16384 c:\windows\Temp\Perflib_Perfdata_cc0.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    "dxpoMJVpjtWVDrK"="c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe" [2011-08-12 0]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 136600]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
    "DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-05 278528]
    "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2005-11-06 106496]
    "Indexer"="c:\program files\Sharp\Sharpdesk\Indexer.exe" [2005-11-06 184320]
    "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2005-11-06 32768]
    "TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2005-11-06 57344]
    "FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2005-11-06 688128]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-08 185896]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SHARP\\Sharpdesk\\FTPServer.exe"=
    "c:\\Program Files\\DELL\\Dell Laser MFP 1815\\NetworkScan\\DNSCST.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/12/2011 2:16 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/12/2011 2:16 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2011 2:16 PM 19544]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2011 5:38 PM 366640]
    R2 pcremservice;pcrem service;c:\program files\Reel Logix\Reel Production Calendar\pcrem.exe [8/1/2006 6:42 PM 102400]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2011 5:38 PM 22712]
    S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [9/29/2010 5:35 PM 65536]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - EraserUtilDrv11113
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-08-23 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    2011-08-23 c:\windows\Tasks\User_Feed_Synchronization-{56742945-839F-40E6-9F7F-6F28D8A7FD7E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-23 c:\windows\Tasks\User_Feed_Synchronization-{78E10CCB-4F9E-4D81-83FD-D6B48110994D}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-23 c:\windows\Tasks\User_Feed_Synchronization-{B12684D6-771C-4CDE-8FCD-845C8C7AF04E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    uInternet Settings,ProxyOverride = 127.0.0.*;192.168.5.*
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.4.4 66.207.192.6 8.8.8.8
    FF - ProfilePath - c:\documents and settings\Administrator.334L5B1\Application Data\Mozilla\Firefox\Profiles\wq9bjqlg.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    .
    .
    ------- File Associations -------
    .
    .txt=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-23 15:48
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.mrxsmb]
    "ImagePath"="\*"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    .
    [HKEY_USERS\S-1-5-21-1239438457-1103471365-1085181089-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(268)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-23 15:53:42
    ComboFix-quarantined-files.txt 2011-08-23 19:53
    ComboFix2.txt 2011-08-23 01:35
    .
    Pre-Run: 51,614,212,096 bytes free
    Post-Run: 51,619,090,432 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 1DF6A59935BBABD75F407C07A4958451
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    I still see both AV programs running.
    I asked you to uninstall one.
    What happened?

    =======================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Bgocazoza.bin
    c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe
    
    
    DDS::
    uInternet Settings,ProxyOverride = 127.0.0.*;192.168.5.*
    
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dxpoMJVpjtWVDrK"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  13. oolong

    oolong TS Rookie Topic Starter

    Bit of a long explanation but I wasn't able to remove Norton because I can't find Norton. I know that sounds ridiculous but this isn't my computer. I did a search for Norton and it didn't turn up. I can remove Avast (since I put that on the computer) but I'm not sure I can remove Norton in case they bought it. I haven't removed Avast though because I'm not sure this computer had any protection before getting the virus and me downloading Avast.

    However let me know and I can happily uninstall Avast and we'll leave Norton on the computer.

    Here is the report:
    ComboFix 11-08-23.03 - Administrator 08/26/2011 17:22:49.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1121 [GMT -4:00]
    Running from: c:\documents and settings\Administrator.334L5B1\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator.334L5B1\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    * Created a new restore point
    .
    FILE ::
    "c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe"
    "c:\windows\Bgocazoza.bin"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-26 to 2011-08-26 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-24 07:00 . 2011-08-24 07:00 -------- d-----w- c:\windows\LastGood
    2011-08-16 22:03 . 2011-08-16 22:03 -------- d-----w- c:\program files\Apple Software Update
    2011-08-12 21:39 . 2011-08-12 21:39 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-12 21:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-12 18:16 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-12 18:16 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-12 18:16 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-12 18:16 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-12 18:16 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-12 18:16 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-12 18:16 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-12 18:16 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-12 18:16 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-12 18:16 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\program files\AVAST Software
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-12 02:08 . 2011-08-12 02:08 65536 --sha-r- c:\windows\system32\imm32S.dll
    2011-08-12 02:00 . 2011-08-12 16:38 0 ----a-w- c:\windows\Bgocazoza.bin
    2011-08-12 01:58 . 2011-08-12 01:58 0 ----a-w- c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe
    2011-08-11 21:53 . 2011-08-11 21:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-08-10 22:50 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 22:49 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-09 21:43 . 2011-08-09 21:43 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Apple
    2011-08-09 05:44 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A34D17A4-68A9-48D1-A022-4FF79986C52F}\mpengine.dll
    2011-08-01 18:31 . 2011-08-01 18:31 -------- d-----r- c:\documents and settings\Administrator.334L5B1\Application Data\Brother
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Leadertech
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Xerox
    2011-08-01 18:29 . 2011-08-01 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Xerox
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-21 17:59 . 2007-06-29 16:14 6144 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdprint.dll
    2011-07-21 17:59 . 2007-06-29 16:14 45568 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdpp.dll
    2011-07-15 13:29 . 2006-06-15 05:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-13 03:39 . 2006-06-22 18:44 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2011-07-08 14:02 . 2004-08-11 22:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2004-08-11 22:11 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-11 22:00 1858944 ------w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-23_01.27.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-23 19:01 . 2011-08-23 19:01 16384 c:\windows\Temp\Perflib_Perfdata_cc0.dat
    + 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
    - 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 136600]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
    "DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-05 278528]
    "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2005-11-06 106496]
    "Indexer"="c:\program files\Sharp\Sharpdesk\Indexer.exe" [2005-11-06 184320]
    "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2005-11-06 32768]
    "TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2005-11-06 57344]
    "FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2005-11-06 688128]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-08 185896]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SHARP\\Sharpdesk\\FTPServer.exe"=
    "c:\\Program Files\\DELL\\Dell Laser MFP 1815\\NetworkScan\\DNSCST.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/12/2011 2:16 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/12/2011 2:16 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2011 2:16 PM 19544]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2011 5:38 PM 366640]
    R2 pcremservice;pcrem service;c:\program files\Reel Logix\Reel Production Calendar\pcrem.exe [8/1/2006 6:42 PM 102400]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2011 5:38 PM 22712]
    S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [9/29/2010 5:35 PM 65536]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - EraserUtilDrv11113
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-08-26 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    2011-08-26 c:\windows\Tasks\User_Feed_Synchronization-{56742945-839F-40E6-9F7F-6F28D8A7FD7E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-26 c:\windows\Tasks\User_Feed_Synchronization-{78E10CCB-4F9E-4D81-83FD-D6B48110994D}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-26 c:\windows\Tasks\User_Feed_Synchronization-{B12684D6-771C-4CDE-8FCD-845C8C7AF04E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.4.4 66.207.192.6 8.8.8.8
    FF - ProfilePath - c:\documents and settings\Administrator.334L5B1\Application Data\Mozilla\Firefox\Profiles\wq9bjqlg.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-26 17:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.mrxsmb]
    "ImagePath"="\*"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    .
    [HKEY_USERS\S-1-5-21-1239438457-1103471365-1085181089-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3888)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-26 17:43:00
    ComboFix-quarantined-files.txt 2011-08-26 21:42
    ComboFix2.txt 2011-08-23 19:53
    ComboFix3.txt 2011-08-23 01:35
    .
    Pre-Run: 51,345,240,064 bytes free
    Post-Run: 51,374,481,408 bytes free
    .
    - - End Of File - - 83259D2EA2E3B9CCD156193C5B83978D
     
  14. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    Leave Avast alone.
    Did you actually run Norton Removal Tool listed in my reply #8?
    If you didn't, please do it now.

    ====================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Bgocazoza.bin
    c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  15. oolong

    oolong TS Rookie Topic Starter

    Sorry I'm not trying to be difficult. Because I can't find Norton on this computer, where ever it's buried, I don't know what kind of Norton it is (norton 360, Norton Security Suite, Norton System Works etc. etc. etc.) in order to remove it at http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN

    Again I can remove Avast no problem if it's interfering and we'll leave Norton where it is.

    Here is the new log:
    ComboFix 11-08-27.01 - Administrator 08/28/2011 11:58:03.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1051 [GMT -4:00]
    Running from: c:\documents and settings\Administrator.334L5B1\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator.334L5B1\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    * Created a new restore point
    .
    FILE ::
    "c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe"
    "c:\windows\Bgocazoza.bin"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\dxpoMJVpjtWVDrK.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-24 07:00 . 2011-08-24 07:00 -------- d-----w- c:\windows\LastGood
    2011-08-16 22:03 . 2011-08-16 22:03 -------- d-----w- c:\program files\Apple Software Update
    2011-08-12 21:39 . 2011-08-12 21:39 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-12 21:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-12 18:16 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-12 18:16 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-12 18:16 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-12 18:16 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-12 18:16 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-12 18:16 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-12 18:16 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-12 18:16 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-12 18:16 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-12 18:16 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\program files\AVAST Software
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-12 02:08 . 2011-08-12 02:08 65536 --sha-r- c:\windows\system32\imm32S.dll
    2011-08-12 02:00 . 2011-08-12 16:38 0 ----a-w- c:\windows\Bgocazoza.bin
    2011-08-11 21:53 . 2011-08-11 21:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-08-10 22:50 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 22:49 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-09 21:43 . 2011-08-09 21:43 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Apple
    2011-08-09 05:44 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A34D17A4-68A9-48D1-A022-4FF79986C52F}\mpengine.dll
    2011-08-01 18:31 . 2011-08-01 18:31 -------- d-----r- c:\documents and settings\Administrator.334L5B1\Application Data\Brother
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Leadertech
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Xerox
    2011-08-01 18:29 . 2011-08-01 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Xerox
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-21 17:59 . 2007-06-29 16:14 6144 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdprint.dll
    2011-07-21 17:59 . 2007-06-29 16:14 45568 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdpp.dll
    2011-07-15 13:29 . 2006-06-15 05:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-13 03:39 . 2006-06-22 18:44 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2011-07-08 14:02 . 2004-08-11 22:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2004-08-11 22:11 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-11 22:00 1858944 ------w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-23_01.27.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-23 19:01 . 2011-08-23 19:01 16384 c:\windows\Temp\Perflib_Perfdata_cc0.dat
    + 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
    - 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 136600]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
    "DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-05 278528]
    "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2005-11-06 106496]
    "Indexer"="c:\program files\Sharp\Sharpdesk\Indexer.exe" [2005-11-06 184320]
    "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2005-11-06 32768]
    "TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2005-11-06 57344]
    "FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2005-11-06 688128]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-08 185896]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SHARP\\Sharpdesk\\FTPServer.exe"=
    "c:\\Program Files\\DELL\\Dell Laser MFP 1815\\NetworkScan\\DNSCST.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/12/2011 2:16 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/12/2011 2:16 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2011 2:16 PM 19544]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2011 5:38 PM 366640]
    R2 pcremservice;pcrem service;c:\program files\Reel Logix\Reel Production Calendar\pcrem.exe [8/1/2006 6:42 PM 102400]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2011 5:38 PM 22712]
    S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [9/29/2010 5:35 PM 65536]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - EraserUtilDrv11113
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-08-28 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    2011-08-28 c:\windows\Tasks\User_Feed_Synchronization-{56742945-839F-40E6-9F7F-6F28D8A7FD7E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-28 c:\windows\Tasks\User_Feed_Synchronization-{78E10CCB-4F9E-4D81-83FD-D6B48110994D}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-28 c:\windows\Tasks\User_Feed_Synchronization-{B12684D6-771C-4CDE-8FCD-845C8C7AF04E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.4.4 66.207.192.6 8.8.8.8
    FF - ProfilePath - c:\documents and settings\Administrator.334L5B1\Application Data\Mozilla\Firefox\Profiles\wq9bjqlg.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-28 12:12
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.mrxsmb]
    "ImagePath"="\*"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    .
    [HKEY_USERS\S-1-5-21-1239438457-1103471365-1085181089-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    .
    Completion time: 2011-08-28 12:17:43
    ComboFix-quarantined-files.txt 2011-08-28 16:17
    ComboFix2.txt 2011-08-26 21:43
    ComboFix3.txt 2011-08-23 19:53
    ComboFix4.txt 2011-08-23 01:35
    .
    Pre-Run: 51,222,519,808 bytes free
    Post-Run: 51,200,008,192 bytes free
    .
    - - End Of File - - 5D695AA1CA9D6852DB2CA0EB3EBEE0E0
     
  16. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    How is computer doing?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    SecCenter::
    {FB06448E-52B8-493A-90F3-E43226D3305C}
    
    File::
    c:\windows\Bgocazoza.bin
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  17. oolong

    oolong TS Rookie Topic Starter

    the computer seems to be running well now.

    log

    ComboFix 11-08-27.01 - Administrator 08/29/2011 8:39.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1070 [GMT -4:00]
    Running from: c:\documents and settings\Administrator.334L5B1\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator.334L5B1\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\windows\Bgocazoza.bin"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-28 to 2011-08-29 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-16 22:03 . 2011-08-16 22:03 -------- d-----w- c:\program files\Apple Software Update
    2011-08-12 21:39 . 2011-08-12 21:39 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-07-06 23:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-08-12 21:38 . 2011-08-12 21:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-08-12 21:38 . 2011-07-06 23:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-12 18:16 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-08-12 18:16 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-08-12 18:16 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-08-12 18:16 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-08-12 18:16 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-08-12 18:16 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-08-12 18:16 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-08-12 18:16 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-08-12 18:16 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
    2011-08-12 18:16 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\program files\AVAST Software
    2011-08-12 18:16 . 2011-08-12 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-08-12 02:08 . 2011-08-12 02:08 65536 --sha-r- c:\windows\system32\imm32S.dll
    2011-08-12 02:00 . 2011-08-12 16:38 0 ----a-w- c:\windows\Bgocazoza.bin
    2011-08-11 21:53 . 2011-08-11 21:53 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-08-10 22:50 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
    2011-08-10 22:49 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
    2011-08-09 21:43 . 2011-08-09 21:43 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Local Settings\Application Data\Apple
    2011-08-09 05:44 . 2011-07-13 03:39 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A34D17A4-68A9-48D1-A022-4FF79986C52F}\mpengine.dll
    2011-08-01 18:31 . 2011-08-01 18:31 -------- d-----r- c:\documents and settings\Administrator.334L5B1\Application Data\Brother
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Leadertech
    2011-08-01 18:30 . 2011-08-01 18:30 -------- d-----w- c:\documents and settings\Administrator.334L5B1\Application Data\Xerox
    2011-08-01 18:29 . 2011-08-01 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Xerox
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-21 17:59 . 2007-06-29 16:14 6144 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdprint.dll
    2011-07-21 17:59 . 2007-06-29 16:14 45568 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\xpdpp.dll
    2011-07-15 13:29 . 2006-06-15 05:47 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-07-13 03:39 . 2006-06-22 18:44 6881616 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2011-07-08 14:02 . 2004-08-11 22:00 10496 ------w- c:\windows\system32\drivers\ndistapi.sys
    2011-06-24 14:10 . 2004-08-11 22:11 139656 ------w- c:\windows\system32\drivers\rdpwd.sys
    2011-06-23 18:36 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-06-23 18:36 . 2004-08-11 22:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-06-23 18:36 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-06-23 12:05 . 2004-08-11 22:00 385024 ------w- c:\windows\system32\html.iec
    2011-06-20 17:44 . 2004-08-11 22:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-06-02 14:02 . 2004-08-11 22:00 1858944 ------w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-23_01.27.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-28 20:46 . 2011-08-28 20:46 16384 c:\windows\Temp\Perflib_Perfdata_ca4.dat
    + 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
    - 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-04 136600]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
    "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "MediaFace Integration"="c:\program files\Fellowes\MediaFACE 5.0\SetHook.exe" [2005-10-27 53248]
    "DellNSCST_GRNCH"="c:\program files\DELL\Dell Laser MFP 1815\NetworkScan\DNSCST.exe" [2006-12-05 278528]
    "IndexTray"="c:\program files\Sharp\Sharpdesk\IndexTray.exe" [2005-11-06 106496]
    "Indexer"="c:\program files\Sharp\Sharpdesk\Indexer.exe" [2005-11-06 184320]
    "SharpTray"="c:\program files\Sharp\Sharpdesk\SharpTray.exe" [2005-11-06 32768]
    "TypeRegChecker"="c:\program files\Sharp\Sharpdesk\TypeRegChecker.exe" [2005-11-06 57344]
    "FtpServer.exe"="c:\program files\Sharp\Sharpdesk\FtpServer.exe" [2005-11-06 688128]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-08 185896]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SHARP\\Sharpdesk\\FTPServer.exe"=
    "c:\\Program Files\\DELL\\Dell Laser MFP 1815\\NetworkScan\\DNSCST.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [8/12/2011 2:16 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/12/2011 2:16 PM 309848]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/12/2011 2:16 PM 19544]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/12/2011 5:38 PM 366640]
    R2 pcremservice;pcrem service;c:\program files\Reel Logix\Reel Production Calendar\pcrem.exe [8/1/2006 6:42 PM 102400]
    R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 12:30 PM 124608]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/12/2011 5:38 PM 22712]
    S2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [9/29/2010 5:35 PM 65536]
    S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
    S4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - EraserUtilDrv11113
    *Deregistered* - EraserUtilRebootDrv
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
    .
    2011-08-29 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
    .
    2011-08-29 c:\windows\Tasks\User_Feed_Synchronization-{56742945-839F-40E6-9F7F-6F28D8A7FD7E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-29 c:\windows\Tasks\User_Feed_Synchronization-{78E10CCB-4F9E-4D81-83FD-D6B48110994D}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    2011-08-29 c:\windows\Tasks\User_Feed_Synchronization-{B12684D6-771C-4CDE-8FCD-845C8C7AF04E}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    uInternet Settings,ProxyOverride = 192.168.5.*
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.4.4 66.207.192.6 8.8.8.8
    FF - ProfilePath - c:\documents and settings\Administrator.334L5B1\Application Data\Mozilla\Firefox\Profiles\wq9bjqlg.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-29 08:53
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.mrxsmb]
    "ImagePath"="\*"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,9f,e1,8b,91,90,1f,4e,85,79,33,\
    .
    [HKEY_USERS\S-1-5-21-1239438457-1103471365-1085181089-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5c,ed,bf,b3,6b,de,6b,4d,ad,7e,dc,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2132)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-29 08:58:07
    ComboFix-quarantined-files.txt 2011-08-29 12:58
    ComboFix2.txt 2011-08-28 16:17
    ComboFix3.txt 2011-08-26 21:43
    ComboFix4.txt 2011-08-23 19:53
    ComboFix5.txt 2011-08-28 20:38
    .
    Pre-Run: 51,637,309,440 bytes free
    Post-Run: 51,629,490,176 bytes free
    .
    - - End Of File - - 61F03F3D53B8F61810D416EB01EED0AE
     
  18. Broni

    Broni Malware Annihilator Posts: 47,015   +255

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Bgocazoza.bin
    
    DDS::
    uInternet Settings,ProxyOverride = 192.168.5.*
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\.mrxsmb]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.