BullGuard
Multiple iexplore.exe in task manager
   
BullGuard Antivirus Forum > Virus information > Alerts & New Threats > Multiple iexplore.exe in task manager  
55 posts in this thread.

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/5/2010 3:38 PM (GMT +3)
So I'm browsing the net when a browser message comes up saying "Internet Explorer has stopped working" and then abruptly closes. This happened a few times. The 4th time I check task manager and see that there's 3 iexplore.exe when I have only 1 browser open. When I "kill" one iexplore.exe process another one opens up immediately.
 
 
I downloaded Process Explorer to check out the path of the other 2 iexplore.exe and it came up:
 
Path:                C:\Program Files\Internet Explorer\iexplore.exe
 
Command Line:  "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5116 CREDAT:71978
 
And when I click "Bring to front" I get the message "No visible windows found for this process"
 
Then I clicked Security then Permissions and listed in the accounts windows is
 
"Account Unknown (S-1-5-5-0-276877)"
 
I've removed this account numerous times but it just keeps coming back, only with a different number.
 
AVG found nothing.
MalwareBytes found nothing so I don't have a log file.
 
HERE's MY HjT LOG...
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:10, on 05/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Users\Kris_2\Desktop\procexp.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kris_2\Desktop\dds.scr
C:\Windows\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Users\Kris_2\AppData\Local\Temp\14B9.tmp\edS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\rmtray.exe /H
O4 - HKUS\S-1-5-21-2279729505-3709079803-170581798-1007\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Mcx1')
O4 - HKUS\S-1-5-21-2279729505-3709079803-170581798-1007\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'Mcx1')
O4 - HKUS\S-1-5-21-2279729505-3709079803-170581798-1007\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe (User 'Mcx1')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: dlcx_device -   - C:\Windows\system32\dlcxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: KRGSL - Sysinternals - www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\KRGSL.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MTXVRT - Sysinternals - www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\MTXVRT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: OVLLJRWYF - Sysinternals - www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6417 bytes
HERE'S MY DDS LOG...
 

DDS (Ver_09-12-01.01) - NTFSx86 
Run by Kris_2 at 12:03:30.57 on 05/01/2010
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.3316.1724 [GMT 0:00]
SP: ZoneAlarm Pro Anti-Spyware *enabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
FW: ZoneAlarm Pro Firewall *disabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\system32\dlcxcoms.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Users\Kris_2\Desktop\procexp.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kris_2\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [RegistryMechanic] c:\program files\registry mechanic\rmtray.exe /H
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dlcxmon.exe] "c:\program files\dell photo aio printer 926\dlcxmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 926\memcard.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-17 161800]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-17 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-17 28424]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-17 360584]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-12-15 58984]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-12-15 337000]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-22 906520]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-22 285392]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-11 235344]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-12-26 583640]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-12-15 972008]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-11 19160]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-12-11 38224]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111v.sys [2008-8-4 904192]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-15 21504]
S3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-7-27 5504]
S3 KRGSL;KRGSL;c:\users\kris_2\appdata\local\temp\KRGSL.exe [2010-1-4 592768]
S3 MTXVRT;MTXVRT;c:\users\kris_2\appdata\local\temp\MTXVRT.exe [2010-1-4 342912]
S3 OVLLJRWYF;OVLLJRWYF;c:\users\kris_2\appdata\local\temp\OVLLJRWYF.exe [2010-1-4 400256]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2007-8-16 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2007-8-16 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\drivers\stppp.sys [2007-8-16 35328]
S4 ACKFBIA;ACKFBIA;c:\users\kris_2\appdata\local\temp\ackfbia.exe --> c:\users\kris_2\appdata\local\temp\ACKFBIA.exe [?]
=============== Created Last 30 ================
2009-12-28 15:23:18 65536 --sha-w- C:\ntuser.dat{3e1552ce-f2dd-11de-8e8a-001aa08b948b}.TM.blf
2009-12-28 15:23:18 524288 --sha-w- C:\ntuser.dat{3e1552ce-f2dd-11de-8e8a-001aa08b948b}.TMContainer00000000000000000002.regtrans-ms
2009-12-28 15:23:18 524288 --sha-w- C:\ntuser.dat{3e1552ce-f2dd-11de-8e8a-001aa08b948b}.TMContainer00000000000000000001.regtrans-ms
2009-12-27 19:54:17 65536 --sha-w- c:\users\kris_2\ntuser.dat{3e1552ca-f2dd-11de-8e8a-001aa08b948b}.TM.blf
2009-12-27 19:54:17 524288 --sha-w- c:\users\kris_2\ntuser.dat{3e1552ca-f2dd-11de-8e8a-001aa08b948b}.TMContainer00000000000000000002.regtrans-ms
2009-12-27 19:54:17 524288 --sha-w- c:\users\kris_2\ntuser.dat{3e1552ca-f2dd-11de-8e8a-001aa08b948b}.TMContainer00000000000000000001.regtrans-ms
2009-12-27 19:52:36 0 ---ha-w- C:\S-1-5-21-2279729505-3709079803-170581798-1000.rrr.LOG2
2009-12-27 19:52:36 0 ---ha-w- C:\S-1-5-21-2279729505-3709079803-170581798-1000.rrr.LOG1
2009-12-27 19:52:35 262144 ---ha-w- c:\users\kris_2\S-1-5-21-2279729505-3709079803-170581798-1004.rrr.LOG1
2009-12-27 19:52:35 0 ---ha-w- c:\users\kris_2\S-1-5-21-2279729505-3709079803-170581798-1004.rrr.LOG2
2009-12-26 17:18:53 0 d-----w- c:\users\kris_2\appdata\roaming\Registry Mechanic
2009-12-26 11:33:13 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2009-12-26 11:33:13 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2009-12-26 11:33:13 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2009-12-26 11:06:18 8192 ----a-w- C:\ntuser.dat
2009-12-26 11:06:18 65536 --sha-w- C:\ntuser.dat{ae4fa5a5-f203-11de-8eef-001aa08b948b}.TM.blf
2009-12-26 11:06:18 524288 --sha-w- C:\ntuser.dat{ae4fa5a5-f203-11de-8eef-001aa08b948b}.TMContainer00000000000000000002.regtrans-ms
2009-12-26 11:06:18 524288 --sha-w- C:\ntuser.dat{ae4fa5a5-f203-11de-8eef-001aa08b948b}.TMContainer00000000000000000001.regtrans-ms
2009-12-26 11:06:18 5120 ---ha-w- C:\ntuser.dat.LOG1
2009-12-26 11:06:18 262144 ----a-w- C:\ntuser.dat.rmbak
2009-12-26 11:06:18 0 ---ha-w- C:\ntuser.dat.LOG2
2009-12-26 11:05:34 0 d-----w- c:\program files\common files\PC Tools
2009-12-26 10:20:35 0 d-----w- c:\users\kris_2\appdata\roaming\Trusteer
2009-12-26 10:20:30 0 d-----w- c:\program files\Trusteer
2009-12-25 00:21:04 0 d-sh--w- c:\users\kris_2\appdata\roaming\lowsec
2009-12-22 16:14:04 0 d-----w- c:\program files\Microsoft
2009-12-17 02:33:05 0 d--h--w- C:\$AVG
2009-12-17 02:33:00 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-17 02:32:59 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-12-17 02:32:57 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-12-17 02:32:51 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-17 02:32:48 0 d-----w- c:\windows\system32\drivers\Avg
2009-12-17 02:32:36 0 d-----w- c:\programdata\avg9
2009-12-12 15:19:46 0 d-----w- c:\program files\CCleaner
2009-12-11 01:18:41 0 d-----w- c:\users\kris_2\appdata\roaming\Malwarebytes
2009-12-11 01:18:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-11 01:18:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 01:18:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 00:53:15 0 d-----w- c:\users\kris_2\appdata\roaming\BitTorrent
2009-12-11 00:51:44 0 d-----w- c:\program files\BitTorrent
2009-12-11 00:44:50 20 ----a-w- c:\windows\system32\SYSTEM
2009-12-09 11:43:56 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 11:43:55 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 11:43:55 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 11:23:43 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-08 18:16:40 0 d-----w- c:\programdata\Nero
2009-12-08 18:16:40 0 d-----w- c:\program files\Nero
==================== Find3M  ====================
2009-12-23 21:12:20 51200 ----a-w- c:\windows\inf\infpub.dat
2009-12-23 21:12:20 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-12-23 21:12:20 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-14 01:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-11-02 20:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 09:19:45 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-25 06:11:34 77312 ----a-w- c:\windows\MBR.exe
2009-10-15 16:31:51 2952 ----a-w- c:\users\kris_2\appdata\roaming\wklnhst.dat
2009-10-11 04:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-08 21:08:01 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08:01 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07:59 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2008-04-15 22:35:08 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-07-28 04:38:07 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 12:05:39.28 ===============
 
Please get back to me ASAP


File Attachment :
Attach.zip   2KB (application/x-zip-compressed)
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/6/2010 7:18 AM (GMT +3)
Welcome to BG forums Tofer,

The logs show a folder normally created by malware to store the encrypted files it makes from data it has stolen and plans to upload. Unusual though, as you have Malwarebytes, which does locate and remove this particular folder. Have you run updated scans with that?

Let's get some different detailed looks, then see what repairs we need to do.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.
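As an added triage example (not code from this thread, nor from HijackThis, DDS, RSIT or BullGuard), the Python script below parses the kinds of log lines posted above and flags the two patterns Jintan is reacting to: services whose binary lives under a user's Temp folder, and a directory created under AppData with the hidden and system attributes set. The sample lines are copied from the HijackThis and DDS logs in the first post; the regexes, the Temp-folder heuristic and the severity labels are my own assumptions about those log formats, checked only against these lines.

```python
import re

# Constructed sample input: lines copied from the HijackThis (O23) and DDS
# (service and "Created Last 30") sections posted above, plus benign entries
# for contrast. Not a complete log.
SAMPLE_LINES = [
    r"O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe",
    r"O23 - Service: KRGSL - Sysinternals - www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\KRGSL.exe",
    r"O23 - Service: MTXVRT - Sysinternals - www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\MTXVRT.exe",
    r"O23 - Service: dlcx_device -   - C:\Windows\system32\dlcxcoms.exe",
    r"S4 ACKFBIA;ACKFBIA;c:\users\kris_2\appdata\local\temp\ackfbia.exe --> c:\users\kris_2\appdata\local\temp\ACKFBIA.exe [?]",
    r"R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-22 285392]",
    r"2009-12-25 00:21:04 0 d-sh--w- c:\users\kris_2\appdata\roaming\lowsec",
    r"2009-12-26 11:05:34 0 d-----w- c:\program files\common files\PC Tools",
]

# Assumed line shapes (derived from the posted logs, not from any tool's spec):
# HijackThis: "O23 - Service: <name> - <company> - <drive>:\<path>"
HJT_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.*?) - (?P<path>[A-Za-z]:\\.*)$")
# DDS service: "<R|S><n> <svc>;<display>;<path>[ --> ...][ [date size]]"
DDS_SERVICE = re.compile(r"^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>[^;]+?)(?: -->| \[|$)")
# DDS created entry: "<date> <time> <size> <attrs> <path>", attrs like "d-sh--w-"
DDS_CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ (?P<attrs>[-a-z]{8}) (?P<path>.+)$")

# Heuristic (assumption): legitimate services are not installed into Temp folders.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_PROFILE_MARKER = "\\appdata\\"


def in_temp_dir(path):
    """True when the binary path sits under a per-user or system Temp folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def triage(lines):
    """Return a list of (severity, reason, detail) findings for the given log lines."""
    findings = []
    for raw in lines:
        line = raw.rstrip()

        m = HJT_SERVICE.match(line)
        if m:
            name, company, path = m.group("name"), m.group("company").strip(), m.group("path")
            if in_temp_dir(path):
                findings.append(("high", "service binary in Temp directory", f"{name}: {path}"))
            if not company:
                findings.append(("info", "service has no publisher string", f"{name}: {path}"))
            continue

        m = DDS_SERVICE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if in_temp_dir(path):
                findings.append(("high", "service binary in Temp directory", f"{name}: {path}"))
            continue

        m = DDS_CREATED.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            is_dir = attrs[0] == "d"
            hidden_and_system = "h" in attrs and "s" in attrs
            if is_dir and hidden_and_system and USER_PROFILE_MARKER in path.lower():
                findings.append(("medium", "hidden+system folder created in user profile", path))
    return findings


def main():
    for severity, reason, detail in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {reason}: {detail}")


if __name__ == "__main__":
    main()
```

On the sample, the three Temp-resident services (KRGSL, MTXVRT, ACKFBIA) come out as high, the lowsec folder as medium, and dlcx_device is only noted for its empty publisher field (the Dell printer service, so informational rather than suspicious). The point of separating the publisher check from the Temp check is that a well-known company string is not evidence on its own: the Temp-folder services above carry "Sysinternals" in that field and are still what the rest of the thread is about.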
 

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/6/2010 9:02 PM (GMT +3)
Hello Jin and thank you for replying, whereabouts in the logs does it show you this folder?

HERE'S THE 1ST RSIT LOG:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of random's system information tool 1.06 (written by random/random)
Run by Kris_2 at 2010-01-06 17:20:37
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 162 GB (71%) free of 228 GB
Total RAM: 3316 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:47, on 06/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\BullGuard Ltd\BullGuard\BGScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Kris_2\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Kris_2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bglsp.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: dlcx_device - - C:\Windows\system32\dlcxcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6803 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2008-01-17 4907008]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]
"dlcxmon.exe"=C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe [2007-01-12 292336]
"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 926\memcard.exe [2006-11-04 304008]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-02-11 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-02-11 133656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-02-11 141848]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-12-30 429392]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2010-01-05 304464]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [2005-08-11 249856]
"BullGuard"=C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe [2010-01-05 304464]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-02-11 204800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgLiveSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\BgMainSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42f74644-9537-11dd-adcf-001b2fb0fa50}]
shell\AutoRun\command - J:\bfyoiz.exe
shell\explore\command - J:\bfyoiz.exe
shell\open\command - J:\bfyoiz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52d52efc-7050-11dd-9143-001b2fb0fa50}]
shell\AutoRun\command - J:\setup\rsrc\Autorun.exe
shell\dinstall\command - J:\Directx\dxsetup.exe


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-01-06 17:20:37 ----D---- C:\rsit
2010-01-06 12:31:41 ----D---- C:\ProgramData\Kaspersky Lab Setup Files
2010-01-06 10:48:39 ----D---- C:\Windows\Internet Logs
2010-01-05 20:21:51 ----D---- C:\ProgramData\CheckPoint
2010-01-05 15:24:38 ----D---- C:\Windows\ERDNT
2010-01-05 13:20:28 ----D---- C:\ProgramData\BullGuard
2010-01-05 13:20:27 ----D---- C:\Users\Kris_2\AppData\Roaming\BullGuard
2010-01-05 13:19:00 ----D---- C:\Program Files\BullGuard Ltd
2009-12-26 11:05:34 ----D---- C:\Program Files\Common Files\PC Tools
2009-12-26 10:20:35 ----D---- C:\Users\Kris_2\AppData\Roaming\Trusteer
2009-12-26 10:20:30 ----D---- C:\Program Files\Trusteer
2009-12-25 00:21:04 ----SHD---- C:\Users\Kris_2\AppData\Roaming\lowsec
2009-12-22 16:14:04 ----D---- C:\Program Files\Microsoft
2009-12-22 16:13:40 ----D---- C:\Program Files\Windows Live
2009-12-12 15:19:46 ----D---- C:\Program Files\CCleaner
2009-12-11 01:18:41 ----D---- C:\Users\Kris_2\AppData\Roaming\Malwarebytes
2009-12-11 01:18:34 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-11 00:53:15 ----D---- C:\Users\Kris_2\AppData\Roaming\BitTorrent
2009-12-11 00:51:44 ----D---- C:\Program Files\BitTorrent
2009-12-09 11:43:56 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-09 11:43:55 ----A---- C:\Windows\system32\httpapi.dll
2009-12-09 11:24:34 ----A---- C:\Windows\system32\winhttp.dll
2009-12-09 11:24:30 ----A---- C:\Windows\system32\mshtml.dll
2009-12-09 11:24:29 ----A---- C:\Windows\system32\iertutil.dll
2009-12-09 11:24:29 ----A---- C:\Windows\system32\ieframe.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\wininet.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\urlmon.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\occache.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\msfeeds.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\ieui.dll
2009-12-09 11:24:28 ----A---- C:\Windows\system32\iedkcs32.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\msfeedssync.exe
2009-12-09 11:24:27 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\jsproxy.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\ieUnatt.exe
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iesysprep.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iesetup.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iernonce.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\iepeers.dll
2009-12-09 11:24:27 ----A---- C:\Windows\system32\ie4uinit.exe
2009-12-09 11:23:43 ----A---- C:\Windows\system32\rastls.dll
2009-12-08 18:26:10 ----D---- C:\Users\Kris_2\AppData\Roaming\DivX
2009-12-08 18:16:40 ----D---- C:\ProgramData\Nero
2009-12-08 18:16:40 ----D---- C:\Program Files\Nero
2009-12-07 22:22:47 ----D---- C:\Users\Kris_2\AppData\Roaming\Ahead
2009-12-07 04:00:56 ----D---- C:\Program Files\Common Files\Ahead

======List of files/folders modified in the last 1 months======

2010-01-06 17:20:41 ----D---- C:\Windows\Temp
2010-01-06 17:02:42 ----D---- C:\Windows\System32
2010-01-06 17:02:42 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-01-06 17:02:41 ----D---- C:\Windows\inf
2010-01-06 14:30:32 ----HD---- C:\ProgramData
2010-01-06 13:15:14 ----D---- C:\TempDVD
2010-01-06 13:15:13 ----D---- C:\dvdsanta
2010-01-06 12:58:24 ----D---- C:\Windows\Debug
2010-01-06 11:00:27 ----D---- C:\Windows\system32\drivers
2010-01-06 10:48:39 ----D---- C:\Windows
2010-01-06 10:17:27 ----RD---- C:\Program Files
2010-01-06 10:15:44 ----D---- C:\Windows\system32\catroot
2010-01-05 16:02:32 ----AD---- C:\ProgramData\TEMP
2010-01-05 16:01:06 ----SD---- C:\Users\Kris_2\AppData\Roaming\Microsoft
2010-01-05 13:22:36 ----D---- C:\Windows\system32\config
2010-01-04 19:00:45 ----D---- C:\Windows\Prefetch
2010-01-04 15:28:13 ----RD---- C:\Users
2010-01-02 17:53:36 ----D---- C:\Windows\system32\catroot2
2010-01-02 12:56:55 ----SHD---- C:\Windows\Installer
2009-12-31 00:30:20 ----D---- C:\Windows\Cache
2009-12-27 19:54:27 ----SD---- C:\Windows\Downloaded Program Files
2009-12-27 19:44:50 ----SD---- C:\ProgramData\Microsoft
2009-12-26 11:05:34 ----D---- C:\Program Files\Common Files
2009-12-20 15:09:40 ----A---- C:\Windows\NeroDigital.ini
2009-12-17 15:36:00 ----D---- C:\Windows\system32\LogFiles
2009-12-17 00:09:14 ----SHD---- C:\System Volume Information
2009-12-11 00:41:53 ----D---- C:\Windows\system32\Tasks
2009-12-09 12:42:30 ----D---- C:\Windows\rescache
2009-12-09 12:37:30 ----D---- C:\Windows\winsxs
2009-12-09 12:24:59 ----D---- C:\Windows\system32\migration
2009-12-09 12:24:58 ----D---- C:\Windows\system32\en-US
2009-12-09 12:24:58 ----D---- C:\Program Files\Windows Mail
2009-12-09 12:24:58 ----D---- C:\Program Files\Internet Explorer
2009-12-08 18:17:16 ----D---- C:\Windows\ehome
2009-12-07 22:38:28 ----D---- C:\Windows\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 afw;Agnitum Firewall Driver; C:\Windows\system32\DRIVERS\afw.sys [2009-03-23 29208]
R1 RapportKELL;RapportKELL; \??\C:\Program Files\Trusteer\Rapport\bin\RapportKELL.sys [2009-12-15 58984]
R1 RapportPG;RapportPG; \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [2009-12-15 337000]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.2.0.3; C:\Windows\system32\DRIVERS\AegisP.sys [2008-04-13 17801]
R2 BdFileSpy;BullGuard File Monitor Driver; \??\C:\Windows\system32\drivers\BdFileSpy.sys [2009-01-23 55504]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 RMCAST;RMCAST (Pgm) Protocol Driver; C:\Windows\system32\DRIVERS\RMCAST.sys [2009-04-11 113664]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-05 8192]
R3 afwcore;afwcore; C:\Windows\system32\DRIVERS\afwcore.sys [2009-03-23 305688]
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2007-04-29 228224]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-02-11 2302976]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2008-01-24 2054872]
R3 MBAMProtector;MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [2009-12-30 19160]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service; C:\Windows\system32\DRIVERS\WPN111v.sys [2008-08-04 904192]
S3 AFGMp50;AFGMp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGMp50.sys []
S3 AFGSp50;AFGSp50 NDIS Protocol Driver; C:\Windows\System32\Drivers\AFGSp50.sys []
S3 catchme;catchme; \??\C:\Users\Kris_2\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 IntelDH;IntelDH Driver; C:\Windows\System32\Drivers\IntelDH.sys [2007-07-27 5504]
S3 MRV6X32P;Vista 32-bits Native WiFi Driver; C:\Windows\system32\DRIVERS\MRVW13B.sys [2007-05-03 256000]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NDISKIO;NDISKIO; \??\C:\Users\Kris_2\AppData\Local\Temp\00000e71.nmc\nse\bin\ndiskio.sys []
S3 nsak;nsak; \??\C:\Users\Kris_2\AppData\Local\Temp\00000e71.nmc\nse\bin\nsak.sys []
S3 Profos;Profos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys [2010-01-05 14720]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 RT73;D-Link USB Wireless LAN Card Driver; C:\Windows\system32\DRIVERS\Dr71WU.sys [2005-11-03 245504]
S3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2006-11-02 47104]
S3 s125bus;Sony Ericsson Device 125 driver (WDM); C:\Windows\system32\DRIVERS\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s125obex.sys [2007-04-24 98696]
S3 s616bus;Sony Ericsson Device 616 driver (WDM); C:\Windows\system32\DRIVERS\s616bus.sys [2007-04-03 83208]
S3 ST330;ST330; C:\Windows\system32\drivers\st330.sys [2007-08-16 30464]
S3 STBUS;STBUS; C:\Windows\system32\drivers\stbus.sys [2007-08-16 12672]
S3 stppp;Speedtouch PPP Adapter Adapter; C:\Windows\system32\DRIVERS\stppp.sys [2007-08-16 35328]
S3 Trufos;Trufos; \??\C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\trufos.sys [2010-01-05 39808]
S3 TSHWMDTCP;TSHWMDTCP; \??\C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys []
S3 UMPass;Microsoft UMPass Driver; C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 7680]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-11 73216]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 W8335XP;802.11g/b Driver for Windows XP ; C:\Windows\system32\DRIVERS\Mrvw125.sys [2007-06-19 282624]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-10-01 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 iaStor;Intel AHCI Controller; C:\Windows\system32\drivers\iastor.sys [2007-04-26 304920]
S4 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys [2008-08-22 717296]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AERTFilters;Andrea RT Filters Service; C:\Windows\system32\AERTSrv.exe [2007-12-05 77824]
R2 BgLiveSvc;BullGuard LiveUpdate; C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe [2009-04-06 300368]
R2 BgMainSvc;BullGuard Main Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFileScan;BullGuard File Scan Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsFire;BullGuard Firewall Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 dlcx_device;dlcx_device; C:\Windows\system32\dlcxcoms.exe [2006-11-04 537480]
R2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-12-30 235344]
R2 RapportMgmtService;Rapport Management Service; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2009-12-15 972008]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-05 386560]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-27 279848]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 ACKFBIA;ACKFBIA; C:\Users\Kris_2\AppData\Local\Temp\ACKFBIA.exe []
S4 KRGSL;KRGSL; C:\Users\Kris_2\AppData\Local\Temp\KRGSL.exe []
S4 MTXVRT;MTXVRT; C:\Users\Kris_2\AppData\Local\Temp\MTXVRT.exe []
S4 OVLLJRWYF;OVLLJRWYF; C:\Users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe []
-----------------EOF-----------------
HERE'S THE 2ND RSIT LOG:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
info.txt logfile of random's system information tool 1.06 2010-01-06 17:20:49

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
926plv32-->MsiExec.exe /I{0FA7B858-E0E1-400B-B5C0-1285F7D6FE5E}
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player-->C:\Windows\System32\Adobe\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Adobe\SHOCKW~1\Install.log
BitTorrent-->C:\Program Files\BitTorrent\uninst.exe
BullGuard 8.7-->C:\Program Files\BullGuard Ltd\BullGuard\uninst.exe
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch-->C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Conexant D850 PCI V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -IDel200fz.inf
Dell Photo AIO Printer 926-->C:\Program Files\Dell Photo AIO Printer 926\Install\x86\Uninst.exe
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
dvdSanta 4.50-->"C:\Program Files\DVDSanta\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
Intel(R) PRO Network Connections 12.1.11.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Intel(R) PRO Network Connections 12.1.11.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216015FF}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
K-Lite Codec Pack 3.2.5 Standard-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
Nero 7 Premium-->MsiExec.exe /X{CF097717-F174-4144-954A-FBC4BF301033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NETGEAR RangeMax(TM) Wireless USB 2.0 Adapter WPN111-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{582E9125-32B6-4CBA-AB48-3E33CE3DB389}\Setup.exe"
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Rapport-->MsiExec.exe /X{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Reason 3.0-->"C:\Program Files\Propellerhead\Reason\Uninstall Reason\unins000.exe"
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
VC 9.0 Runtime-->MsiExec.exe /I{A040AC77-C1AA-4CC9-8931-9F648AF178F6}
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

=====HijackThis Backups=====

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-05]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-12-05]
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file) [2009-12-05]
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - (no file) [2009-12-05]
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file) [2009-12-05]
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file) [2009-12-05]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab [2009-12-05]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab [2009-12-05]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-12-06]
O23 - Service: ACKFBIA - Sysinternals - www.sysinternals.com - C:\Users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [2009-12-09]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = [2009-12-09]
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe [2009-12-09]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-20]
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup [2009-12-22]
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab [2009-12-22]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-12-22]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [2010-01-04]

======Security center information======

FW: ZoneAlarm Pro Firewall (disabled)
AS: ZoneAlarm Pro Anti-Spyware

======System event log======

Computer Name: HouseComp
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.
Record Number: 160046
Source Name: cdrom
Time Written: 20090611131521.614365-000
Event Type: Warning
User:

Computer Name: HouseComp
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.
Record Number: 160043
Source Name: cdrom
Time Written: 20090611124606.748365-000
Event Type: Warning
User:

Computer Name: HouseComp
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.
Record Number: 160042
Source Name: cdrom
Time Written: 20090611124606.538365-000
Event Type: Warning
User:

Computer Name: HouseComp
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.
Record Number: 160041
Source Name: cdrom
Time Written: 20090611124606.158365-000
Event Type: Warning
User:

Computer Name: HouseComp
Event Code: 51
Message: An error was detected on device \Device\CdRom0 during a paging operation.
Record Number: 160040
Source Name: cdrom
Time Written: 20090611124605.947365-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: RoomComp
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2279729505-3709079803-170581798-1001:
Process 3652 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001\Software\Microsoft\Windows\CurrentVersion\Explorer

Record Number: 451
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20070801123639.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: RoomComp
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {74cde794-228d-4283-9e78-7fc705f199fb}
Record Number: 430
Source Name: VSS
Time Written: 20070801123502.000000-000
Event Type: Error
User:

Computer Name: RoomComp
Event Code: 5007
Message: The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.
Record Number: 415
Source Name: WerSvc
Time Written: 20070801122122.000000-000
Event Type: Error
User:

Computer Name: RoomComp
Event Code: 15
Message:
Record Number: 414
Source Name: CCU_Desktop
Time Written: 20070801122033.000000-000
Event Type: Error
User:

Computer Name: RoomComp
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
3 user registry handles leaked from \Registry\User\S-1-5-21-2279729505-3709079803-170581798-1001:
Process 520 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001
Process 5584 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 5584 (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-2279729505-3709079803-170581798-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts

Record Number: 389
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20070801121616.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: HouseComp
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: HOUSECOMP$
Account Domain: HPC
Logon ID: 0x3e7

Logon Type: 2

New Logon:
Security ID: S-1-5-21-2279729505-3709079803-170581798-1004
Account Name: Kris_2
Account Domain: HOUSECOMP
Logon ID: 0x28e56
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x278
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: HOUSECOMP
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 58850
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090514203238.268557-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: HOUSECOMP$
Account Domain: HPC
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: Kris_2
Account Domain: HOUSECOMP
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x278
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Network Address: 127.0.0.1
Port: 0

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 58849
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090514203238.268557-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 58848
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090514203237.987757-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: HOUSECOMP$
Account Domain: HPC
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x260
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 58847
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090514203237.987757-000
Event Type: Audit Success
User:

Computer Name: HouseComp
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: HOUSECOMP$
Account Domain: HPC
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x260
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 58846
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090514203237.987757-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Intel\DMIX;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared;C:\Program Files\Common Files\DivX Shared;C:\Program Files\Smart Projects\IsoBuster
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0f02
"NUMBER_OF_PROCESSORS"=2
"tvdumpflags"=8
-----------------EOF-----------------



HERE'S THE GMER LOG:
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-06 17:50:50
Windows 6.0.6002 Service Pack 2
Running: Gmer.exe; Driver: C:\Users\Kris_2\AppData\Local\Temp\uwlcipoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x958B7D36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x958B8442]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x958B858E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x958BBCC6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x958BBCF8]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x958B84F2]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x958B7E7A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x958B806C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x958B819E]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x958BBDCC]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x958BBD36]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x958BBD68]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x958BBD9A]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x958B7CE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x958B85EE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetValueKey [0x958BBC66]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x958B7C88]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x958B7BE4]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x958B7C2C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 191 826E28D4 4 Bytes [36, 7D, 8B, 95]
.text ntkrnlpa.exe!KeSetEvent + 1D9 826E291C 4 Bytes [42, 84, 8B, 95]
.text ntkrnlpa.exe!KeSetEvent + 2D1 826E2A14 8 Bytes [8E, 85, 8B, 95, C6, BC, 8B, ...]
.text ntkrnlpa.exe!KeSetEvent + 2E1 826E2A24 4 Bytes [F8, BC, 8B, 95]
.text ntkrnlpa.exe!KeSetEvent + 3D1 826E2B14 4 Bytes [F2, 84, 8B, 95]
.text ...
.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x807A2024]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[532] ntdll.dll!KiUserApcDispatcher 773F5D18 5 Bytes JMP 02E06B00 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] kernel32.dll!SetUnhandledExceptionFilter 75F8A84F 6 Bytes PUSH 715B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!CreateDialogParamW 766C72A2 5 Bytes JMP 6E3EDA10 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DdeInitializeW 766C7921 6 Bytes PUSH 71550022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!GetAsyncKeyState 766C863C 5 Bytes JMP 6E3090DB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!SetWindowsHookExW 766C87AD 5 Bytes JMP 6E3E97FD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!CallNextHookEx 766C8E3B 5 Bytes JMP 6E3DCE81 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!UnhookWindowsHookEx 766C98DB 5 Bytes JMP 6E354620 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!EnableWindow 766CCD8B 5 Bytes JMP 6E3ED89D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!RegisterClassExW 766CDA30 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!RegisterClassA 766CDF42 6 Bytes PUSH 71640022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!RegisterClassW 766CE1AB 6 Bytes PUSH 71610022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!CreateWindowExW 766D1305 5 Bytes JMP 6E3ED684 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!GetKeyState 766D8CB1 5 Bytes JMP 6E3ECE4B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!TranslateMessage 766E01AD 6 Bytes PUSH 714F0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!IsDialogMessageW 766E0745 5 Bytes JMP 6E31592F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!CreateDialogParamA 766E17AA 5 Bytes JMP 6E4E5084 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!IsDialogMessage 766E1847 5 Bytes JMP 6E4E4920 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!CreateDialogIndirectParamA 766E26F1 5 Bytes JMP 6E4E50BB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!CreateDialogIndirectParamW 766E9A62 5 Bytes JMP 6E4E50F2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!SetKeyboardState 766F0987 5 Bytes JMP 6E4E4C8F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DialogBoxParamW 766F10B0 5 Bytes JMP 6E31541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DialogBoxIndirectParamW 766F2EF5 5 Bytes JMP 6E4E43FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!SendInput 766F2F75 5 Bytes JMP 6E4E584B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!EndDialog 766F326E 5 Bytes JMP 6E317DD6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!SetCursorPos 76706FB2 5 Bytes JMP 6E4E589F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!GetClipboardData 7670715A 6 Bytes PUSH 71520022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DialogBoxParamA 76708152 5 Bytes JMP 6E4E439C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!DialogBoxIndirectParamA 7670847D 5 Bytes JMP 6E4E4462 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!MessageBoxIndirectA 7671D4D9 5 Bytes JMP 6E4E4331 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!MessageBoxIndirectW 7671D5D3 5 Bytes JMP 6E4E42C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!MessageBoxExA 7671D639 5 Bytes JMP 6E4E4264 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!MessageBoxExW 7671D65D 5 Bytes JMP 6E4E4202 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] USER32.dll!keybd_event 7671D972 5 Bytes JMP 6E4E5BCF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] GDI32.dll!BitBlt 763770A6 6 Bytes PUSH 715E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] SHELL32.dll!SHRestricted + D95 76908988 4 Bytes [4D, 30, 08, 6B]
.text C:\Program Files\Internet Explorer\iexplore.exe[532] SHELL32.dll!SHRestricted + D9D 76908990 8 Bytes [57, 2F, 08, 6B, 9C, 5B, 07, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[532] ole32.dll!OleLoadFromStream 75B91E12 5 Bytes JMP 6E4E4780 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] ole32.dll!CoCreateInstance 75BC9EA6 5 Bytes JMP 6E3ED6E0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[532] ole32.dll!CoCreateInstanceEx 75BC9EE9 5 Bytes JMP 71580022
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetCloseHandle 767A9088 6 Bytes PUSH 713A0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetQueryDataAvailable 767ABF7F 6 Bytes PUSH 71280022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!HttpAddRequestHeadersA 767ACF46 6 Bytes PUSH 714C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!HttpOpenRequestA 767AD508 6 Bytes PUSH 71490022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetConnectA 767ADEAE 5 Bytes JMP 71370022
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetConnectW 767AF862 6 Bytes PUSH 71340022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!HttpSendRequestW 767AFABE 6 Bytes PUSH 713D0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetOpenA 767BD690 6 Bytes PUSH 712B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetSetStatusCallback 767BDCC8 6 Bytes PUSH 71220022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!HttpSendRequestA 767BEE89 6 Bytes PUSH 71460022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetReadFileExA 767C3381 6 Bytes PUSH 71250022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetGetCookieExA 767C4BD0 6 Bytes PUSH 712E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetWriteFile 768060F6 6 Bytes PUSH 711F0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!HttpSendRequestExA 7681A75A 6 Bytes PUSH 71430022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!HttpSendRequestExW 7681A7B3 6 Bytes PUSH 71400022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WININET.dll!InternetGetCookieA 7681BE38 6 Bytes PUSH 71310022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WS2_32.dll!connect 767640D9 5 Bytes JMP 71180022
.text C:\Program Files\Internet Explorer\iexplore.exe[532] WS2_32.dll!getaddrinfo 7676418A 5 Bytes JMP 71140022
.text C:\Windows\system32\svchost.exe[752] ole32.dll!CoCreateInstance 75BC9EA6 5 Bytes JMP 008F000A
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[976] ntdll.dll!KiUserApcDispatcher 773F5D18 5 Bytes JMP 004112A0 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[976] USER32.dll!InSendMessageEx + 3B1 766CE6B0 6 Bytes JMP 716E001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[976] WS2_32.dll!getaddrinfo 7676418A 5 Bytes JMP 71640022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[976] WS2_32.dll!gethostbyname 767762D4 5 Bytes JMP 71670022
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] ntdll.dll!KiUserApcDispatcher 773F5D18 5 Bytes JMP 02FA6B00 c:\program files\trusteer\rapport\bin\rooksdol.dll (Rooks/Dolomite/Trusteer Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] kernel32.dll!SetUnhandledExceptionFilter 75F8A84F 6 Bytes PUSH 715B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!DdeInitializeW 766C7921 6 Bytes PUSH 71550022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!RegisterClassExW 766CDA30 6 Bytes PUSH 716E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!RegisterClassA 766CDF42 6 Bytes PUSH 71640022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!RegisterClassW 766CE1AB 6 Bytes PUSH 71610022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!CreateWindowExW 766D1305 5 Bytes JMP 6E3ED684 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!TranslateMessage 766E01AD 6 Bytes PUSH 714F0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!DialogBoxParamW 766F10B0 5 Bytes JMP 6E31541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!DialogBoxIndirectParamW 766F2EF5 5 Bytes JMP 6E4E43FF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!GetClipboardData 7670715A 6 Bytes PUSH 71520022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!DialogBoxParamA 76708152 5 Bytes JMP 6E4E439C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!DialogBoxIndirectParamA 7670847D 5 Bytes JMP 6E4E4462 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!MessageBoxIndirectA 7671D4D9 5 Bytes JMP 6E4E4331 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!MessageBoxIndirectW 7671D5D3 5 Bytes JMP 6E4E42C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!MessageBoxExA 7671D639 5 Bytes JMP 6E4E4264 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] USER32.dll!MessageBoxExW 7671D65D 5 Bytes JMP 6E4E4202 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] GDI32.dll!BitBlt 763770A6 6 Bytes PUSH 715E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] ole32.dll!CoCreateInstance 75BC9EA6 5 Bytes JMP 71670022
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] ole32.dll!CoCreateInstanceEx 75BC9EE9 5 Bytes JMP 71580022
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetCloseHandle 767A9088 6 Bytes PUSH 713A0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetQueryDataAvailable 767ABF7F 6 Bytes PUSH 71280022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!HttpAddRequestHeadersA 767ACF46 6 Bytes PUSH 714C0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!HttpOpenRequestA 767AD508 6 Bytes PUSH 71490022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetConnectA 767ADEAE 5 Bytes JMP 71370022
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetConnectW 767AF862 6 Bytes PUSH 71340022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!HttpSendRequestW 767AFABE 6 Bytes PUSH 713D0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetOpenA 767BD690 6 Bytes PUSH 712B0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetSetStatusCallback 767BDCC8 6 Bytes PUSH 71220022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!HttpSendRequestA 767BEE89 6 Bytes PUSH 71460022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetReadFileExA 767C3381 6 Bytes PUSH 71250022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetGetCookieExA 767C4BD0 6 Bytes PUSH 712E0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetWriteFile 768060F6 6 Bytes PUSH 711F0022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!HttpSendRequestExA 7681A75A 6 Bytes PUSH 71430022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!HttpSendRequestExW 7681A7B3 6 Bytes PUSH 71400022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] WININET.dll!InternetGetCookieA 7681BE38 6 Bytes PUSH 71310022; RET
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] ws2_32.dll!connect 767640D9 5 Bytes JMP 71180022
.text C:\Program Files\Internet Explorer\iexplore.exe[2744] ws2_32.dll!getaddrinfo 7676418A 5 Bytes JMP 71140022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3216] ntdll.dll!KiUserApcDispatcher 773F5D18 5 Bytes JMP 004348F0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3216] WS2_32.dll!getaddrinfo 7676418A 5 Bytes JMP 71670022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[3216] WS2_32.dll!gethostbyname 767762D4 5 Bytes JMP 716E0022

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SearchPathW] [6B071AEC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6B07007C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CopyFileW] [6B06E1E9] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!MoveFileW] [6B070994] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!DeleteFileW] [6B06EE46] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [6B06A3FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetCurrentDirectoryW] [6B071D56] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindClose] [6B073ADC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindNextFileW] [6B072999] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!FindFirstFileW] [6B073035] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6B06FBE1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!CreateFileW] [6B06E860] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!WritePrivateProfileStringW] [6B06DC5C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6B06FD66] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetPrivateProfileStringW] [6B06D4B8] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegQueryInfoKeyW] [6B07FBB3] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegEnumValueW] [6B08051D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegOpenKeyExW] [6B07EB3D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegQueryValueExW] [6B07F817] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegDeleteKeyW] [6B07EF31] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCreateKeyExW] [6B07E5C5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USER32.dll [ADVAPI32.dll!RegCloseKey] [6B07ED95] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6B07007C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6B06FBE1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CopyFileW] [6B06E1E9] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6B06FD66] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!CreateFileW] [6B06E860] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SearchPathW] [6B071AEC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!DeleteFileW] [6B06EE46] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindClose] [6B073ADC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindFirstFileA] [6B072CD2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindNextFileA] [6B072926] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindFirstFileW] [6B073035] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!FindNextFileW] [6B072999] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetFileAttributesA] [6B06BD77] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetCurrentDirectoryA] [6B07173F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetFileAttributesA] [6B06BFCD] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateDirectoryA] [6B070F0F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!RemoveDirectoryA] [6B0714E9] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!DeleteFileA] [6B06ED1B] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetFileAttributesW] [6B06BEA2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetCurrentDirectoryW] [6B071D56] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetFileAttributesW] [6B06C0FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateDirectoryW] [6B07103D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!DeleteFileW] [6B06EE46] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!MoveFileW] [6B070994] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!RemoveDirectoryW] [6B071614] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!MoveFileA] [6B070921] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [6B06FBE1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [6B06A073] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [6B06A3FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateFileA] [6B06E717] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!CreateFileW] [6B06E860] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryW] [6B06FD66] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6B06FD66] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!ReplaceFileW] [6B070C95] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!WritePrivateProfileStringW] [6B06DC5C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringW] [6B06D4B8] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetPrivateProfileStringA] [6B06D361] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!DeleteFileW] [6B06EE46] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6B07007C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetFileAttributesW] [6B06C0FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileW] [6B06E860] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindFirstFileW] [6B073035] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindNextFileW] [6B072999] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SearchPathW] [6B071AEC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetFileAttributesW] [6B06BEA2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetFileAttributesA] [6B06BFCD] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileA] [6B06E717] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindFirstFileA] [6B072CD2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindNextFileA] [6B072926] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FindClose] [6B073ADC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SearchPathA] [6B0723A5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetFileAttributesA] [6B06BD77] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6B06FBE1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!WinHelpW] [6B06FAAA] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!WinHelpA] [6B06F973] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCloseKey] [6B07ED95] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExA] [6B07E43D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegDeleteKeyA] [6B07EDE8] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryInfoKeyA] [6B07F9B7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExA] [6B07E9C5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegCreateKeyExW] [6B07E5C5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegOpenKeyExW] [6B07EB3D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyExW] [6B08020D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryValueW] [6B07F4DB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegDeleteKeyW] [6B07EF31] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryInfoKeyW] [6B07FBB3] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryValueExW] [6B07F817] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumValueW] [6B08051D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyW] [6B07FF19] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyExA] [6B080085] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumValueA] [6B080395] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegEnumKeyA] [6B07FDAF] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHLWAPI.dll [ADVAPI32.dll!RegQueryValueExA] [6B07F677] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileSectionW] [6B06CFA8] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FindNextFileW] [6B072999] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!ReplaceFileW] [6B070C95] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileSectionNamesW] [6B06D22A] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!WritePrivateProfileSectionW] [6B06D9DA] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!WritePrivateProfileStringW] [6B06DC5C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateHardLinkW] [6B06EB68] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetCurrentDirectoryW] [6B071D56] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CopyFileW] [6B06E1E9] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetBinaryTypeW] [6B06CAA7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6B07007C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [6B06A3FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileW] [6B070994] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FindFirstFileW] [6B073035] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!FindClose] [6B073ADC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetShortPathNameA] [6B06C709] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetFileAttributesA] [6B06BD77] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SearchPathW] [6B071AEC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileIntW] [6B06CD20] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetPrivateProfileStringW] [6B06D4B8] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!RemoveDirectoryW] [6B071614] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateDirectoryW] [6B07103D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!DeleteFileW] [6B06EE46] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetFileAttributesW] [6B06C0FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetFileAttributesW] [6B06BEA2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!MoveFileExW] [6B0709B9] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetShortPathNameW] [6B06C848] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6B06FD66] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!CreateFileW] [6B06E860] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetFileAttributesExW] [6B06C368] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6B06FBE1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetLongPathNameW] [6B06C5D8] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [USER32.dll!LoadImageW] [6B06F0D0] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [USER32.dll!WinHelpW] [6B06FAAA] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [USER32.dll!PrivateExtractIconsW] [6B06F5C5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathCreateFromUrlW] [6B0765DA] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!AssocQueryStringByKeyW] [6B07620B] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHCreateStreamOnFileW] [6B077595] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!AssocQueryKeyW] [6B0760AE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!AssocQueryStringW] [6B07615B] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHDeleteKeyA] [6B0775E7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathCombineW] [6B076533] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHOpenRegStream2W] [6B07799A] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsDirectoryW] [6B07684F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsURLW] [6B076E45] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsRootA] [6B076AFB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsRootW] [6B076B47] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathStripToRootW] [6B077281] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathFindOnPathW] [6B076716] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathStripPathW] [6B0771ED] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathRemoveArgsW] [6B077021] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetBoolUSValueW] [6B077FBE] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathSkipRootW] [6B077159] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsDirectoryEmptyW] [6B0768E7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsSystemFolderW] [6B076BE2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsDirectoryA] [6B076803] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathRelativePathToW] [6B076F81] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathBuildRootA] [6B0763A5] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetPathW] [6B0780BD] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegSetPathW] [6B078513] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetUSValueW] [6B078176] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHQueryValueExW] [6B077BA4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHRegGetValueW] [6B078235] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsNetworkPathW] [6B07697F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsUNCServerShareW] [6B076DAD] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsUNCServerW] [6B076D15] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathUnExpandEnvStringsW] [6B07731F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathMakeSystemFolderW] [6B076EDD] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsUNCW] [6B076C7D] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathIsRelativeW] [6B076AAF] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHGetValueW] [6B0778EA] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathBuildRootW] [6B0763F4] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHDeleteValueW] [6B0776D7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHSetValueW] [6B078732] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHEnumKeyExW] [6B07777E] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHEnumValueW] [6B077831] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!PathFileExistsW] [6B07667B] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [SHLWAPI.dll!SHDeleteKeyW] [6B077636] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SHELL32.dll [ntdll.dll!NtQueryDirectoryFile] [6B06BB38] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FindClose] [6B073ADC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] [6B073035] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [6B07007C] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SearchPathW] [6B071AEC] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateProcessW] [6B06A3FB] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!DeleteFileW] [6B06EE46] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetShortPathNameW] [6B06C848] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetFileAttributesExW] [6B06C368] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!CreateFileW] [6B06E860] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6B06FD66] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!GetFileAttributesW] [6B06BEA2] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6B06FBE1] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHRegGetValueW] [6B078235] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHRegGetValueA] [6B0781D7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathUnExpandEnvStringsA] [6B0772CD] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHDeleteKeyA] [6B0775E7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHDeleteValueW] [6B0776D7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathCreateFromUrlW] [6B0765DA] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHGetValueA] [6B07788F] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHSetValueA] [6B0786D7] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHGetValueW] [6B0778EA] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!SHSetValueW] [6B078732] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [SHLWAPI.dll!PathCombineW] [6B076533] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[532] @ C:\Windows\system32\IPHLPAPI.DLL [KERNEL32.dll!GetProcAddress] [6B0682F6] C:\Program Files\Internet Explorer\IEShims.dll (Internet Explorer Compatibility Shims/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\ws2_32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Program Files\Internet Explorer\iexplore.exe[2744] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 716B0000
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7474A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [746FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74728395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [746FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7477CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7471C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3000] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys

Device \Driver\usbhub \Device\00000063 RapportKELL.sys
Device \Driver\usbhub \Device\00000064 RapportKELL.sys
Device \Driver\usbhub \Device\00000065 RapportKELL.sys
Device \Driver\usbhub \Device\USBPDO-9 RapportKELL.sys
Device \Driver\usbhub \Device\00000066 RapportKELL.sys
Device \Driver\usbhub \Device\00000067 RapportKELL.sys
Device \Driver\usbhub \Device\00000068 RapportKELL.sys
Device \Driver\usbhub \Device\USBPDO-11 RapportKELL.sys
Device \Driver\usbhub \Device\00000069 RapportKELL.sys
Device \Driver\nsiproxy \Device\Nsi afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\usbhub \Device\0000006a RapportKELL.sys
Device \FileSystem\fastfat \Fat B1273A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat BdFileSpy.sys

Device -> \Driver\atapi \Device\Harddisk0\DR0 85D26618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BsFileScan\Statistics@UiTotalScans 44788
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0xC6 0x71 0x16 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0D 0xC6 0x71 0x16 ...

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.dir 0 bytes
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


I hope I've posted these properly...
Thanks again.
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/7/2010 3:23 AM (GMT +3)
This is the stolen data folder:

C:\Users\Kris_2\AppData\Roaming\lowsec

The GMER log suggests a malware that alters an important boot level driver file, but you have Daemon Tools' hidden rootkit-like functions there, which interferes with the scan results. Let's remove that, then run a repair scan for now. The log also shows an autorun variant malware we will need to address.


The malware has included an autorun type component, so if any external drives have been used on this computer recently be sure to install them now, and leave them installed until ALL repairs on it are completed. If not, they will remain infected and can re-infect the computer (or others).


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42f74644-9537-11dd-adcf-001b2fb0fa50}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{52d52efc-7050-11dd-9143-001b2fb0fa50}]

Open Notepad (Start - Run, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.


Click here and download Flash_Disinfector.exe and save it to your desktop.

Doubleclick on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

The utility may ask you to insert your flash drive and/or other external/removable drives. Please do so and allow the utility to clean up those drives as well.

Then leave any drives installed until all repairs here have been completed.

This will also create autorun.inf folders on all drives there, which serve to block autoloading infections from creating some of the bad files they need to infect other drives and systems.

-------------------

Go here and download the most current copy of the SPTD installer (right now that is SPTDinst-v162-x86.exe). Then click the downloaded file to start the installer. When the option appears select Uninstall, and allow the tool to uninstall SPTD from your system. Be sure to reboot after to complete the removal of the SPTD settings.

--------------------

Once you have done that, make sure your security software is temporarily disabled, then download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it; use right click "Save Target/Link As"). For this, rename the downloading file to 456out.com, then click the renamed 456out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

Post Edited (Jintan) : 07-01-2010 00:30:54 GMT
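The reading Jintan does of these logs (a system+hidden folder under a user profile such as lowsec, a driver GMER reports as modified, services whose image file has no recorded date/size or runs from a Temp directory) can be scripted so the same indicators jump out of a long log. The Python below is an added example for this thread; it is not a tool from the thread or from GMER, ComboFix, BullGuard or any other product named here. The sample lines are constructed in the formats of the GMER log above and the ComboFix service entries Tofer posts later in the thread, and the indicator rules are this example's own heuristics, not anything the tools themselves flag.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a few lines in the formats GMER ("File ...") and
# ComboFix (file-creation entries and "R?/S?" service entries) print, modeled
# on the logs posted in this thread. Not a complete log.
SAMPLE_LOG_LINES = [
    r"File C:\Windows\system32\drivers\atapi.sys suspicious modification",
    r"2009-12-25 00:21 . 2009-12-25 00:53 -------- d-sh--w- c:\users\Kris_2\AppData\Roaming\lowsec",
    r"2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\program files\Trusteer",
    r"R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/12/2009 01:18 236368]",
    r"S2 .1185569378;1185569378;c:\program files\1185569378\Kris1185569378L.exe --> c:\program files\1185569378\Kris1185569378L.exe [?]",
    r"S4 ACKFBIA;ACKFBIA;c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe --> c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [?]",
]

# GMER "Files" section: "File <path> suspicious modification"
GMER_FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")

# ComboFix "Files Created" / "Find3M" entries:
# "<created> . <modified> <size> <attrs> <path>", attrs like d-sh--w- or ----a-w-
COMBOFIX_ENTRY_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# ComboFix service entries: "<start> <name>;<display>;<image> [<date> <size>]"
# or "... <image> --> <image> [?]" when no file date/size was recorded.
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str     # "driver", "hidden-dir" or "service"
    subject: str  # file path or service name
    reason: str


def _service_image(rest: str) -> tuple[str, str]:
    """Split 'image [date size]' / 'image --> image [?]' into (image path, bracket text)."""
    image, sep, tail = rest.rpartition(" [")
    if not sep:
        return rest, ""
    if " --> " in image:
        image = image.split(" --> ")[-1]
    return image, tail.rstrip("]")


def triage_line(line: str) -> list[Finding]:
    """Apply this example's heuristics (assumptions, not tool output) to one log line."""
    findings: list[Finding] = []

    m = GMER_FILE_RE.match(line)
    if m:
        findings.append(Finding("driver", m["path"], "GMER reports the file as modified"))
        return findings

    m = COMBOFIX_ENTRY_RE.match(line)
    if m:
        attrs, path = m["attrs"], m["path"]
        # System+hidden directories inside a user profile are unusual for
        # legitimate software; the lowsec folder called out above is one.
        if "s" in attrs and "h" in attrs and "\\appdata\\" in path.lower():
            findings.append(Finding("hidden-dir", path, f"system+hidden attributes ({attrs}) under a user profile"))
        return findings

    m = SERVICE_RE.match(line)
    if m:
        name = m["name"]
        image, tail = _service_image(m["rest"])
        if tail == "?":
            findings.append(Finding("service", name, f"no file date/size recorded for {image} ([?])"))
        if "\\temp\\" in image.lower():
            findings.append(Finding("service", name, f"image runs from a Temp directory: {image}"))
        if name.lstrip(".").isdigit():
            findings.append(Finding("service", name, "service name is a bare number"))
    return findings


def triage_lines(lines) -> list[Finding]:
    """Run triage_line over an iterable of log lines and collect every finding."""
    return [f for line in lines for f in triage_line(line.rstrip("\r\n"))]


if __name__ == "__main__":
    for f in triage_lines(SAMPLE_LOG_LINES):
        print(f"[{f.kind}] {f.subject}: {f.reason}")
```

Run against a saved ComboFix or GMER log with `triage_lines(open("log.txt"))`; legitimate entries such as the MBAMService line and the Trusteer folder produce no finding, while the Temp-directory services and the hidden AppData folder each do. The rules are starting points for a human review, not a verdict: a service with no recorded file date can also be a leftover from a cleanly uninstalled product.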

 

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/8/2010 3:21 AM (GMT +3)
I double clicked Flash_Disinfector and nothing happened :s. It's defo the correct one.  I downloaded the rest of the things you told me and did the fixer.  But Flash Disinfector is next on the list to run.  I'm guessing it's not right to run SPTD or ComboFix if the disinfector hasn't run yet?
 
Anyway around this?
 
Thanks for the help.
 
 
...Thee Infamous El Guapo
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/8/2010 4:28 AM (GMT +3)
Suggests malware is loading into processes there, and monitoring and interfering with the known tools we use. Good to check in on things like this. But go ahead with the other steps please.
 

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/8/2010 7:27 PM (GMT +3)
Hello again

Here's the ComboFix log:
(It says I have ZoneAlarm installed and enabled, but I removed that months ago.)
(It never asked me to install the Recovery Console.)

ComboFix log:

ComboFix 10-01-04.01 - Kris_2 08/01/2010 15:09:36.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3316.2165 [GMT 0:00]
Running from: c:\users\Kris_2\Desktop\456out.com
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: ZoneAlarm Pro Anti-Spyware *enabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2279729505-3709079803-170581798-1001
c:\$recycle.bin\S-1-5-21-2279729505-3709079803-170581798-500
c:\$recycle.bin\S-1-5-21-2279729505-3709079803-170581798-501
c:\windows\system32\ActNAV_cltDynam.dat

.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 16:02 . 2010-01-08 16:03 -------- d-----w- c:\users\Kris_2\AppData\Local\temp
2010-01-08 16:02 . 2010-01-08 16:02 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-01-08 16:02 . 2010-01-08 16:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-07 13:06 . 2010-01-08 15:00 -------- d-----w- c:\programdata\BullGuard
2010-01-07 13:06 . 2010-01-08 12:31 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BullGuard
2010-01-07 13:05 . 2009-01-23 13:48 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2010-01-07 13:05 . 2010-01-07 13:05 -------- d-----w- c:\program files\BullGuard Ltd
2010-01-07 12:59 . 2010-01-07 13:00 -------- d-----w- c:\users\Kris_2\AppData\Local\Tific
2010-01-07 12:59 . 2010-01-07 12:59 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Tific
2010-01-07 12:17 . 2010-01-07 12:17 -------- d-----w- c:\windows\system32\drivers\NAV
2010-01-07 02:04 . 2010-01-08 14:49 -------- d-----w- c:\users\Kris_2\AppData\Local\CrashDumps
2010-01-07 00:48 . 2010-01-07 13:11 -------- d-----w- c:\programdata\Norton
2010-01-07 00:48 . 2010-01-07 13:12 -------- d-----w- c:\programdata\NortonInstaller
2010-01-06 14:20 . 2010-01-06 14:20 -------- d-----w- c:\users\Kris_2\AppData\Local\ABBYY
2010-01-06 12:31 . 2010-01-06 12:31 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-01-06 10:48 . 2010-01-06 10:48 -------- d-----w- c:\windows\Internet Logs
2010-01-05 20:21 . 2010-01-05 20:21 -------- d-----w- c:\programdata\CheckPoint
2010-01-05 20:14 . 2010-01-05 20:14 68072 ----a-w- c:\users\Kris_2\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-26 11:06 . 2010-01-05 15:22 8192 ----a-w- C:\ntuser.dat
2009-12-26 11:05 . 2009-12-26 11:05 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Trusteer
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\program files\Trusteer
2009-12-25 00:21 . 2009-12-25 00:53 -------- d-sh--w- c:\users\Kris_2\AppData\Roaming\lowsec
2009-12-22 16:14 . 2009-12-22 16:14 -------- d-----w- c:\program files\Microsoft
2009-12-22 16:13 . 2009-12-22 16:13 -------- d-----w- c:\program files\Windows Live
2009-12-12 15:19 . 2009-12-12 15:19 -------- d-----w- c:\program files\CCleaner
2009-12-11 01:18 . 2009-12-11 01:18 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Malwarebytes
2009-12-11 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-11 01:18 . 2010-01-07 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 01:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 00:53 . 2010-01-08 12:37 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BitTorrent
2009-12-11 00:51 . 2009-12-11 00:51 -------- d-----w- c:\program files\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 12:54 . 2008-08-22 13:19 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-09 12:24 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-08 18:26 . 2009-12-08 18:26 -------- d-----w- c:\users\Kris_2\AppData\Roaming\DivX
2009-12-08 18:17 . 2009-12-07 04:00 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\programdata\Nero
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\program files\Nero
2009-12-07 23:34 . 2009-12-07 22:22 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Ahead
2009-12-05 16:31 . 2008-06-05 11:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-05 16:09 . 2009-12-05 16:09 -------- d-----w- c:\program files\Trend Micro
2009-12-02 12:20 . 2009-12-02 12:20 -------- d-----w- c:\program files\AVG
2009-11-30 23:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-30 23:08 . 2007-08-01 12:54 -------- d-----w- c:\program files\DivX
2009-11-30 23:08 . 2009-05-29 02:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-30 19:47 . 2009-11-30 19:47 -------- d-----w- c:\programdata\Malwarebytes
2009-11-21 06:40 . 2009-12-09 11:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 11:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 11:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 11:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 18:56 . 2009-11-19 18:56 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-09 20:39 . 2007-07-27 20:57 -------- d-----w- c:\program files\Java
2009-11-09 12:31 . 2009-12-09 11:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 11:43 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 11:43 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 20:42 . 2009-10-03 08:47 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:39 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-11 04:17 . 2009-08-24 19:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2007-07-28 04:38 . 2007-07-28 04:37 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-01-07 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-04 304008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-01-07 304464]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-27 50688]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2008-4-13 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):5f,33,8f,a8,0d,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2279729505-3709079803-170581798-1004]
"EnableNotificationsRef"=dword:00000001

R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\afw.sys [23/03/2009 12:07 29208]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 05:17 77824]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\System32\drivers\BdFileSpy.sys [07/01/2010 13:05 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/12/2009 01:18 236368]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
R3 afwcore;afwcore;c:\windows\System32\drivers\afwcore.sys [23/03/2009 12:07 305688]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [11/12/2009 01:18 19160]
S2 .1185569378;1185569378;c:\program files\1185569378\Kris1185569378L.exe --> c:\program files\1185569378\Kris1185569378L.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [15/04/2008 22:01 21504]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [27/07/2007 21:09 5504]
S3 ST330;ST330;c:\windows\System32\drivers\st330.sys [16/08/2007 22:10 30464]
S3 STBUS;STBUS;c:\windows\System32\drivers\stbus.sys [16/08/2007 22:10 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\System32\drivers\stppp.sys [16/08/2007 22:10 35328]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\System32\drivers\WPN111v.sys [04/08/2008 16:20 904192]
S4 ACKFBIA;ACKFBIA;c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe --> c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [?]
S4 KRGSL;KRGSL;c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe --> c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe [?]
S4 MTXVRT;MTXVRT;c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe --> c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe [?]
S4 OVLLJRWYF;OVLLJRWYF;c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe --> c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe [?]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [22/08/2008 13:19 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\BGLsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 16:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85D26618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8b3a6d24
\Driver\ACPI -> acpi.sys @ 0x80693d68
\Driver\atapi -> ataport.SYS @ 0x807a9a2c
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-08 16:17:49
ComboFix-quarantined-files.txt 2010-01-08 16:17

Pre-Run: 167,101,485,056 bytes free
Post-Run: 167,027,085,312 bytes free

- - End Of File - - 3E9B97A56BD596DF9EA954907EDFF87E

Cheers.

Jintan
Senior Member
Posted 1/8/2010 8:43 PM (GMT +3)
Those older security software entries are stored in the WMI info.

The log still suggests a malware altered boot level driver file. Hopefully you did do the Daemon Tools uninstall, so this information can be considered accurate. We will need to locate a clean file copy to use.

Click here and download jpshortstuff's SystemLook to your desktop, then click that file to open the scan display. In the open textbox, copy and paste the following (inside the Code box below):

:filefind
atapi.sys


Then click Look. Once the scan completes Notepad will open - copy/paste those contents back here please. That will also be saved as a log where you have the scan file, named SystemLook.txt.

Tofer
New Member
Posted 1/9/2010 12:55 AM (GMT +3)
We meet again, wise one...

Daemon Tools uninstall?

SystemLook log:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:46 on 08/01/2010 by Kris_2 (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [16:14 08/01/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys --a--- 21688 bytes [04:38 28/07/2007] [04:38 28/07/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [04:38 28/07/2007] [04:38 28/07/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [22:01 15/04/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [04:38 28/07/2007] [04:38 28/07/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [04:38 28/07/2007] [04:38 28/07/2007] 5653737BAD8C6C10136451C195C19881
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys --a--- 21688 bytes [04:38 28/07/2007] [04:38 28/07/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [22:01 15/04/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

-=End Of File=-


a many thank yous for your time

Thee Infamous El Guapo
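
The step Jintan asked for above, locating every copy of atapi.sys and comparing hashes, as an added Python example that is not from the thread or from the SystemLook tool: it parses filefind output in the format Tofer posted, groups the copies by MD5, and reports whether the driver loaded from System32\drivers matches a copy held in the component store (WinSxS or DriverStore). The paths and hashes in the sample log are constructed placeholders, not values from this system.

```python
"""
Added example (not part of the forum thread or of SystemLook): parse a
SystemLook ":filefind" log and check the live copy of a driver against the
reference copies Windows keeps in WinSxS / DriverStore.
"""
import re
from collections import defaultdict

# SystemLook ":filefind" line layout as posted in this thread:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

CLEAN_MD5 = "0123456789ABCDEF0123456789ABCDEF"  # constructed placeholder hash
OTHER_MD5 = "FEDCBA9876543210FEDCBA9876543210"  # constructed placeholder hash

# Constructed sample log modelled on the filefind output posted above.
SAMPLE_LOG = rf"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:46 on 08/01/2010 by user (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_placeholder1\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] {CLEAN_MD5}
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_placeholder2\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] {OTHER_MD5}
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] {CLEAN_MD5}
C:\Windows\winsxs\x86_mshdc.inf_placeholder_6.0.6002.18005\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] {CLEAN_MD5}

-=End Of File=-
"""


def parse_filefind(text):
    """Return one dict (path, attrs, size, created, modified, md5) per file line."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_reference_copy(path):
    """True for copies held in the component store (WinSxS) or the driver store."""
    p = path.lower()
    return "\\winsxs\\" in p or "\\driverstore\\filerepository\\" in p


def is_live_driver(path):
    """True for the copy Windows actually loads, i.e. the one under System32\\drivers."""
    return re.search(r"\\system32\\drivers\\[^\\]+$", path, re.IGNORECASE) is not None


def assess_driver(entries):
    """Group copies by MD5 and check the live driver against the store copies.

    Returns a dict with:
      status             'matches-store', 'no-store-match' or 'no-live-copy'
      live_md5           hash of the loaded driver (when one was listed)
      reference_matches  store paths whose hash equals the live driver's
      by_hash            {md5: [paths]} for every copy seen
    """
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["md5"]].append(e["path"])
    result = {"by_hash": dict(by_hash)}
    live = [e for e in entries if is_live_driver(e["path"])]
    if not live:
        result["status"] = "no-live-copy"
        return result
    live_md5 = live[0]["md5"]
    matches = [p for p in by_hash[live_md5] if is_reference_copy(p)]
    result.update(
        status="matches-store" if matches else "no-store-match",
        live_md5=live_md5,
        reference_matches=matches,
    )
    return result


# Caveat: a hash match only proves what the running system *reports*. A kernel
# rootkit that hooks the disk stack (the ">>UNKNOWN<<" module in the MBR
# detector output earlier in this thread) can hand the original image to any
# reader, so the decisive check is a hash taken from offline boot media.
if __name__ == "__main__":
    verdict = assess_driver(parse_filefind(SAMPLE_LOG))
    print("live driver MD5:", verdict.get("live_md5"))
    print("status:", verdict["status"])
    for path in verdict.get("reference_matches", []):
        print("  store copy with the same hash:", path)
```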

Jintan
Senior Member
Posted 1/9/2010 3:16 AM (GMT +3)
Before we take action on a file move, did you do these steps posted earlier in our work here:

Go here and download the most current copy of the SPTD installer (right now that is SPTDinst-v162-x86.exe). Then click the downloaded file to start the installer. When the option appears select Uninstall, and allow the tool to uninstall SPTD from your system. Be sure to reboot after to complete the removal of the SPTD settings.

Tofer
New Member
Posted 1/9/2010 4:00 AM (GMT +3)
Sure did, but I didn't see it do anything apart from install and then uninstall like you said. Was it supposed to scan and then save a log or something?

Jintan
Senior Member
Posted 1/9/2010 4:51 AM (GMT +3)
The words you chose in the earlier post made it unclear if that step had been done there. Let's make the file exchange and check after.


Go to Start Search, type cmd.exe in the Start Search box. Cmd.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator". At the prompt copy/paste the following, pressing Enter after each:

cd C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8
attrib -s -h atapi.sys
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys c:\atapi.sys
exit


Make sure you get the indication that one file was copied successfully (if not, stop and post back here for additional instructions).

-----------------

Download The Avenger by Swandog from here and save it to your Desktop, and unzip the downloaded avenger.zip file. Then in the new avenger folder created locate and click on avenger.exe to run the tool.

Okay the warning. When the Avenger display opens place a check in the following box:

Automatically disable any rootkits found

Then copy/paste the following text inside the Code box into the Avenger box titled "Input script here:". Then click the Execute button to run the repair, click Yes, then allow Avenger to reboot your system.

Begin copying here:
Files to move:
c:\atapi.sys | c:\windows\system32\drivers\atapi.sys

Your system may reboot twice to complete the repairs. After the reboot a text will open - copy/paste those contents back here please. The log can also be found at C:\avenger.txt.

----------

After the reboot run a new ComboFix scan, and post that C:\ComboFix.txt log and the C:\avenger.txt log please.

Tofer
New Member
Posted 1/9/2010 6:17 AM (GMT +3)
Jin, I tried inputting what you said but nothing happened and I was left with this...

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002
.18005_none_df23a1261eab99e8

C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261ea
b99e8>attrib -s -h atapi.sys
Access denied - C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_
none_df23a1261eab99e8\atapi.sys

C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261ea
b99e8>C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a
1261eab99e8\atapi.sys c:\atapi.sysexit
The C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a12
61eab99e8\atapi.sys application cannot be run in Win32 mode.

C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261ea
b99e8>

Shall I move on to the avenger.zip, as I've downloaded it?

Jintan
Senior Member
Posted 1/9/2010 7:53 AM (GMT +3)
Use this for Avenger instead of the earlier one:

Begin copying here:
Files to move:
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_
none_df23a1261eab99e8\atapi.sys | c:\windows\system32\drivers\atapi.sys


We'll just have to remember to put the file back in that folder later.

Tofer
New Member
Posted 1/9/2010 6:44 PM (GMT +3)
Hello there

I thought you should know that Kaspersky found 2 rootkits last night. Here's 2 lines from the log:

Status: Disinfected (events: 2)
09/01/2010 02:15:44 Disinfected virus Rootkit.Win32.TDSS.y c:\Windows\System32\drivers\kav_atapi.sys High
09/01/2010 02:15:50 Disinfected virus Rootkit.Win32.TDSS.y c:\Windows\System32\drivers\atapi.sys High

With that being said, here's the Avenger log


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6002, Service Pack 2)
Sat Jan 09 14:43:57 2010

14:43:46: Error: Invalid syntax in command:
"C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_"
Skipping line. (File move mode)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file move operations must be within volumes.
File move operation "none_df23a1261eab99e8\atapi.sys|c:\windows\system32\drivers\atapi.sys" failed!
Status: 0xc000003e (STATUS_DATA_ERROR)


Completed script processing.

*******************

Finished! Terminate.


COMBOFIX LOG:

ComboFix 10-01-04.01 - Kris_2 09/01/2010 15:03:41.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3316.2263 [GMT 0:00]
Running from: c:\users\Kris_2\Desktop\456out.com
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: ZoneAlarm Pro Anti-Spyware *enabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
.

((((((((((((((((((((((((( Files Created from 2009-12-09 to 2010-01-09 )))))))))))))))))))))))))))))))
.

2010-01-09 15:16 . 2010-01-09 15:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-09 15:16 . 2010-01-09 15:16 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-01-09 15:16 . 2010-01-09 15:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-09 15:16 . 2010-01-09 15:16 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-09 02:15 . 2010-01-09 02:15 19944 ----a-w- c:\windows\system32\drivers\kav_atapi.sys
2010-01-09 02:08 . 2010-01-09 02:08 932368 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-01-09 02:08 . 2010-01-09 02:08 678416 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-01-09 02:08 . 2010-01-09 02:08 604688 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-01-09 02:08 . 2010-01-09 02:08 1096208 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-01-09 02:08 . 2010-01-09 02:08 522768 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-01-09 02:05 . 2010-01-09 02:05 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-09 02:05 . 2010-01-09 02:05 80400 ----a-w- c:\programdata\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-01-09 01:46 . 2010-01-09 01:46 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-09 01:46 . 2010-01-09 01:46 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-09 01:45 . 2010-01-09 14:46 -------- d-----w- c:\programdata\Kaspersky Lab
2010-01-09 01:45 . 2010-01-09 01:45 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-08 16:17 . 2010-01-09 15:16 -------- d-----w- c:\users\Kris_2\AppData\Local\temp
2010-01-07 13:06 . 2010-01-09 01:41 -------- d-----w- c:\programdata\BullGuard
2010-01-07 13:06 . 2010-01-09 01:09 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BullGuard
2010-01-07 12:59 . 2010-01-07 13:00 -------- d-----w- c:\users\Kris_2\AppData\Local\Tific
2010-01-07 12:59 . 2010-01-07 12:59 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Tific
2010-01-07 12:17 . 2010-01-07 12:17 -------- d-----w- c:\windows\system32\drivers\NAV
2010-01-07 02:04 . 2010-01-08 21:39 -------- d-----w- c:\users\Kris_2\AppData\Local\CrashDumps
2010-01-07 00:48 . 2010-01-07 13:11 -------- d-----w- c:\programdata\Norton
2010-01-07 00:48 . 2010-01-07 13:12 -------- d-----w- c:\programdata\NortonInstaller
2010-01-06 14:20 . 2010-01-06 14:20 -------- d-----w- c:\users\Kris_2\AppData\Local\ABBYY
2010-01-06 12:31 . 2010-01-06 12:31 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-01-06 10:48 . 2010-01-06 10:48 -------- d-----w- c:\windows\Internet Logs
2010-01-05 20:21 . 2010-01-05 20:21 -------- d-----w- c:\programdata\CheckPoint
2010-01-05 20:14 . 2010-01-05 20:14 68072 ----a-w- c:\users\Kris_2\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-26 11:06 . 2010-01-05 15:22 8192 ----a-w- C:\ntuser.dat
2009-12-26 11:05 . 2009-12-26 11:05 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Trusteer
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\program files\Trusteer
2009-12-25 00:21 . 2009-12-25 00:53 -------- d-sh--w- c:\users\Kris_2\AppData\Roaming\lowsec
2009-12-22 16:14 . 2009-12-22 16:14 -------- d-----w- c:\program files\Microsoft
2009-12-22 16:13 . 2009-12-22 16:13 -------- d-----w- c:\program files\Windows Live
2009-12-12 15:19 . 2009-12-12 15:19 -------- d-----w- c:\program files\CCleaner
2009-12-11 01:19 . 2010-01-07 23:54 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-11 01:18 . 2009-12-11 01:18 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Malwarebytes
2009-12-11 01:18 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-11 01:18 . 2010-01-07 23:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-11 01:18 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 00:53 . 2010-01-09 14:30 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BitTorrent
2009-12-11 00:51 . 2009-12-11 00:51 -------- d-----w- c:\program files\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-09 02:16 . 2009-05-29 01:55 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-09 12:24 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-08 18:26 . 2009-12-08 18:26 -------- d-----w- c:\users\Kris_2\AppData\Roaming\DivX
2009-12-08 18:17 . 2009-12-07 04:00 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\programdata\Nero
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\program files\Nero
2009-12-07 23:34 . 2009-12-07 22:22 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Ahead
2009-12-05 16:31 . 2008-06-05 11:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-05 16:09 . 2009-12-05 16:09 -------- d-----w- c:\program files\Trend Micro
2009-12-02 12:20 . 2009-12-02 12:20 -------- d-----w- c:\program files\AVG
2009-11-30 23:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-30 23:08 . 2007-08-01 12:54 -------- d-----w- c:\program files\DivX
2009-11-30 23:08 . 2009-05-29 02:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-30 19:47 . 2009-11-30 19:47 -------- d-----w- c:\programdata\Malwarebytes
2009-11-21 06:40 . 2009-12-09 11:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 11:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 11:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 11:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 18:56 . 2009-11-19 18:56 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-14 13:06 . 2009-11-14 13:06 59992 ----a-w- c:\programdata\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-11-09 12:31 . 2009-12-09 11:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 11:43 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 11:43 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-03 16:33 . 2009-11-03 16:33 21520 ----a-w- c:\windows\system32\drivers\klim6.sys
2009-11-02 20:42 . 2009-10-03 08:47 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:39 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 09:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-20 19:34 . 2009-10-20 19:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-14 20:18 . 2009-10-14 20:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2007-07-28 04:38 . 2007-07-28 04:37 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-04 304008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-27 50688]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2008-4-13 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):5f,33,8f,a8,0d,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2279729505-3709079803-170581798-1004]
"EnableNotificationsRef"=dword:00000001

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\System32\drivers\klbg.sys [14/10/2009 20:18 36880]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\System32\drivers\klim6.sys [03/11/2009 16:33 21520]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 05:17 77824]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/12/2009 01:18 236368]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\System32\drivers\klmouflt.sys [02/10/2009 18:39 19472]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [11/12/2009 01:18 19160]
S2 .1185569378;1185569378;c:\program files\1185569378\Kris1185569378L.exe --> c:\program files\1185569378\Kris1185569378L.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [15/04/2008 22:01 21504]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [27/07/2007 21:09 5504]
S3 ST330;ST330;c:\windows\System32\drivers\st330.sys [16/08/2007 22:10 30464]
S3 STBUS;STBUS;c:\windows\System32\drivers\stbus.sys [16/08/2007 22:10 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\System32\drivers\stppp.sys [16/08/2007 22:10 35328]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\System32\drivers\WPN111v.sys [04/08/2008 16:20 904192]
S4 ACKFBIA;ACKFBIA;c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe --> c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [?]
S4 KRGSL;KRGSL;c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe --> c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe [?]
S4 MTXVRT;MTXVRT;c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe --> c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe [?]
S4 OVLLJRWYF;OVLLJRWYF;c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe --> c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lycos.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(15232)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
Completion time: 2010-01-09 15:25:17
ComboFix-quarantined-files.txt 2010-01-09 15:25

Pre-Run: 164,026,007,552 bytes free
Post-Run: 163,991,990,272 bytes free

- - End Of File - - CE4E4CB89C50BE21D12AC0C2802D5640

thanks

Jintan
Senior Member
Posted 1/10/2010 1:50 AM (GMT +3)
The Avenger log suggests it was unable to make the file move, but the ComboFix scan run after that indicates the file alteration is no longer occurring. Let's check the file status again. Run this same script in SystemLook again, and post the log please:

Begin copying here:
Files to move:
c:\atapi.sys | c:\windows\system32\drivers\atapi.sys

Tofer
New Member
Posted 1/10/2010 2:01 AM (GMT +3)
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 23:00 on 09/01/2010 by Kris_2 (Administrator - Elevation successful)

No Context: Files to move:

No Context: c:\atapi.sys | c:\windows\system32\drivers\atapi.sys

-=End Of File=-

Is that right?

Jintan
Senior Member
Posted 1/10/2010 3:10 AM (GMT +3)
No, my fault reposting the Avenger script. This script please:

:filefind
atapi.sys

Tofer
New Member
Posted 1/10/2010 3:30 AM (GMT +3)
Hello

Is this right?

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:26 on 10/01/2010 by Kris_2 (Administrator - Elevation successful)
========== filefind ==========
Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [16:14 08/01/2010] [02:16 09/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys --a--- 21688 bytes [04:38 28/07/2007] [04:38 28/07/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys --a--- 19048 bytes [04:38 28/07/2007] [04:38 28/07/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [22:01 15/04/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [02:16 09/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys --a--- 19048 bytes [04:38 28/07/2007] [04:38 28/07/2007] A779CA2C76DA4FCB595E692C05E8E4EB
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] B35CFCEF838382AB6490B321C87EDF17
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys --a--- 19048 bytes [04:38 28/07/2007] [04:38 28/07/2007] 5653737BAD8C6C10136451C195C19881
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys --a--- 21688 bytes [04:38 28/07/2007] [04:38 28/07/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys --a--- 21560 bytes [15:12 13/04/2008] [15:12 13/04/2008] E03E8C99D15D0381E02743C36AFC7C6F
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [22:01 15/04/2008] [07:41 19/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
-=End Of File=-

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/13/2010 4:35 AM (GMT +3)
Sorry for missing that you had replied, and it is okay to send a PM like you did should this occur. These files match, which indicates the file exchange worked:

C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4

C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [02:16 09/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4

Go ahead and run and post back a new ComboFix scan log please - the log will be again C:\ComboFix.txt.
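The check Jintan does by eye above, comparing the MD5 of the loaded atapi.sys with the copies Windows keeps in the DriverStore and WinSxS, can be automated over a SystemLook ":filefind" log. The script below is an added example, not code from the thread or from SystemLook. The sample log is a subset of the atapi.sys lines posted above; the "tampered" variant, where the live copy carries an all-zero hash, is constructed to show what a patched driver looks like. The same-size-but-different-hash signal is an assumption of mine about how in-place driver patching presents, not something the thread states.

```python
"""Cross-check a loaded driver against the reference copies Windows keeps.

Added example, not code from the thread or from SystemLook.  It parses
SystemLook ":filefind" output and reports whether the copy of a driver that
Windows actually loads (the one under System32/drivers) carries the same MD5
as a copy held in the DriverStore or WinSxS component store.
"""
import re

# One SystemLook filefind result line:
#   <path> <attrs> <size> bytes [<timestamp>] [<timestamp>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Subset of the atapi.sys lines posted in the thread.  Raw string: the paths
# contain sequences such as \x86 that Python would otherwise treat as escapes.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
========== filefind ==========
Searching for "atapi.sys"
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [16:14 08/01/2010] [02:16 09/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys --a--- 21688 bytes [04:38 28/07/2007] [04:38 28/07/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [02:16 09/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys --a--- 21688 bytes [04:38 28/07/2007] [04:38 28/07/2007] 9E7E85EC61D1C9C3171CC08427108863
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
-=End Of File=-
"""

LIVE_LINE = r"C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [01:55 29/05/2009] [02:16 09/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4"
# Constructed variant of the same log in which the live copy carries a hash
# found nowhere else while keeping its size: the shape an in-place patch shows.
TAMPERED_SAMPLE = SAMPLE_LOG.replace(LIVE_LINE, LIVE_LINE[:-32] + "0" * 32)


def parse_filefind(text):
    """Return one dict per filefind result line; header/footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def classify(path):
    """'live' for the copy Windows loads, 'reference' for DriverStore/WinSxS copies."""
    p = path.lower()
    if "\\system32\\drivers\\" in p:
        return "live"
    if "\\driverstore\\filerepository\\" in p or "\\winsxs\\" in p:
        return "reference"
    return "other"


def check_driver(text):
    """Compare every live copy against the reference copies by MD5 and by size."""
    entries = parse_filefind(text)
    refs = [e for e in entries if classify(e["path"]) == "reference"]
    report = []
    for live in (e for e in entries if classify(e["path"]) == "live"):
        same = [r["path"] for r in refs if r["md5"] == live["md5"]]
        # Same size as a shipped copy but a different hash: the file was most
        # likely modified in place rather than replaced by another version.
        same_size = [r["path"] for r in refs
                     if r["size"] == live["size"] and r["md5"] != live["md5"]]
        report.append({
            "path": live["path"],
            "md5": live["md5"],
            "matches_reference": bool(same),
            "matching_copies": same,
            "same_size_different_hash": same_size,
        })
    return report


if __name__ == "__main__":
    for rep in check_driver(SAMPLE_LOG) + check_driver(TAMPERED_SAMPLE):
        status = "OK" if rep["matches_reference"] else "MISMATCH"
        print(f"{status}: {rep['path']} {rep['md5']} matches "
              f"{len(rep['matching_copies'])} reference copy/copies, "
              f"{len(rep['same_size_different_hash'])} same-size copies differ")
```

A live copy whose hash equals a DriverStore or WinSxS copy is the shipped driver, which is the conclusion Jintan draws here. A live copy that keeps a reference copy's size but not its hash is the case to escalate, since a straight version change would usually change the size as well.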

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/13/2010 5:26 PM (GMT +3)
Hello again, no need to say sorry, I'm sure you're a very busy man!

OK, here's the log:

ComboFix 10-01-04.01 - Kris_2 13/01/2010 13:52:11.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3316.2143 [GMT 0:00]
Running from: c:\users\Kris_2\Desktop\456out.com
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: ZoneAlarm Pro Anti-Spyware *enabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-12 17:02 . 2010-01-12 17:02 -------- d-----w- c:\users\Kris_2\AppData\Roaming\AVG8
2010-01-07 13:06 . 2010-01-13 10:42 -------- d-----w- c:\programdata\BullGuard
2010-01-07 13:06 . 2010-01-13 11:51 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BullGuard
2010-01-07 12:59 . 2010-01-07 12:59 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Tific
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Trusteer
2009-12-25 00:21 . 2009-12-25 00:53 -------- d-sh--w- c:\users\Kris_2\AppData\Roaming\lowsec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-12 23:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-12 23:53 . 2009-12-22 16:14 -------- d-----w- c:\program files\Microsoft
2010-01-12 23:49 . 2010-01-12 23:49 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-01-12 23:49 . 2010-01-12 17:50 305688 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2010-01-12 23:49 . 2008-09-18 09:17 29208 ----a-r- c:\windows\system32\drivers\Afw.sys
2010-01-12 23:49 . 2009-12-11 00:53 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BitTorrent
2010-01-12 23:49 . 2010-01-12 17:49 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2010-01-12 17:49 . 2010-01-12 17:49 -------- d-----w- c:\program files\BullGuard Ltd
2010-01-12 16:52 . 2009-12-02 12:20 -------- d-----w- c:\program files\AVG
2010-01-09 02:16 . 2009-05-29 01:55 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-09 02:15 . 2010-01-09 02:15 19944 ----a-w- c:\windows\system32\drivers\kav_atapi.sys
2010-01-07 23:59 . 2009-12-11 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 16:07 . 2009-12-11 01:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-12-11 01:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 20:14 . 2010-01-05 20:14 68072 ----a-w- c:\users\Kris_2\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-05 15:22 . 2009-12-26 11:06 8192 ----a-w- C:\ntuser.dat
2009-12-26 11:05 . 2009-12-26 11:05 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\program files\Trusteer
2009-12-22 16:13 . 2009-12-22 16:13 -------- d-----w- c:\program files\Windows Live
2009-12-12 15:19 . 2009-12-12 15:19 -------- d-----w- c:\program files\CCleaner
2009-12-11 01:18 . 2009-12-11 01:18 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Malwarebytes
2009-12-11 00:51 . 2009-12-11 00:51 -------- d-----w- c:\program files\BitTorrent
2009-12-08 18:26 . 2009-12-08 18:26 -------- d-----w- c:\users\Kris_2\AppData\Roaming\DivX
2009-12-08 18:17 . 2009-12-07 04:00 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\programdata\Nero
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\program files\Nero
2009-12-07 23:34 . 2009-12-07 22:22 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Ahead
2009-12-05 16:31 . 2008-06-05 11:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-05 16:09 . 2009-12-05 16:09 -------- d-----w- c:\program files\Trend Micro
2009-11-30 23:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-30 23:08 . 2007-08-01 12:54 -------- d-----w- c:\program files\DivX
2009-11-30 23:08 . 2009-05-29 02:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-30 19:47 . 2009-11-30 19:47 -------- d-----w- c:\programdata\Malwarebytes
2009-11-21 06:40 . 2009-12-09 11:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 11:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 11:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 11:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 18:56 . 2009-11-19 18:56 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-09 12:31 . 2009-12-09 11:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 11:43 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 11:43 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 20:42 . 2009-10-03 08:47 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:39 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-19 13:38 . 2010-01-12 23:52 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-10-19 13:35 . 2010-01-12 23:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2007-07-28 04:38 . 2007-07-28 04:37 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-01-12 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-04 304008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-01-12 304464]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-27 50688]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2008-4-13 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):5f,33,8f,a8,0d,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2279729505-3709079803-170581798-1004]
"EnableNotificationsRef"=dword:00000001

R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\Afw.sys [18/09/2008 09:17 29208]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 05:17 77824]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\System32\drivers\BdFileSpy.sys [12/01/2010 17:49 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/12/2009 01:18 236368]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\System32\drivers\AfwCore.sys [12/01/2010 17:50 305688]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [11/12/2009 01:18 19160]
S2 .1185569378;1185569378;c:\program files\1185569378\Kris1185569378L.exe --> c:\program files\1185569378\Kris1185569378L.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [15/04/2008 22:01 21504]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [27/07/2007 21:09 5504]
S3 Reconn;BullGuard Email Monitor;c:\program files\BullGuard Ltd\BullGuard\Reconn.sys [29/07/2008 09:03 16984]
S3 ST330;ST330;c:\windows\System32\drivers\st330.sys [16/08/2007 22:10 30464]
S3 STBUS;STBUS;c:\windows\System32\drivers\stbus.sys [16/08/2007 22:10 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\System32\drivers\stppp.sys [16/08/2007 22:10 35328]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\System32\drivers\WPN111v.sys [04/08/2008 16:20 904192]
S4 ACKFBIA;ACKFBIA;c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe --> c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [?]
S4 KRGSL;KRGSL;c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe --> c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe [?]
S4 MTXVRT;MTXVRT;c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe --> c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe [?]
S4 OVLLJRWYF;OVLLJRWYF;c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe --> c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-13 14:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(9940)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
Completion time: 2010-01-13 14:20:18
ComboFix-quarantined-files.txt 2010-01-13 14:20
ComboFix2.txt 2010-01-09 15:25

Pre-Run: 188,966,010,880 bytes free
Post-Run: 188,626,329,600 bytes free

- - End Of File - - E6FB999F35491A9F9715CECE06349205

cheerio!

El Guapo

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/14/2010 2:37 AM (GMT +3)
Good job - the file exchange appears to have worked. Don't want to delay things more than we need to, but I would like you to verify a folder, and/or the file inside it:

c:\program files\1185569378\Kris1185569378L.exe <----

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types", so you will see any info available to you. Just check if that file exists, right click it - select Properties and see if you can determine what created/uses it.

If necessary, go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select that file on your computer.

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/14/2010 5:15 AM (GMT +3)
Can't find that file anywhere. Think it may have been removed already?

I ran HijackThis and I thought this entry would shed some light.

O23 - Service: 1185569378 (.1185569378) - Unknown owner - C:\Program Files\1185569378\Kris1185569378L.exe (file missing)

What do you think?

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
Posted 1/14/2010 6:54 AM (GMT +3)
That is enough to move forward on.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

KillAll::
Driver::
.1185569378
ACKFBIA
KRGSL
MTXVRT
OVLLJRWYF
Folder::
c:\program files\1185569378
c:\users\Kris_2\AppData\Roaming\lowsec


Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed, a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-------------

Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple of minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.

Post that log and the C:\ComboFix.txt log please.
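The five entries in the Driver:: section of Jintan's CFScript are the ones in the ComboFix "Reg Loading Points" list that combine several weak signs at once (image under a user Temp directory, ComboFix unable to stat the image, shown as [?], and a name that looks generated), and Tofer's HijackThis O23 line confirms the first of them has no file behind it. The script below is an added example, not code from the thread, ComboFix or HijackThis: it parses the ComboFix service lines and the O23 line posted above and flags entries with two or more of those signs. The threshold and the name heuristic are my own assumptions. A single sign is deliberately not enough, because the Dell printer service in the same log also shows [?], apparently only because its command line carries a -service argument.

```python
"""Triage service and driver load points from a ComboFix log.

Added example, not code from the thread, ComboFix or HijackThis.  ComboFix
lists each service as
    <start> <name>;<display name>;<image path> [<date> <time> <size>]
or, when it could not stat the image,
    <start> <name>;<display name>;<image path> --> <image path> [?]
"""
import re

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# HijackThis O23 line: "O23 - Service: <display> (<name>) - <owner> - <image> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - "
    r"(?P<image>.+?)(?P<missing> \(file missing\))?$"
)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
# Assumed heuristic: all-digit or all-capital names of this length are rarely
# hand-picked by a vendor.  It fires on some legitimate drivers too (STBUS in
# the sample), which is why it is never sufficient on its own.
GENERATED_NAME = re.compile(r"^\.?(\d{6,}|[A-Z]{5,})$")

# Service lines taken from the ComboFix log posted in the thread (raw string:
# backslashes are literal).
SAMPLE_LOG = r"""
R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\Afw.sys [18/09/2008 09:17 29208]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/12/2009 01:18 236368]
S2 .1185569378;1185569378;c:\program files\1185569378\Kris1185569378L.exe --> c:\program files\1185569378\Kris1185569378L.exe [?]
S3 STBUS;STBUS;c:\windows\System32\drivers\stbus.sys [16/08/2007 22:10 12672]
S4 ACKFBIA;ACKFBIA;c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe --> c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [?]
S4 KRGSL;KRGSL;c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe --> c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe [?]
S4 MTXVRT;MTXVRT;c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe --> c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe [?]
S4 OVLLJRWYF;OVLLJRWYF;c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe --> c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe [?]
"""
# The HijackThis entry quoted in the thread for the same service.
HJT_O23 = r"O23 - Service: 1185569378 (.1185569378) - Unknown owner - C:\Program Files\1185569378\Kris1185569378L.exe (file missing)"


def parse_combofix_services(text):
    """Return one dict per service line: start type, name, display, image, unresolved."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        unresolved = rest.endswith("[?]")
        if " --> " in rest:
            image = rest.split(" --> ", 1)[0]          # path repeated after the arrow
        else:
            image = re.sub(r" \[[^\]]*\]$", "", rest)   # drop "[date time size]"
        services.append({"start": m.group("start"), "name": m.group("name"),
                         "display": m.group("display"), "image": image,
                         "unresolved": unresolved})
    return services


def parse_hjt_o23(line):
    """Parse a HijackThis O23 line; returns None if the line is not one."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["file_missing"] = d.pop("missing") is not None
    return d


def suspicion_reasons(svc):
    """Independent weak signals; each is common enough on its own to be harmless."""
    reasons = []
    if TEMP_DIR.search(svc["image"]):
        reasons.append("image lives under a user Temp directory")
    if svc["unresolved"]:
        reasons.append("ComboFix could not stat the image ([?])")
    if GENERATED_NAME.match(svc["name"]):
        reasons.append("service name looks machine-generated")
    return reasons


def triage(text, threshold=2):
    """Services with at least `threshold` reasons, as (name, reasons), in log order."""
    flagged = []
    for svc in parse_combofix_services(text):
        reasons = suspicion_reasons(svc)
        if len(reasons) >= threshold:
            flagged.append((svc["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"{name}: " + "; ".join(reasons))
    o23 = parse_hjt_o23(HJT_O23)
    print(f"HijackThis on {o23['name']}: owner={o23['owner']!r}, file missing={o23['file_missing']}")
```

Run as-is, it lists exactly the five names that went into the Driver:: section, and leaves dlcx_device and STBUS alone even though each trips one signal. The point of the scoring is the same one Jintan applies by hand: a service registered from a Temp directory with a throwaway name and no file behind it is an orphaned load point worth removing, while a lone [?] on a vendor service with arguments in its image path is not.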

Tofer
New Member


Date Joined Dec 2009
Total Posts : 27
 
Posted 1/15/2010 1:49 AM (GMT +3)
Hello,

We gotta stop meeting like this...

COMBOFIX LOG:
-----------------------------------------------------------------------------------
-----------------------------------------------------------------------------------

ComboFix 10-01-04.01 - Kris_2 14/01/2010 18:34:26.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3316.2168 [GMT 0:00]
Running from: c:\users\Kris_2\Desktop\456out.com
Command switches used :: c:\users\Kris_2\Desktop\CFScript.txt
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: ZoneAlarm Pro Anti-Spyware *enabled* (Updated) {F245A209-1085-48B4-B927-35D56015EC60}
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Kris_2\AppData\Roaming\lowsec
c:\users\Kris_2\AppData\Roaming\lowsec\local.ds
c:\users\Kris_2\AppData\Roaming\lowsec\user.ds

.
((((((((((((((((((((((((( Files Created from 2009-12-14 to 2010-01-14 )))))))))))))))))))))))))))))))
.

2010-01-14 18:43 . 2010-01-14 18:46 -------- d-----w- c:\users\Kris_2\AppData\Local\temp
2010-01-14 18:43 . 2010-01-14 18:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-14 18:43 . 2010-01-14 18:43 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2010-01-14 18:43 . 2010-01-14 18:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-14 18:43 . 2010-01-14 18:43 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-01-12 23:52 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-12 23:52 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-01-12 23:49 . 2010-01-12 23:49 87376 ----a-w- c:\windows\system32\BGLsp.dll
2010-01-12 17:50 . 2010-01-12 23:49 305688 ----a-r- c:\windows\system32\drivers\AfwCore.sys
2010-01-12 17:49 . 2010-01-12 23:49 55504 ----a-w- c:\windows\system32\drivers\BdFileSpy.sys
2010-01-12 17:49 . 2010-01-12 17:49 -------- d-----w- c:\program files\BullGuard Ltd
2010-01-12 17:02 . 2010-01-12 17:02 -------- d-----w- c:\users\Kris_2\AppData\Roaming\AVG8
2010-01-09 02:15 . 2010-01-09 02:15 19944 ----a-w- c:\windows\system32\drivers\kav_atapi.sys
2010-01-07 13:06 . 2010-01-14 18:47 -------- d-----w- c:\programdata\BullGuard
2010-01-07 13:06 . 2010-01-13 11:51 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BullGuard
2010-01-07 12:59 . 2010-01-07 13:00 -------- d-----w- c:\users\Kris_2\AppData\Local\Tific
2010-01-07 12:59 . 2010-01-07 12:59 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Tific
2010-01-07 12:17 . 2010-01-07 12:17 -------- d-----w- c:\windows\system32\drivers\NAV
2010-01-07 02:04 . 2010-01-13 01:32 -------- d-----w- c:\users\Kris_2\AppData\Local\CrashDumps
2010-01-06 14:20 . 2010-01-06 14:20 -------- d-----w- c:\users\Kris_2\AppData\Local\ABBYY
2010-01-06 10:48 . 2010-01-06 10:48 -------- d-----w- c:\windows\Internet Logs
2010-01-05 20:14 . 2010-01-05 20:14 68072 ----a-w- c:\users\Kris_2\AppData\Local\GDIPFONTCACHEV1.DAT
2009-12-26 11:06 . 2010-01-05 15:22 8192 ----a-w- C:\ntuser.dat
2009-12-26 11:05 . 2009-12-26 11:05 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Trusteer
2009-12-26 10:20 . 2009-12-26 10:20 -------- d-----w- c:\program files\Trusteer
2009-12-22 16:14 . 2010-01-12 23:53 -------- d-----w- c:\program files\Microsoft
2009-12-22 16:13 . 2009-12-22 16:13 -------- d-----w- c:\program files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-14 18:18 . 2009-12-11 00:53 -------- d-----w- c:\users\Kris_2\AppData\Roaming\BitTorrent
2010-01-12 23:55 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-12 23:49 . 2008-09-18 09:17 29208 ----a-r- c:\windows\system32\drivers\Afw.sys
2010-01-12 16:52 . 2009-12-02 12:20 -------- d-----w- c:\program files\AVG
2010-01-09 02:16 . 2009-05-29 01:55 19944 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 23:59 . 2009-12-11 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-07 23:54 . 2009-12-11 01:19 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 16:07 . 2009-12-11 01:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07 . 2009-12-11 01:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-12 15:19 . 2009-12-12 15:19 -------- d-----w- c:\program files\CCleaner
2009-12-11 01:18 . 2009-12-11 01:18 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Malwarebytes
2009-12-11 00:51 . 2009-12-11 00:51 -------- d-----w- c:\program files\BitTorrent
2009-12-08 18:26 . 2009-12-08 18:26 -------- d-----w- c:\users\Kris_2\AppData\Roaming\DivX
2009-12-08 18:17 . 2009-12-07 04:00 -------- d-----w- c:\program files\Common Files\Ahead
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\programdata\Nero
2009-12-08 18:16 . 2009-12-08 18:16 -------- d-----w- c:\program files\Nero
2009-12-07 23:34 . 2009-12-07 22:22 -------- d-----w- c:\users\Kris_2\AppData\Roaming\Ahead
2009-12-05 16:31 . 2008-06-05 11:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-05 16:09 . 2009-12-05 16:09 -------- d-----w- c:\program files\Trend Micro
2009-11-30 23:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-11-30 23:08 . 2007-08-01 12:54 -------- d-----w- c:\program files\DivX
2009-11-30 23:08 . 2009-05-29 02:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-30 19:47 . 2009-11-30 19:47 -------- d-----w- c:\programdata\Malwarebytes
2009-11-21 06:40 . 2009-12-09 11:24 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 11:24 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 11:24 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 11:24 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 18:56 . 2009-11-19 18:56 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-11-09 12:31 . 2009-12-09 11:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-11-09 12:30 . 2009-12-09 11:43 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-11-09 10:36 . 2009-12-09 11:43 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-11-02 20:42 . 2009-10-03 08:47 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:39 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-28 09:19 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2007-07-28 04:38 . 2007-07-28 04:37 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-01-12 304464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-04 304008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"BullGuard"="c:\program files\BullGuard Ltd\BullGuard\bullguard.exe" [2010-01-12 304464]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-7-27 50688]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2008-4-13 884838]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BgMainSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):5f,33,8f,a8,0d,e0,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2279729505-3709079803-170581798-1004]
"EnableNotificationsRef"=dword:00000001

R1 afw;Agnitum Firewall Driver;c:\windows\System32\drivers\Afw.sys [18/09/2008 09:17 29208]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/12/2009 13:37 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/12/2009 13:37 337000]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [05/12/2007 05:17 77824]
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\System32\drivers\BdFileSpy.sys [12/01/2010 17:49 55504]
R2 BsFileScan;BullGuard File Scan Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 BsMailProxy;BullGuard Email Monitoring Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/12/2009 01:18 236368]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/12/2009 13:37 972008]
R3 AfwCore;Agnitum Firewall Core Driver;c:\windows\System32\drivers\AfwCore.sys [12/01/2010 17:50 305688]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [11/12/2009 01:18 19160]
S2 .1185569378;1185569378;c:\program files\1185569378\Kris1185569378L.exe --> c:\program files\1185569378\Kris1185569378L.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [15/04/2008 22:01 21504]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [27/07/2007 21:09 5504]
S3 Reconn;BullGuard Email Monitor;c:\program files\BullGuard Ltd\BullGuard\Reconn.sys [29/07/2008 09:03 16984]
S3 ST330;ST330;c:\windows\System32\drivers\st330.sys [16/08/2007 22:10 30464]
S3 STBUS;STBUS;c:\windows\System32\drivers\stbus.sys [16/08/2007 22:10 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\System32\drivers\stppp.sys [16/08/2007 22:10 35328]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\System32\drivers\WPN111v.sys [04/08/2008 16:20 904192]
S4 ACKFBIA;ACKFBIA;c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe --> c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [?]
S4 KRGSL;KRGSL;c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe --> c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe [?]
S4 MTXVRT;MTXVRT;c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe --> c:\users\Kris_2\AppData\Local\Temp\MTXVRT.exe [?]
S4 OVLLJRWYF;OVLLJRWYF;c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe --> c:\users\Kris_2\AppData\Local\Temp\OVLLJRWYF.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.co.uk/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-14 18:45
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5844)
c:\program files\BullGuard Ltd\BullGuard\antispam\PluginHook.dll
c:\program files\BullGuard Ltd\BullGuard\res\en\PluginHookRes.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\program files\BullGuard Ltd\BullGuard\BackupShellHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
c:\windows\system32\dlcxcoms.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-01-14 18:52:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-14 18:52
ComboFix2.txt 2010-01-13 14:20
ComboFix3.txt 2010-01-09 15:25

Pre-Run: 190,786,424,832 bytes free
Post-Run: 190,750,674,944 bytes free

- - End Of File - - 986919839C3E2820BCBC788E19B566A1


ESET ONLINE SCAN LOG:
--------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

This is all that was in the log.txt file. Is this right?
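The triage a helper would do by eye on the Services block of the ComboFix log above, written out as an added example in Python. This is not code from the forum post, from ComboFix or from BullGuard: the sample lines are copied from the log above, the flagging rules are my own heuristics, and the reading of `--> path [?]` (ComboFix could not stat the image path as printed, which happens when the file is gone or when the ImagePath carries arguments it cannot separate, as with `dlcxcoms.exe -service`, a binary that also appears under Other Running Processes) is an assumption.

```python
"""Parse ComboFix 'Services' lines and flag the ones a responder should look at.

Added example, not from the forum post, ComboFix or BullGuard.  Leading
letter R/S is read as running/stopped and the digit as the Windows start
type; "--> path [?]" is read as "ComboFix could not stat the image path".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the service lines from the log above.
SAMPLE_LOG = r"""
R2 BdFileSpy;BullGuard File Monitor Driver;c:\windows\System32\drivers\BdFileSpy.sys [12/01/2010 17:49 55504]
R2 BsFire;BullGuard Firewall Service;c:\windows\System32\svchost.exe -k BullGuard [15/04/2008 22:01 21504]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S2 .1185569378;1185569378;c:\program files\1185569378\Kris1185569378L.exe --> c:\program files\1185569378\Kris1185569378L.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [15/04/2008 22:01 21504]
S4 ACKFBIA;ACKFBIA;c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe --> c:\users\Kris_2\AppData\Local\Temp\ACKFBIA.exe [?]
S4 KRGSL;KRGSL;c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe --> c:\users\Kris_2\AppData\Local\Temp\KRGSL.exe [?]
"""

# svchost groups as listed under the svchost registry key in the same log.
SVCHOST_GROUPS = {
    "LocalServiceAndNoImpersonation": {"FontCache"},
    "BullGuard": {"BgMainSvc", "BsFileScan", "BsMailProxy", "BsFire"},
}

LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r"\s\[(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) (?P<size>\d+)\]$")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
NUMERIC_DIR_RE = re.compile(r"\\program files\\\d+\\", re.I)
SVCHOST_RE = re.compile(r"svchost\.exe -k (\S+)", re.I)


@dataclass
class Service:
    running: bool
    start_type: int
    name: str
    display: str
    image: str           # image path plus arguments, as ComboFix printed it
    file_found: bool     # False when the line ends in "--> path [?]"
    size: Optional[int]  # file size from the "[date time size]" stamp


def parse_service_line(line: str) -> Optional[Service]:
    """Return a Service for a ComboFix service line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    running, start = m.group("state") == "R", int(m.group("start"))
    rest = m.group("rest")
    stamp = STAMP_RE.search(rest)
    if stamp:  # "path [dd/mm/yyyy hh:mm size]": file was found and stat'ed
        return Service(running, start, m.group("name"), m.group("display"),
                       rest[: stamp.start()], True, int(stamp.group("size")))
    # "path --> path [?]": ComboFix could not stat the image path (assumed reading)
    return Service(running, start, m.group("name"), m.group("display"),
                   rest.split(" --> ")[0], False, None)


def triage(svc: Service) -> List[str]:
    """Heuristic reasons to look closer at a service; empty list means nothing odd."""
    reasons = []
    if svc.name.startswith("."):
        reasons.append("service name begins with '.', which sorts it first and looks generated")
    if TEMP_RE.search(svc.image):
        reasons.append("image lives under a user's AppData\\Local\\Temp")
    if NUMERIC_DIR_RE.search(svc.image):
        reasons.append("image lives in an all-digit folder under Program Files")
    if not svc.file_found:
        reasons.append("ComboFix could not stat the image path ([?]); weak on its own")
    hosted = SVCHOST_RE.search(svc.image)
    if hosted and svc.name not in SVCHOST_GROUPS.get(hosted.group(1), set()):
        reasons.append(f"svchost group {hosted.group(1)} does not list this service")
    return reasons


def suspicious_services(log: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for every service line with at least one reason."""
    flagged: Dict[str, List[str]] = {}
    for line in log.splitlines():
        svc = parse_service_line(line)
        if svc is not None and (reasons := triage(svc)):
            flagged[svc.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in sorted(suspicious_services(SAMPLE_LOG).items(),
                                key=lambda kv: -len(kv[1])):
        print(f"{name}: " + "; ".join(reasons))
```

Sorting by the number of reasons puts the Temp-resident S4 entries and the dotted `.1185569378` service at the top, while `dlcx_device` sinks to the bottom on the single, weak `[?]` signal. The svchost cross-check passes for every hosted service in this log; it is there because a service hosted in a `-k` group that the svchost key does not list is exactly the kind of entry that hides in plain sight.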