Purchased Used System - May Have Malware [Solved]


This topic is locked.

#16 Dakeyras
Anti-Malware Mammoth, Expert, 9,684 posts
Hi. :)

> Can add back indexing if you think it is a good idea.

Your choice really, as it depends on what you actually plan to use the machine for.

> One item to report: can't seem to get Internet Explorer "Auto Complete" to work (wasn't working before either). When I received the computer, IE was set at "Medium-High" for internet access. Did not make any changes.

OK, we will see if we can remedy that (reset IE below).

> Could not remove using Add/Remove Programs. I have attached a screenshot from Add/Remove Programs.

Either option you mentioned is fine to proceed with.

> Gateway M675 PRR. Here is more detail from Speccy.

According to my research some type of Recovery Partition should be present, or in this case was. So we can check further, and that may also shed some light on the strange output in the DDS log.

> Should I leave both these reports in the root drive?

Delete both now if you so wish, and/or wait until I give the all clear.

> Also, thought you should see this folder that RK placed on the desktop named RK Quarantine.

That is fine, not a cause for concern, and you can delete that when I give the all clear.

Next:

Click on Start >> Control Panel >> Computer Management >> Disk Management, then create a screenshot and post it for my review please.

Boot.ini Check:

I would like to review the current state of the Boot.ini file to check if it is corrupted or not as follows...

  • Open Notepad.
  • Copy and paste everything from the code box below (do not copy the word "quote") into Notepad. <-- Start >> Run... type in notepad and select OK

@echo off
rem Copy boot.ini to the desktop; /h includes hidden and system files
xcopy C:\boot.ini "%userprofile%\desktop\" /h
rem Clear the system and hidden attributes on the copy so it can be renamed and opened
attrib -s -h "%userprofile%\desktop\boot.ini"
rem Rename the copy to a .txt so it opens in Notepad
ren "%userprofile%\desktop\boot.ini" bootini.txt
rem Delete this batch file itself
del %0

  • Go to File >> Save As
  • Save File name as "Look.bat" <-- Make sure to include the apostrophes.
  • Change Save as Type to All Files and save the file to your Desktop.
  • It should look like this: [screenshot]
Reset IE8:

  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished, and/or keep it in case of any problems with IE8 in the future.
  • The next time IE8 is launched you will be prompted to reapply settings again; this is normal.
Note: Any add-ons will need to be reapplied after the above reset.


#17 joseph456
Member, Topic Starter, 345 posts
Ask.com files deleted per Revo Uninstaller

IE8 Reset and now working properly - Thanks! :cheers:

Computer Management snapshot attached: Computer Management.JPG

Look.bat on desktop (was not sure if you wanted me to run it yet): Look.JPG

#18 Dakeyras
Anti-Malware Mammoth, Expert, 9,684 posts
Hi. :)

> Ask.com files deleted per Revo Uninstaller

OK.

> IE8 Reset and now working properly

Good.

> Computer Management snapshot attached

If there was a Recovery Partition, it is not there now, or it may just be that the machine did not have one in the first place... Though I do suspect the former, unless of course at some point the actual hard drive was replaced, if it had failed for example.

Curious nonetheless; anyway, let's continue as follows, shall we...

> Look.bat on desktop (was not sure if you wanted me to run it yet)

Sure, go ahead and run it.

Also carry out the scan below for me...

Scan With RKUnHooker:

  • Please download Rootkit Unhooker, save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

#19 joseph456
Member, Topic Starter, 345 posts
Some interesting developments when running RKu? :confused:

Need to attach some photos as soon as I figure out how to make some space, since I am at my limit of 4 MB. Figured it out and attached files:

MSE RKU.JPG

And the reports you requested:

Boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

RkU

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2367488 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2265088 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2265088 bytes
0x804D7000 RAW 2265088 bytes
0x804D7000 WMIxWDM 2265088 bytes
0xBF800000 Win32k 1863680 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1863680 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9C3B000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1331200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xB9A49000 C:\WINDOWS\system32\DRIVERS\smserial.sys 925696 bytes (Motorola Inc., Motorola SM56 Modem WDM Driver)
0xBF2F4000 C:\WINDOWS\System32\ativvaxx.dll 643072 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB5556000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB98F3000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB570B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB1FA8000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF391000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9BC2000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 266240 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.0 wireless driver)
0xB1BF4000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB9B4D000 C:\WINDOWS\system32\drivers\STAC97.sys 253952 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF07D000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 212992 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xB9951000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB226C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF786A000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB106D000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB55C6000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF7422000 MpFilter.sys 163840 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0xB56D9000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF7494000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB56B3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB1900000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB9C03000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB9B8B000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB5691000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB9B2B000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x80700000 ACPI_HAL 134400 bytes
0x80700000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF745C000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74BA000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF74D9000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF7850000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF747C000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB46E4000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB16DE000 C:\WINDOWS\system32\drivers\57028367.sys 94208 bytes (Kaspersky Lab, GERT, Kaspersky Lab Mini Driver)
0xF740B000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9A32000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB23AF000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9BAE000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB9C27000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB5764000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF744A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9981000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB5681000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA700000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF7607000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF7687000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA6F0000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB5641000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7557000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7617000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF7657000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA720000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7697000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7637000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76B7000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7667000 agp440.sys 45056 bytes (Microsoft Corporation, 440 NT AGP Filter)
0xF7527000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA710000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7627000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF76A7000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF76F7000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF76D7000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB1248000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF7647000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA730000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF76C7000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7537000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF7547000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77C7000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF780F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77A7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7817000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF778F000 C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys 28672 bytes
0xF7707000 C:\WINDOWS\System32\Drivers\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77B7000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7777000 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{965E7061-AB6B-4E98-A636-8CE4614BB58D}\MpKsl8ca676ec.sys 24576 bytes (Microsoft Corporation, KSLDriver)
0xF779F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77FF000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF77EF000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7807000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77CF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB5810000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF789F000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA7B0000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xBA790000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB2648000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB5532000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA7AC000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF793F000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79B9000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79EF000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79B7000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF798B000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79BB000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7995000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79BD000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79B1000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79B3000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A56000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB5868000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xB552B000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7A64000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 PCIIde.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntoskrnl.exe+0x00005B22, Type: Inline - RelativeJump 0x804DCB22-->804DCB29 [ntoskrnl.exe]
[1832]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - RelativeJump 0x7C810E27-->00585C0C [mssrch.dll]
[1832]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2C [unknown_code_page]
[1832]searchindexer.exe-->kernel32.dll-->WriteFile, Type: Inline - SEH 0x7C810E2D [unknown_code_page]
[2020]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[2020]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->715BA16B [aclayers.dll]
[2264]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->715BA067 [aclayers.dll]
[2264]iexplore.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x77A811F8-->715B9F5D [aclayers.dll]
[2264]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77A811FC-->715BA16B [aclayers.dll]
[2264]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->715BA16B [aclayers.dll]
[2264]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->715BA067 [aclayers.dll]
[2264]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->715BA16B [aclayers.dll]
[2264]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->715BA067 [aclayers.dll]
[2264]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->715BA067 [aclayers.dll]
[2264]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->715B9F5D [aclayers.dll]
[2264]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->715BA16B [aclayers.dll]
[2264]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->715BA067 [aclayers.dll]
[2264]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E42B3C6-->3E2DD119 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->3E2EDB14 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->3E3E5412 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->3E3E53AF [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->3E3E534C [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->3E215505 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->715BA16B [aclayers.dll]
[2264]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->715BA067 [aclayers.dll]
[2264]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->3E3E5214 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->3E3E51B2 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->3E3E52E1 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->3E3E5276 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->3E2E9AA5 [ieframe.dll]
[2264]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->3E254686 [ieframe.dll]
[2264]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->715B9E59 [aclayers.dll]
[2264]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->715BA16B [aclayers.dll]
[2264]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->715BA067 [aclayers.dll]
[2264]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[2264]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->715BA16B [aclayers.dll]
[2520]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->715BA067 [aclayers.dll]
[2520]iexplore.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x77A811F8-->715B9F5D [aclayers.dll]
[2520]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77A811FC-->715BA16B [aclayers.dll]
[2520]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->715BA16B [aclayers.dll]
[2520]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->715BA067 [aclayers.dll]
[2520]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->715BA16B [aclayers.dll]
[2520]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->715BA067 [aclayers.dll]
[2520]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->715BA067 [aclayers.dll]
[2520]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->715B9F5D [aclayers.dll]
[2520]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->715BA16B [aclayers.dll]
[2520]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->715BA067 [aclayers.dll]
[2520]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E42B3C6-->3E2DD119 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->3E2EDB14 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->3E3E5412 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->3E3E53AF [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->3E3E534C [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->3E215505 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->715BA16B [aclayers.dll]
[2520]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->715BA067 [aclayers.dll]
[2520]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->3E3E5214 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->3E3E51B2 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->3E3E52E1 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->3E3E5276 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42820F-->3E2E9AA5 [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E42D5F3-->3E254686 [ieframe.dll]
[2520]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->715B9E59 [aclayers.dll]
[2520]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->715BA16B [aclayers.dll]
[2520]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->715BA067 [aclayers.dll]
[2520]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->715BA16B [aclayers.dll]
[472]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->715BA067 [aclayers.dll]
[472]iexplore.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77A81190-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x77A811F8-->715B9F5D [aclayers.dll]
[472]iexplore.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77A811FC-->715BA16B [aclayers.dll]
[472]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->715BA16B [aclayers.dll]
[472]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->715BA067 [aclayers.dll]
[472]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->715BA16B [aclayers.dll]
[472]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->715BA067 [aclayers.dll]
[472]iexplore.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71A51184-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->mswsock.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x71A511A0-->715BA067 [aclayers.dll]
[472]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->715B9F5D [aclayers.dll]
[472]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->715BA16B [aclayers.dll]
[472]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->715BA067 [aclayers.dll]
[472]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E42D0A3-->3E2EDB14 [ieframe.dll]
[472]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456D7D-->3E3E5412 [ieframe.dll]
[472]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432072-->3E3E53AF [ieframe.dll]
[472]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->3E3E534C [ieframe.dll]
[472]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E4247AB-->3E215505 [ieframe.dll]
[472]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->715BA16B [aclayers.dll]
[472]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->715BA067 [aclayers.dll]
[472]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E45085C-->3E3E5214 [ieframe.dll]
[472]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E450838-->3E3E51B2 [ieframe.dll]
[472]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A082-->3E3E52E1 [ieframe.dll]
[472]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4664D5-->3E3E5276 [ieframe.dll]
[472]iexplore.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x3D9314B4-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x3D931450-->715BA16B [aclayers.dll]
[472]iexplore.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x3D931350-->715BA067 [aclayers.dll]
[472]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->715B9E59 [aclayers.dll]

Edited by joseph456, 21 May 2012 - 11:41 AM.

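Every hook in the report above comes from one of three modules: ieframe.dll (the inline jumps in user32 functions) and shimeng.dll / aclayers.dll (the IAT entries for GetProcAddress and the LoadLibrary family). ieframe.dll is Internet Explorer's own frame library and shimeng.dll / aclayers.dll are the Windows Application Compatibility shim engine and its layers, which is why the reply that follows treats the log as clean. As an added example, not part of this thread or of RkU itself, the Python below parses lines in the posted format, counts hooks per hooking module, flags any hooking module outside an allowlist, and flags a function whose hooks point at more than one destination. The allowlist and the sample lines are assumptions made for the example; the last sample line is constructed with a fictitious module name so that both checks have something to report.

```python
import re
from collections import Counter, defaultdict

# Shape of one line of the RkU (Rootkit Unhooker) hooks report posted above:
#   [PID]process-->module-->...-->Function, Type: <kind> 0xADDR-->ADDR [hooking module]
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<chain>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<hooker>[^\]]+)\]$"
)

# Assumption for this example only: modules expected to hook inside an IE process.
# shimeng.dll and aclayers.dll belong to the Windows Application Compatibility shim
# engine; ieframe.dll is Internet Explorer's own frame library. Anything else is flagged.
EXPECTED_HOOKERS = {"shimeng.dll", "aclayers.dll", "ieframe.dll"}

# Sample report: the first six lines are copied from the thread, the last line is
# constructed (fictitious hooking module, fictitious destination) to exercise the checks.
SAMPLE_REPORT = """
[2520]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B144-->3E3E534C [ieframe.dll]
[2520]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]
[2520]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F4-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->715B9E59 [aclayers.dll]
[472]iexplore.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]
[472]iexplore.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x71AB10A8-->10001F00 [example_unknown.dll]
""".strip().splitlines()


def parse_hook_line(line):
    """Return a dict describing one hook entry, or None if the line is not a hook line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("chain").split("-->")
    # The last element is the function and the one before it the module exporting it.
    # IAT entries may carry a third element naming the importing module; when it is
    # absent the patched IAT belongs to the process image itself.
    return {
        "pid": int(m.group("pid")),
        "process": parts[0],
        "importer": parts[-3] if len(parts) > 3 else parts[0],
        "exporter": parts[-2],
        "function": parts[-1],
        "kind": m.group("kind"),
        "src": int(m.group("src"), 16),
        "dst": int(m.group("dst"), 16),
        "hooker": m.group("hooker").lower(),
    }


def triage(report_lines, expected=EXPECTED_HOOKERS):
    """Summarise a hooks report: hooks per hooking module, hooks whose hooking module is
    not in the expected set, and (kind, exporter, function) keys whose hooks redirect to
    more than one destination, a hint that two different hookers are competing."""
    hooks = [h for h in map(parse_hook_line, report_lines) if h]
    per_hooker = Counter(h["hooker"] for h in hooks)
    unexpected = [h for h in hooks if h["hooker"] not in expected]
    destinations = defaultdict(set)
    for h in hooks:
        destinations[(h["kind"], h["exporter"], h["function"])].add(h["dst"])
    inconsistent = sorted(k for k, v in destinations.items() if len(v) > 1)
    return {"hooks": hooks, "per_hooker": per_hooker,
            "unexpected": unexpected, "inconsistent": inconsistent}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for module, n in result["per_hooker"].most_common():
        print(f"{n:3d} hook(s) installed by {module}")
    for h in result["unexpected"]:
        print(f"UNEXPECTED: pid {h['pid']} {h['importer']} -> "
              f"{h['exporter']}!{h['function']} hooked by {h['hooker']}")
    for kind, exporter, func in result["inconsistent"]:
        print(f"INCONSISTENT: {kind} of {exporter}!{func} points at more than one destination")
```

Run against the full report from the thread, every line lands in the allowlist and the per-function destinations agree (all GetProcAddress entries go to 5CB77774, all LoadLibraryA entries to 715B9E59, and so on), which is the pattern of a shim layer applied uniformly rather than of a third party patching selected imports.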

#20 Dakeyras (Expert, 9,684 posts)
Hi. :)

Some interesting developments when running RKu?

Sometimes when running an Anti-Rootkit tool the unexpected can occur, due to every system being unique, if you will, in what is installed; in this instance it appears MSE is falsely detecting RKU as malicious etc. Hence the error and what it detected. Feel free to delete that from the history of MSE.

Anyway nothing bad in the log, so that is a good outcome. Plus the actual boot loader on your machine is fine also.

Next:

Any further issues with your machine?

If not we will clean up all tools used during the Malware Removal process and I will provide some advice about online safety etc.

#21 joseph456 (Topic Starter, Member, 345 posts)
That's good to hear :cheers:

Everything seems to be running well. What should I do with the entries in MSE that are quarantined? Looks like they are referring to an installed program?

This has all been very helpful.

#22 Dakeyras (Expert, 9,684 posts)
Hi. :)

Everything seems to be running well.

Good...

What should I do with the entries in MSE that are quarantined. Looks like they are referring to an installed program?

As mentioned prior, this relates to what is known as a false positive detection against RKU. I have informed the vendor and that should be rectified within the next few update cycles, as that is in my own interest. As upon occasion I ask for this specific Anti-Rootkit tool to be deployed by anyone I assist who has say a 32-bit version of either XP, Vista or Windows 7 for example...

Anyway merely remove from the history if you so wish, to do so:-

Launch MSE >> click on History >> Quarantined items >> select both items >> Remove all

This has all been very helpful.

Pleased to learn such.

Next:

Congratulations your computer appears to be malware free!

Now I have some tasks for your good self to carry out as part of a clean up process and some advice about online safety.

Importance of Regular System Maintenance:

I advise you read both of the below listed topics as this will go a long way to keeping your Computer performing well.

Help! My computer is slow!

Also so is this:

What to do if your Computer is running slowly

Clean up with OTL:

  • Double-click OTL to start the program.
  • Close all other programs apart from OTL as this step will require a reboot.
  • On the OTL main screen, depress the CleanUp button.
  • Say Yes to the prompt and then allow the program to reboot your computer.
The above process should clean up and remove the vast majority of scanners used and logs created etc.

Any left over merely delete yourself and empty the Recycle Bin.

Reset the System Restore points:

  • Create a new, clean System Restore point which you can use in case of future system problems:
  • Click on Start >> All Programs >> Accessories >> System Tools >> System Restore
  • Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close
  • Now remove old, infected System Restore points:
  • Click on Start >> Run... and type cleanmgr in the box and press OK
  • Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
  • Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
  • Press OK and Yes to confirm
Now some advice for on-line safety:

Malwarebyte's Anti-Malware:

This is an excellent application and I advise you keep this installed. Check for updates and run a scan at least once per week.

Other installed security software:

Your presently installed security application, Microsoft Security Essentials, automatically checks for updates and downloads/installs them with every system reboot and/or periodically if the machine is left running, providing an internet connection is active.

I advise you also run a complete scan with this also at least once per week.

Erunt:

Emergency Recovery Utility NT, I advise you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Keep your system updated:

Microsoft releases patches for Windows and other products regularly:

  • I advise you visit: http://update.micros...t.aspx?ln=en-us
  • Install the ActiveX control
  • Once installed it will advise setting Auto-Updates if not set, and then you will be able to manually check for updates also via:
  • Start >> All Programs >> Microsoft Updates
Note: If the above is not an option available, merely use Windows Update via Start >> All Programs >> Windows Update

Be careful when opening attachments and downloading files:

Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
Never open emails from unknown senders.
Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Stop malicious scripts:

Windows by default allows scripts (that is, VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. My advice is avoid these types of software applications.

Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

Only use one of the above!

Install WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

Check your third party software is up to date periodically:

Via the Secunia Online Software Inspector

Next:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

Any questions? Feel free to ask, if not stay safe!

#23 joseph456 (Topic Starter, Member, 345 posts)
Thanks for help, responsiveness and diligence in getting these issues settled in a timely manner.

Also appreciate the comprehensive list. :thumbsup:

Will attend to these later today and report back with any issues

Any reason to keep any of the attached for any type of future reference? Any of these I can use on another machine for preventive maintenance? GTG 05.21.12.JPG

Also - Win Patrol - should I run periodically or let run all the time?

What do you do when you need a piece of software - for example - I use PDF995 which was provided by a trusted source. But if I wanted to find for example a PDF printer how do I know what is trusted and malware free?

Do you have a preference for IE8 or Firefox? How do I find out which security settings to use/turn on/off ?

#24 Dakeyras (Expert, 9,684 posts)
Hi. :)

Thanks for help, responsiveness and diligence in getting these issues settled in a timely manner.

You're most welcome!

Any reason to keep any of the attached for any type of future reference? Any of these I can use on another machine for preventive maintenance?

No need to keep any as mentioned in part of my clean up advice with OTL. I would not use any on another machine at all for the reason stated in my first reply to your good self:-

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.


Also - Win Patrol - should I run periodically or let run all the time?

If you opt to download/install, let it start with every system start-up/reboot as it provides real time monitoring.

What do you do when you need a piece of software - for example - I use PDF995 which was provided by a trusted source. But if I wanted to find for example a PDF printer how do I know what is trusted and malware free?

The sites I listed in Be careful when opening attachments and downloading files are trustworthy sources.

Though for peace of mind you could always scan any executable/installer you download with the presently installed security software and/or say use an online scan such as Jotti to upload the aforementioned for a check prior to installing etc.

Do you have a preference for IE8 or Firefox? How do I find out which security settings to use/turn on/off ?

Either is fine actually as long as it is up to date/any critical updates applied regarding IE8 etc. Myself I mainly use IE9 but unfortunately that is not an option for XP-based machines.

The below should prove of assistance:-

Mozilla Security Center

Security and privacy features in Internet Explorer 8

Securing Your Web Browser

#25 joseph456 (Topic Starter, Member, 345 posts)
Ok - followed through on all suggestions (BTW great tips - will retain for future reference), cleaned up computer, a couple of minor glitches and questions. :help:

Your presently installed security application, Microsoft Security Essentials automatically checks for updates and downloads/installs them with every system reboot and or periodically if the machine is left running providing a internet connection is active.

I advise you also run a complete scan with this also at least once per week.

Do you mean "quick scan" or "full scan?" Full scan takes about two plus hours

Erunt: Emergency Recovery Utility NT, I advice you keep this installed as a means to keep a complete backup of your registry and restore it when needed.

Myself I would actually create a new back up once per week as this along with System Restore may prove to be invaluable if something unforeseen occurs!

Will do. Should I erase all previous files in the ERDNT file? Should I leave the program on AutoBack? How often should I erase - what I mean is, how many should I keep? Should I use NTREGOPT?

Malwarebyte's Anti-Malware: This is a excellent application and I advise you keep this installed. Check for updates and run a scan at least once per week.

Ran it now - all clean!

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

•MVPS Hosts File

Here was the glitch. The program did not back up the current hosts file, although here is what my hosts file looks like. If I ever needed to remove it, which hosts file would I use since there is no backup? Here is the file. Windows.drivers.etc.JPG

In addition MVP Hosts provided this instruction:

[Important Notice - 2K/XP/Vista/Win7 Users]
In most cases a large HOSTS file (over 135 kb) tends to slow down the machine. This only occurs
in 2K/XP/Vista/Win7. Windows 98 and Windows ME are not affected.

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Scroll down to "DNS Client", Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.

I am not sure when the machine would be slow. Does this refer to using it offline or while I am using it or on the internet? Should I just go ahead and do this or just wait and see?

Importance of Regular System Maintenance: Help! My computer is slow!

Downloaded CCleaner, CleanUp and ATF and ran PC Pitstop

One of the suggestions in how to improve the performance of your machine was to use PCPitstop. I ran it and here were the results: PC Pitstop

Receive Buffer Size
Your receive buffer size is currently set to the system default. The default value usually does not provide the best performance.

One of the suggestions was to "change the buffer size" but I have to access the registry to do that. Should I go ahead with their suggestion?

Thanks again :thumbsup:

Edited by joseph456, 22 May 2012 - 10:59 PM.



#26 Dakeyras (Expert, 9,684 posts)
Hi. :)

Do you mean "quick scan" or "full scan?" Full scan takes about two plus hours

A quick scan is fine but the reason I mentioned running an actual full scan is that it is more prudent from a security point of view. Just ensure you have cleaned out temp files beforehand and leave the machine to be scanned, and do something else until complete.

Or if you so wish run a quick scan every other day and at least run the full scan once every few weeks. End of the day it all depends how often the machine will be used with online access.

Will do. Should I erase all previous files in ERDNT file? Should I leave program on AutoBack? How often should I erase - what I mean is how many should I keep? Should I use NTREGOPT

No need to delete any backups created, as after thirty days of automatic backups and/or thirty actual backups created manually over time, say...Erunt will automatically start to delete the oldest backup etc. and overwrite it, if memory serves correctly.

Also no need to use the autoback feature as this may increase boot-up time; rather just create a new backup manually. However the choice is yours regarding this. As for NTREGOPT, personally I would advise against using it, as with any type of purported registry cleaner/optimiser. It will have limited benefit and there is always the chance it may actually create more problems than it improves anything.

The Windows registry by design is fairly robust and I have never used any form of such registry cleaner/optimiser myself.

Here was the glitch. Program did not back up current hosts file although here is what my hosts file looks like. If I ever needed to remove which hosts file would I be use since there is no backup?

That is because it does not create a backup of the default installed one. Easy enough to reset it again back to the aforementioned with say HostsXpert.

I am not sure when the machine would be slow. While I am using it or on the internet? Should I just go ahead and do this or just wait and see?

To be honest myself personally I have never noticed any significant lag whilst browsing online with the MVPS Hosts file installed on either an XP, Vista or W7 machine over the years I have used such, and have always kept the DNS service active. Though it is entirely feasible it may, as every machine is vastly different if you will.

The downside of disabling the DNS is as mentioned:-

Editors Note: The above instructions are intended for a single (home-user) PC. If your machine is part of a "Domain", check with your IT Dept. before applying this work-around. This especially applies to Laptop users who travel or bring their work machines home. Make sure to reset the Service (if needed) prior to connecting (reboot required) to your work Domain ...

Important! If you are using Network Discovery then the DNS Client service is required and should not be set to either Manual or Disabled.

Source.

Myself I would merely try it as is with the DNS service active and see how it goes.

Downloaded CCleaner, CleanUp and ATF

I would not use ATF Cleaner as this has not been updated in a very long time.

A better option would be TFC - Temp File Cleaner

The PCPitstop url you posted appears not to be working for myself, not a problem though and no need for myself to actually view the results anyway.

One of the suggestions was to "change the buffer size" but I have to access the registry to do that. Should I go ahead with their suggestion?

Personally I would not bother and it will in all likelihood make no discernible difference. If anything such a modification would only really be applicable if using say a form of Dial-Up connection.

However, your choice to do so, and if you opt to, ensure you actually create a registry backup beforehand.
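The hosts-file advice given earlier in the thread (bad sites pointed at 127.0.0.1) together with the two questions just answered (no backup of the original file, and the MVPS notice about files over 135 KB) can be checked with a small script. The Python below is an added example, not part of the thread, of HostsXpert or of the MVPS file: it parses hosts-file text, separates blocking entries (names sent to loopback or 0.0.0.0) from entries that send a name somewhere else, which is the shape a hosts-file hijack takes, and reports whether the file exceeds the size the MVPS notice warns about. The sample hosts text is constructed for the example, using example.net/example.org names and a TEST-NET address for the planted hijack entry; the 135 KB threshold is taken from the notice quoted above.

```python
import ipaddress

# Size above which the MVPS notice quoted in the thread warns of slowdowns on 2K/XP/Vista/Win7.
LARGE_HOSTS_BYTES = 135 * 1024

# Constructed sample for this example (not the poster's real file). The first lines
# mirror the entries Windows ships with; the two blocking lines are in the style of
# the MVPS hosts file; the final line is a planted hijack entry that points a
# real-looking name at a TEST-NET address (RFC 5737), which is what a tampered file looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.net         # blocking entry, MVPS style
127.0.0.1  tracker.example.org   # blocking entry, older style
203.0.113.7  www.example-shop.com   # constructed hijack entry
"""


def is_blocking_address(ip):
    """True for the addresses a blocking hosts file sends bad sites to:
    loopback (127.0.0.1, ::1) or the unspecified address 0.0.0.0."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines,
    the same way the resolver does."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower()


def audit_hosts(text):
    """Classify every mapping and compare the file size with the MVPS threshold.

    Returns a dict with: blocked (names sent to loopback/0.0.0.0), redirects
    ((name, ip) pairs sent anywhere else, which deserve a close look), size_bytes
    and oversized."""
    blocked, redirects = [], []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the default Windows entries
        if is_blocking_address(ip):
            blocked.append(name)
        else:
            redirects.append((name, ip))
    size = len(text.encode("utf-8"))
    return {"blocked": blocked, "redirects": redirects,
            "size_bytes": size, "oversized": size > LARGE_HOSTS_BYTES}


if __name__ == "__main__":
    import sys
    # Pass a path to audit a real file (on Windows: %SystemRoot%\System32\drivers\etc\hosts);
    # with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    report = audit_hosts(text)
    note = " (over the 135 KB MVPS threshold)" if report["oversized"] else ""
    print(f"{len(report['blocked'])} blocked name(s), {report['size_bytes']} bytes{note}")
    for name, ip in report["redirects"]:
        print(f"CHECK: {name} is sent to {ip}, not to loopback")
```

On a machine that only has the default entries plus a blocking list, the redirects list is empty; any name that shows up there was put in the file by something other than a blocking list and is the first thing to look at when a site such as ebay.com starts landing somewhere unexpected.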

#27 joseph456 (Topic Starter, Member, 345 posts)
Hi Dakeyras -

You have taken care of everything I requested and answered all the questions. As a matter of fact you have cleared most of the issues I had originally approached this site with. You have cleared all the malware issues that I originally came for and some others too. I will now go back to the system forum for the remaining (non malware) questions. Also the system now has a lot more remaining space: 27.2 of 37.5 GB. I also appreciate you advising what you do with your own computer. That provides a great example. This is an 8 year old computer and it is running well.

Thanks!!! :cheers:

1.I received the system with the Administrator named "Owner". How do I change it back to Administrator?

2.I have not set up any user account and am not sure how to do it

3.The system has "Total Defense Security Center" installed. Should I remove this and if so, what should I add? It also has CA Security Center (may be the same). Should I use Revo to uninstall? At what level?

4.What other cleaners should I run? I have run CCleaner, Slimcleaner, ATF, Spyware Blaster and used Auslogics to Defrag

5.What other items do you suggest I do before I begin using the system?


6.How else can I clean the system?

7.System runs hot - Any suggestions?

8.I have used Windows Update to update Windows files. "Windows Search" and "Microsoft Silverlight" have been added and I do not need them. Can I remove them? If so, how?

9.The computer has WINRAR and two extremely large ISO files (1 GB and 4 GB). I am not sure what they are for or what the program is for

10.I ran Malwarebytes and it came up with a couple of items but since these are registry items I am not sure what to delete. The list follows:

Edited by joseph456, 23 May 2012 - 05:20 PM.


#28 Dakeyras (Expert, 9,684 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#29 Dakeyras (Expert, 9,684 posts)
Topic reopened....

Hi Dakeyras -

You helped me clean up my system on the above. Recently when I was on Ebay.com it takes me to a Chinese site, and then when I try to get on it through Firefox it says "Forbidden You don't have permission to access / on this server". If on IE8 it says HTTP 403. I ran Malwarebytes and it came up clean. I had this problem before you helped me clean it up and then it seemed like it was ok. Any idea what this could be? I can go to ebay global with no problem. It is just when I try to go to ebay.com that I have the problem. If this is not the right place to bring this up, please let me know and I will repost.

Thanks for your help.



#30 Dakeyras (Expert, 9,684 posts)
Hi. :)

Was it the Chinese version of Ebay and or just a random site? Have any other browser searches been misdirected at all? I do not use Ebay myself but from a quick look it does appear it is full of advertisements that are blocked by my custom host file.

If you are connecting this machine to a Router, might be an idea to reset it and apply a new admin password as a precaution.

Anyway answer my questions for me and carry out the below three scans also.

Scan with Blacklight:

Please download Blacklight from the below link to your Desktop.

Click here --> ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe

Then click onto Start >> Run..., copy & paste in the following text, and press Enter:

"%userprofile%\desktop\fsbl.exe" /expert

Accept the license agreement.

Click on Scan, wait for it to finish, then click Close

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste the contents of this log into your next reply.

Scan with GooredFix:

Please download GooredFix from one of the locations below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click on the executable.
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Scan with RogueKiller:

Please download RogueKiller to your desktop

Alternate download is here.

  • Quit all running programs
  • Double-click on RogueKiller.exe to start the application.
  • When prompted, type 1 then depress the Enter/Return key.
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.