I had to remove several fake AV infections for a friend. I'm not doing it anymore. I cannot convince this woman that the popups are causing her problems. She thinks that they are messages from her own AV and I can't convince her otherwise. Somewhere along the line, it got into my network and I can't get rid of it.
It started on my XP netbook. The internet slowed to a crawl first, then the machine itself. Eventually, it was so slow it was unusable. I was running Norton at the time. It found nothing. Neither did Malwarebytes or anything else. Any type of security software shut down. I tried repeating the procedures that I had used to get the fake AVs out of my friend's machine. It didn't work.
I reformatted, as I do when I am not sure that an infection is gone. All was fine for a few days, then it came back. Reformat, rinse and repeat, over and over again. I wiped the drive, as much as I could without removing the recovery partition. I also changed the wireless password to a 63-character random string and changed my IP address in the router several times. It just came back.
Meanwhile, it spread to everything in the house. The harder that I tried to get rid of it, the worse things got.
The home theatre PC was next. It exhibited all of the above symptoms first. It was reformatted too. The fan on the heatsink then died, or so I thought. I replaced it and the replacement died days later. The Pentium D got so hot it burned the board. I changed the board and processor and swapped out the power supply with a known good one off my bench. It lasted a few days and that died too. I believe that the fans were being shut down somehow. It was clean inside. That's a regular thing around here. I have two dogs and a cat.
The desktop started just after the home theatre. I was going at both of them at the same time. Same as above, slowdowns, all security software shut down. The front USB ports stopped working. The dvd burner, a mobo and a video card went next. I had two video cards in SLI. One survived. I replaced the mobo and have only turned that machine on about once a month since December. I checked the logs in the router one day from that machine and watched the network card go into promiscuous mode. I hit the button on the power supply. I wanted to shut it off ASAP.
That router, by the way, died shortly afterwards.
There is also a dual-core Athlon notebook here. That runs Vista, or used to. I tried to boot it one day and it wouldn't. It also wouldn't boot from either a Windows or Ubuntu DVD from the internal DVD drive. I thought that it was dead. I plugged in a USB burner and it booted into the Ubuntu disk right away. The hard drive was corrupted and so was the MBR. I reinstalled Vista. The same thing happened again a few days later. It now has Ubuntu on it. No more problems.
The cable modem was the next victim. It just stopped working. The tech left me on hold for about 15 minutes while he talked to his boss. When he pinged the modem, it returned a string of weird characters that neither one had ever seen before. Both of them were freaked right out.
Speaking of being freaked out, I pulled out an old P4 laptop. (Running out of equipment, at this point). I went on the web, updated everything and the pages started to scroll on their own after a few minutes. I saw the webcam start up. I flipped the bird, and my Ukrainian friend started yelling at the screen in Russian. I shut it down and of course, reformatted.
The XP netbook got killed a few days later. As soon as I started it up, the CPU temp would just climb up to 90 degrees C almost immediately. The mobo gave out.
I got a new netbook running Win 7 Starter. I put in the AV, attached a cable and went online to get my updates. Immediately after, I did a system image. The @#@$% thing was trashed within two hours. Norton had expired and I tried MS Security Essentials. It just shut it down. I got in the car and bought a copy of ESET. That found several trojans, trojan droppers and a keylogger on the first run, all related to fake AV infections. It never found anything again. Within two weeks, it was trashed again. I came here and ran DDS and GMER. It seemed to indicate a keylogger was still present and TDL3 was suspected. Tried TDSSKiller and Hitman Pro. Nope. Ran ComboFix and trashed it. I pulled out my System Image, reformatted it and I think that the Image is infected. I ran TDL3 and GMER right away. It looks to me like I still have a keylogger and TDL3 may be present.
I installed Anonymizer Universal last week because I was scared of everything that is going on. That is now shutting itself off and will not reconnect when connected to my home network. I tethered my phone to the netbook and it works ok. Took it to McDonald's, it also works ok there.
Sorry for the long post, but this is what happened. Here are my logs from the new netbook:
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by USER at 15:05:16 on 2011-06-23
Microsoft Windows 7 Starter 6.1.7601.1.1252.1.1033.18.2036.1272 [GMT -4:00]
.
AV: ESET Smart Security 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET Smart Security 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\aestsrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP CloudDrive\zumodrive.exe
C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\ProgramData\{2C4A57D6-4F0C-49A4-9A3F-89423FD797DC}\Anonymizer_Universal_Setup.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0566.0\msneshellx.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0566.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Anonymizer Universal] c:\program files\anonymizer\anonymizer universal\Anonymizer Universal.exe /hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [HP] c:\program files\hewlett-packard\hp quicksync\QuickSync.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [ZumoDrive] "c:\program files\hewlett-packard\hp clouddrive\ZumoLauncher.lnk"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{00102A2A-9972-452D-B8C7-06B0ABF5CA0A} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{E746CBA7-25F0-43B5-978F-FBE6D3933C4E} : DhcpNameServer = 192.168.0.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\61cmexs2.default\
FF - prefs.js: browser.startup.homepage - hxxp://ca.my.msn.com/?lang=en-ca
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_5576240ee6baaa25\AEstSrv.exe [2010-3-25 81920]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-9-11 38240]
R2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\qualcomm\qdlservice2k\QDLService2kHP.exe [2010-1-19 330488]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-4-14 45736]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-3-25 29472]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-4-12 228408]
R3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\drivers\qcfilterhp2k.sys [2010-1-19 5248]
R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\drivers\qcusbnethp2k.sys [2010-1-19 206848]
R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\drivers\qcusbserhp2k.sys [2010-1-19 106368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-3-25 174592]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-25 204288]
S3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2010-1-7 375808]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-5-5 52224]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-13 311296]
.
=============== Created Last 30 ================
.
2011-06-23 17:57:23 -------- d-----w- c:\users\user\appdata\roaming\Anonymizer
2011-06-23 17:57:10 -------- d-----w- c:\programdata\Anonymizer
2011-06-23 17:57:10 -------- d-----w- c:\program files\Anonymizer
2011-06-23 17:57:06 -------- dc-h--w- c:\programdata\{2C4A57D6-4F0C-49A4-9A3F-89423FD797DC}
2011-06-23 17:56:40 -------- d-----w- c:\users\user\appdata\local\PackageAware
2011-06-23 06:38:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-23 06:38:00 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-23 06:37:58 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-23 06:36:05 -------- d-----w- c:\users\user\appdata\roaming\Verizon Wireless
.
==================== Find3M ====================
.
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-06 00:56:00 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-05-06 00:56:00 161792 ----a-w- c:\windows\system32\msls31.dll
2011-05-06 00:56:00 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-05-06 00:56:00 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-05-05 22:48:37 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-03 04:30:02 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 02:46:33 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-29 02:46:15 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 02:46:10 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:17:36 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-27 02:17:28 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-27 02:17:22 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 04:31:30 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-04-25 02:18:03 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-04-22 19:14:16 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-04-09 06:02:25 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-04-09 06:02:25 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: ST925041 rev.0006 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x81A03000]<< >>UNKNOWN [0x8842F000]<< >>UNKNOWN [0x89270000]<< >>UNKNOWN [0x88283000]<< >>UNKNOWN [0x81E15000]<< >>UNKNOWN [0x88614000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x81A3A52F] -> \Device\Harddisk0\DR0[0x857A8AC8]
\Driver\Disk[0x857A79A8] -> IRP_MJ_CREATE -> 0x8843339F
3 [0x8843359E] -> ntkrnlpa!IofCallDriver[0x81A3A52F] -> [0x84DA4900]
\Driver\ACPI[0x840AE030] -> IRP_MJ_CREATE -> 0x8828C4CC
5 [0x8828C3D4] -> ntkrnlpa!IofCallDriver[0x81A3A52F] -> \Device\Ide\IAAStorageDevice-0[0x84D50028]
\Driver\iaStor[0x84D37F38] -> IRP_MJ_CREATE -> 0x8865892E
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:06:36.51 ===============
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-23 16:44:00
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST925041 rev.0006
Running: gmer.exe; Driver: C:\Users\USER\AppData\Local\Temp\pgddqpoc.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKey + 13C1 81A91339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81ACAD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A734B000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A734B123 629 Bytes [65, 34, A7, FE, 05, 34, 65, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A734B399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A734B3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B A734B4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1052] ntdll.dll!LdrLoadDll 777B22B8 5 Bytes JMP 003D1410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1052] USER32.dll!GetWindowInfo 762A4B5E 5 Bytes JMP 64BA9437 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1760] kernel32.dll!SetUnhandledExceptionFilter 77233D01 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer Universal.exe[2928] KERNEL32.dll!LoadLibraryExW 77224775 5 Bytes JMP 10005B50 C:\Program Files\Anonymizer\Anonymizer Universal\Anonymizer.System.dll (rscoree/Remotesoft, Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000071 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\00000098 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000009a bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\78e400ff082c
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\f07bcb9c40af
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\78e400ff082c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\f07bcb9c40af (not active ControlSet)
---- EOF - GMER 1.0.15 ----
This post has been edited by Muttz: 24 June 2011 - 03:46 PM
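The GMER section of the log above reads sector 0 twice, once through the normal user-mode path ("user: MBR read successfully") and once at the driver level ("kernel: MBR read successfully"), and reports "user & kernel MBR OK" only when the two copies agree; an MBR bootkit that hooks the disk stack can hand a clean sector to user-mode readers while the real one stays on disk. The example below is added here to show what that comparison actually looks at; it is not code from the poster, from GMER or from any other tool. It parses a 512-byte MBR (boot code, the four partition entries, the 0x55AA signature) and diffs two captures of it. The `WIN7_MBR_PROLOGUE` bytes are the machine-code encoding of the instruction sequence GMER printed for the kernel-read MBR (`XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; ...`), the standard Windows 7 MBR prologue; the "clean" and "infected" sectors are constructed for the demonstration (the infected one just redirects the first instruction into the unused tail of the boot code, which is the general bootkit pattern, not a sample of TDL3 or any real family). On a real machine you would compare against a trusted full-sector copy of the same disk's MBR rather than a prefix.

```python
"""Parse a 512-byte MBR and diff two captures of it (user-mode vs. kernel-mode
read), the idea behind GMER's "user & kernel MBR OK" verdict.  Added example;
sample sectors are constructed inline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE_OFF = 510            # 0x55AA boot signature in the last two bytes
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA, count

# Encoding of the instruction sequence GMER printed for the kernel-read MBR
# (XOR AX,AX; MOV SS,AX; MOV SP,0x7C00; MOV ES,AX; MOV DS,AX; MOV SI,0x7C00;
# MOV DI,0x600; MOV CX,0x200; CLD; REP MOVSB; PUSH AX; PUSH 0x61C; RETF; STI;
# MOV CX,4; MOV BP,0x7BE; CMP BYTE [BP+0],0).  Used only as a reference prefix.
WIN7_MBR_PROLOGUE = bytes.fromhex(
    "33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400bdbe07807e0000"
)


def parse_mbr(sector: bytes) -> dict:
    """Return boot-code hash, signature check, prologue check and the non-empty
    partition entries of one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "has_signature": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "standard_prologue": sector.startswith(WIN7_MBR_PROLOGUE),
        "partitions": partitions,
    }


def compare_mbr(user_view: bytes, kernel_view: bytes) -> list:
    """Mirror the user-vs-kernel comparison: any difference between the two
    reads of sector 0 means something between the user-mode API and the disk
    is rewriting what callers see.  Returns a list of finding strings."""
    findings = []
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    if u["boot_code_sha256"] != k["boot_code_sha256"]:
        findings.append("boot code differs between user-mode and kernel-mode reads")
    if user_view[PART_TABLE_OFF:SIGNATURE_OFF] != kernel_view[PART_TABLE_OFF:SIGNATURE_OFF]:
        findings.append("partition table differs between user-mode and kernel-mode reads")
    for name, view in (("user", u), ("kernel", k)):
        if not view["has_signature"]:
            findings.append(f"{name} MBR lacks 0x55AA signature")
        if not view["standard_prologue"]:
            findings.append(f"{name} MBR boot code does not start with the standard Windows 7 prologue")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed clean MBR: standard prologue, zero-padded boot code, one
    bootable NTFS (type 0x07) partition starting at LBA 2048."""
    code = WIN7_MBR_PROLOGUE.ljust(BOOT_CODE_LEN, b"\x00")
    table = PART_ENTRY.pack(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table += b"\x00" * 48                    # three empty entries
    return code + table + b"\x55\xaa"


def build_infected_mbr(clean: bytes) -> bytes:
    """Constructed 'infected' variant: the first instruction becomes a short
    jump (EB 7E -> offset 0x80) into a stub placed in the unused tail of the
    boot code, leaving partition table and signature untouched.  Illustrative
    only, not a sample of any real bootkit."""
    patched = bytearray(clean)
    patched[0:2] = b"\xeb\x7e"
    patched[0x80:0x84] = b"\xb8\x00\x00\xcb"   # placeholder stub: MOV AX,0; RETF
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    infected = build_infected_mbr(clean)
    print("clean vs clean  :", compare_mbr(clean, clean) or "user & kernel MBR OK")
    print("clean vs hooked :", compare_mbr(clean, infected))
    print("partitions      :", parse_mbr(clean)["partitions"])
```

Run it and the clean/clean comparison comes back empty, while the clean/infected pair reports both a boot-code mismatch and a missing standard prologue on the kernel side. Note what the check does not cover: a bootkit that hooks below the point where the "kernel" copy is read (GMER's trace above walks down through `\Driver\Disk`, `\Driver\ACPI` and `\Driver\iaStor` for exactly that reason) returns the same forged sector to both readers, which is why a copy taken from an offline boot of the disk is the only comparison that settles the question.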