BleepingComputer.com: Another google search redirect problem...

Google search redirects in internet explorer and firefox, older laptop, previously used trend micro, then symantec endpoint, then avg (any traces of those should be gone, but apparently still show up on these logs), now running avira and malware bytes pro, neither one turns up any problems on the system. I apologize in advance for the number of programs and games, my fiance had a problem a while back, but they've been on there for quite some time and the redirect issue has been pretty recent. I repaired the windows installation a few months back after some trojan/virus/malware attack stopped allowing windows updates. Any help would be greatly appreciated. Thanks!


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-25 21:35:51
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1031GAS rev.AA204A
Running: gmer.exe; Driver: C:\DOCUME~1\MR5D72~1.NAT\LOCALS~1\Temp\pxtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xAFCCB328]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xAFCCA824]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwConnectPort [0xAFCC964C]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateFile [0xAFCD01F8]
SSDT BA75A646 ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreatePort [0xAFCC946A]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcess [0xAFCCADE4]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcessEx [0xAFCC7978]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateSection [0xAFCC74F2]
SSDT BA75A63C ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDebugActiveProcess [0xAFCC8D22]
SSDT BA75A64B ZwDeleteKey
SSDT BA75A655 ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDuplicateObject [0xAFCC932C]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwLoadDriver [0xAFCCA24C]
SSDT BA75A65A ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenFile [0xAFCD0554]
SSDT BA75A628 ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenSection [0xAFCC77B4]
SSDT BA75A62D ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0xAFCCA5D6]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwQueueApcThread [0xAFCCA940]
SSDT BA75A664 ZwReplaceKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRequestPort [0xAFCC9CB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0xAFCC9F14]
SSDT BA75A65F ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwResumeThread [0xAFCC90CE]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSecureConnectPort [0xAFCC986E]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSetContextThread [0xAFCC8BCC]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSetSystemInformation [0xAFCCAFDC]
SSDT BA75A650 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwShutdownSystem [0xAFCCA186]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSuspendProcess [0xAFCC91FE]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSuspendThread [0xAFCC8F7A]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSystemDebugControl [0xAFCC8E40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwTerminateProcess [0xAFCC8472]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwTerminateThread [0xAFCC8A66]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwUnloadDriver [0xAFCCA414]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0xAFCCA700]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 243C 80501C74 12 Bytes [6A, 94, CC, AF, E4, AD, CC, ...] {PUSH -0x6c; INT 3 ; SCASD ; IN AL, 0xad; INT 3 ; SCASD ; JS 0x83; INT 3 ; SCASD }
.text ntkrnlpa.exe!ZwCallbackReturn + 2778 80501FB0 12 Bytes [FE, 91, CC, AF, 7A, 8F, CC, ...]
? C:\DOCUME~1\MR5D72~1.NAT\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [7D, 71] {JGE 0x73}
.text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [7A, 71] {JP 0x73}
.text C:\WINDOWS\Explorer.EXE[136] kernel32.dll!LoadLibraryExW + C4 7C801BB9 2 Bytes CALL 00810001
.text C:\WINDOWS\Explorer.EXE[136] kernel32.dll!LoadLibraryExW + C7 7C801BBC 1 Byte [84]
.text C:\WINDOWS\Explorer.EXE[136] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71780F5A
.text C:\WINDOWS\Explorer.EXE[136] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\Explorer.EXE[136] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\Explorer.EXE[136] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 71750F5A
.text C:\WINDOWS\Explorer.EXE[136] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[136] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [8F, 71]
.text C:\WINDOWS\Explorer.EXE[136] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\WINDOWS\Explorer.EXE[136] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 71930F5A
.text C:\WINDOWS\Explorer.EXE[136] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\Explorer.EXE[136] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [8C, 71]
.text C:\WINDOWS\Explorer.EXE[136] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 71840F5A
.text C:\WINDOWS\Explorer.EXE[136] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 71810F5A
.text C:\WINDOWS\Explorer.EXE[136] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 718A0F5A
.text C:\WINDOWS\Explorer.EXE[136] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71870F5A
.text C:\WINDOWS\Explorer.EXE[136] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71990F5A
.text C:\WINDOWS\Explorer.EXE[136] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71960F5A
.text C:\WINDOWS\Explorer.EXE[136] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\WINDOWS\Explorer.EXE[136] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [6E, 71]
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [6B, 71]
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ntdll.dll!LdrGetProcedureAddress 7C917CF0 6 Bytes JMP 71630F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!VirtualProtectEx 7C801A61 6 Bytes JMP 71600F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AB0001
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71690F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!WriteProcessMemory 7C802213 6 Bytes JMP 715D0F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 718D0F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 71660F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71900F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [80, 71]
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 71840F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [7D, 71] {JGE 0x73}
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 71750F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 71720F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 717B0F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71780F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 718A0F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71870F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ole32.dll!CoCreateInstanceEx 774FF154 6 Bytes JMP 71960F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ole32.dll!CoCreateInstance 774FF1AC 6 Bytes JMP 71990F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] ole32.dll!CoGetClassObject 775151F5 6 Bytes JMP 71930F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Documents and Settings\Mr. Nation\Desktop\gmer\gmer.exe[204] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Online Armor\oasrv.exe[1176] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DC0001
.text C:\Program Files\Online Armor\oasrv.exe[1176] kernel32.dll!CreateRemoteThread + 174 7C810640 4 Bytes JMP 71A20000
.text C:\Program Files\Online Armor\oasrv.exe[1176] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 71A50F5A
.text C:\Program Files\Online Armor\oasrv.exe[1176] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Online Armor\OAhlp.exe[2244] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F60001
.text C:\Program Files\Online Armor\OAhlp.exe[2244] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 71A50F5A
.text C:\Program Files\Online Armor\OAhlp.exe[2244] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00920001
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 1068EDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 1068ED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104A5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104A5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2324] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!sendto 71AB2F51 6 Bytes JMP 715A0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!select 71AB30A8 6 Bytes JMP 71570F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 71660F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 71540F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 71630F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!send 71AB4C27 6 Bytes JMP 715D0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 71480F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!recv 71AB676F 6 Bytes JMP 714C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 71450F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 71510F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2672] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00AA0001
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3188] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Rundll32.exe[3224] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\Rundll32.exe[3224] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Rundll32.exe[3224] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!LoadLibraryExW + C4 7C801BB9 2 Bytes CALL 00810001
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!LoadLibraryExW + C7 7C801BBC 1 Byte [84]
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Rundll32.exe[3224] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\WINDOWS\system32\Rundll32.exe[3224] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\Rundll32.exe[3224] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\WINDOWS\system32\Rundll32.exe[3224] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\WINDOWS\system32\Rundll32.exe[3224] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\keyhook.exe[3252] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\keyhook.exe[3252] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\keyhook.exe[3252] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\keyhook.exe[3252] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009F0001
.text C:\WINDOWS\system32\keyhook.exe[3252] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\keyhook.exe[3252] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\WINDOWS\system32\keyhook.exe[3252] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\keyhook.exe[3252] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\WINDOWS\system32\keyhook.exe[3252] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\WINDOWS\system32\keyhook.exe[3252] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Launch Manager\QtZgAcer.EXE[3332] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\WLTRAY.exe[3400] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\WLTRAY.exe[3400] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\WLTRAY.exe[3400] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\WLTRAY.exe[3400] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\WINDOWS\system32\WLTRAY.exe[3400] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\WLTRAY.exe[3400] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\WINDOWS\system32\WLTRAY.exe[3400] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\WLTRAY.exe[3400] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\WINDOWS\system32\WLTRAY.exe[3400] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\WINDOWS\system32\WLTRAY.exe[3400] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\AGRSMMSG.exe[3432] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\AGRSMMSG.exe[3432] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\AGRSMMSG.exe[3432] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\AGRSMMSG.exe[3432] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A00001
.text C:\WINDOWS\AGRSMMSG.exe[3432] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\AGRSMMSG.exe[3432] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\WINDOWS\AGRSMMSG.exe[3432] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\AGRSMMSG.exe[3432] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\WINDOWS\AGRSMMSG.exe[3432] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\WINDOWS\AGRSMMSG.exe[3432] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[3584] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\SOUNDMAN.EXE[3584] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[3584] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\SOUNDMAN.EXE[3584] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A00001
.text C:\WINDOWS\SOUNDMAN.EXE[3584] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[3584] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\WINDOWS\SOUNDMAN.EXE[3584] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\SOUNDMAN.EXE[3584] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\WINDOWS\SOUNDMAN.EXE[3584] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\WINDOWS\SOUNDMAN.EXE[3584] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3628] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Online Armor\oaui.exe[3656] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00F70001
.text C:\Program Files\Online Armor\oaui.exe[3656] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 71A50F5A
.text C:\Program Files\Online Armor\oaui.exe[3656] user32.dll!LoadStringA 7E42C908 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 003F0001
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3692] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A40001
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3736] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A00001
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe[3764] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B20001
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!sendto 71AB2F51 6 Bytes JMP 71600F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!select 71AB30A8 6 Bytes JMP 715D0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 716C0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!ioctlsocket 71AB3F50 6 Bytes JMP 715A0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 71690F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!send 71AB4C27 6 Bytes JMP 71630F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 714E0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!recv 71AB676F 6 Bytes JMP 71520F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 714B0F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] WS2_32.dll!WSAAsyncSelect 71AC0991 6 Bytes JMP 71570F5A
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[3792] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A
.text C:\WINDOWS\system32\sistray.exe[4040] ntdll.dll!NtCreateSymbolicLinkObject 7C90D19E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\sistray.exe[4040] ntdll.dll!NtCreateSymbolicLinkObject + 4 7C90D1A2 2 Bytes [77, 71] {JA 0x73}
.text C:\WINDOWS\system32\sistray.exe[4040] ntdll.dll!NtOpenFile 7C90D59E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\sistray.exe[4040] ntdll.dll!NtOpenFile + 4 7C90D5A2 2 Bytes [74, 71] {JZ 0x73}
.text C:\WINDOWS\system32\sistray.exe[4040] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00A40001
.text C:\WINDOWS\system32\sistray.exe[4040] kernel32.dll!LoadLibraryA 7C801D7B 6 Bytes JMP 71720F5A
.text C:\WINDOWS\system32\sistray.exe[4040] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 71A20F5A
.text C:\WINDOWS\system32\sistray.exe[4040] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 71A50F5A
.text C:\WINDOWS\system32\sistray.exe[4040] kernel32.dll!CloseHandle 7C809BE7 6 Bytes JMP 71960F5A
.text C:\WINDOWS\system32\sistray.exe[4040] kernel32.dll!LoadLibraryW 7C80AEEB 6 Bytes JMP 716F0F5A
.text C:\WINDOWS\system32\sistray.exe[4040] kernel32.dll!CreateFileW 7C810800 6 Bytes JMP 71990F5A
.text C:\WINDOWS\system32\sistray.exe[4040] user32.dll!RegisterHotKey 7E41EBB3 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\sistray.exe[4040] user32.dll!RegisterHotKey + 4 7E41EBB7 2 Bytes [89, 71]
.text C:\WINDOWS\system32\sistray.exe[4040] user32.dll!ExitWindowsEx 7E45A275 6 Bytes JMP 719F0F5A
.text C:\WINDOWS\system32\sistray.exe[4040] user32.dll!DdeClientTransaction 7E46A6A2 6 Bytes JMP 718D0F5A
.text C:\WINDOWS\system32\sistray.exe[4040] user32.dll!RegisterRawInputDevices 7E46CE0E 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\sistray.exe[4040] user32.dll!RegisterRawInputDevices + 4 7E46CE12 2 Bytes [86, 71]
.text C:\WINDOWS\system32\sistray.exe[4040] GDI32.dll!DeleteDC 77F16E5F 6 Bytes JMP 717E0F5A
.text C:\WINDOWS\system32\sistray.exe[4040] GDI32.dll!BitBlt 77F16F79 6 Bytes JMP 717B0F5A
.text C:\WINDOWS\system32\sistray.exe[4040] GDI32.dll!CreateDCA 77F1B7D2 6 Bytes JMP 71840F5A
.text C:\WINDOWS\system32\sistray.exe[4040] GDI32.dll!CreateDCW 77F1BE38 6 Bytes JMP 71810F5A
.text C:\WINDOWS\system32\sistray.exe[4040] advapi32.dll!CreateServiceA 77E37211 6 Bytes JMP 71930F5A
.text C:\WINDOWS\system32\sistray.exe[4040] advapi32.dll!CreateServiceW 77E373A9 6 Bytes JMP 71900F5A
.text C:\WINDOWS\system32\sistray.exe[4040] WS2_32.dll!socket 71AB4211 6 Bytes JMP 71AF0F5A
.text C:\WINDOWS\system32\sistray.exe[4040] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 719C0F5A

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Emsisoft)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Emsisoft)
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Emsisoft)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x05 0x73 0x21 0xDD ...

---- EOF - GMER 1.0.15 ----

When I tried to attach the ark.txt file, as mentioned on the prep guide page, I got an error stating that I wasn't "permitted to upload this kind of file". I also tried renaming the ark file and zipping as well, obviously neither of those worked. Please let me know if I'm doing something incorrectly, or what the next step is. Thanks in advance!

I also should note that after reading a few of these posts, I was alerted to the fact that I was running a very old adobe reader 7. So just before I started the steps to post on here, I did uninstall 7 and replace it with 10.

EDIT: Posts merged ~Budapest

This post has been edited by Budapest: 26 June 2011 - 06:09 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

• The application window will appear
  
• Click the Disable button to disable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

Please download DDS by sUBs from one of the links below and save it to your desktop:


Download DDS and save it to your desktop

Link1
Link2
Link3

Please disable any anti-malware program that will block scripts from running before running DDS.


• Double-Click on dds.scr and a command window will appear. This is normal.
  
• Shortly after two logs will appear:
  
  • DDS.txt
    
  • Attach.txt
  
  
• A window will open instructing you save & post the logs
  
• Save the logs to a convenient place such as your desktop
  
• Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

• Please Download Rootkit Unhooker Save it to your desktop.
  
• Now double-click on RKUnhookerLE.exe to run it.
  
• Click the Report tab, then click Scan.
  
• Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  
• Wait till the scanner has finished and then click File, Save Report.
  
• Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following


• .logs from DDS
  
• log from RKUnHooker
  
• let me know of any problems you may have had

Gringo

Hello Gringo,
Thanks for your help. Before I got started on here I ran the defogger, and I thought I completed that DDS log in my first posting. Did I miss something, do I need to do that again as 5 days have passed? When I get home in a couple of hours I will run that last program you mentioned, RKUhooker, and post the log. Thanks again!
Brad

I like to see a new DDS report if more than 5n days have passed


malware can change on a daily bases

Gringo

Hello again Gringo, sorry I couldn't get to these last night, but here they are... I went through all the steps. I downloaded the RKunhooker from the link you provided, double clicked on it, clicked run, saw an hourglass for a few seconds, then nothing. Do I need to run it in safe mode?

The only other problem I've experienced besides the redirects, is when I first open a browser it seems really slow, like it gets hung up for a minute or so. Thanks again for the help.


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Mr. Nation at 11:55:44 on 2011-07-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.657 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Online Armor Firewall *Enabled*
FW: Symantec Endpoint Protection *Disabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Online Armor\oaui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LManager] c:\program files\launch manager\QtZgAcer.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [@OnlineArmor GUI] "c:\program files\online armor\oaui.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301128383500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167447739656
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://142.22.58.150/activex/AxisCamControl.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Coupons.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.gamehouse.com/realarcade-webgames/astropop/popcaploader.cab
DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v54/wwspades/wwspades.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.belo.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{76A53BBF-515B-48C4-8C8F-2129BDA0186B} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 69.249.196.166 idenupdate.motorola.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mr. nation\application data\mozilla\firefox\profiles\dic8xp6a.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-3-27 11608]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2011-3-27 202064]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [2011-3-27 38856]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2011-3-27 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2011-3-27 29272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-27 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-27 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-27 61960]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-5 366640]
R2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2011-3-27 380784]
R2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2011-3-27 3652696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-5 22712]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-9-26 297472]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2006-5-21 16194]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-7-21 42112]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys [2006-5-21 449888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [2006-9-5 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [2006-9-5 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [2006-9-5 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [2006-9-5 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [2006-9-5 69632]
S4 RFNP32;WebDrive; [x]
.
=============== Created Last 30 ================
.
2011-06-24 07:47:15 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-24 07:47:15 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-22 00:17:02 -------- d-----w- c:\program files\Paint
2011-06-16 05:16:01 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-06 16:55:30 183696 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-06-06 16:55:30 183696 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-06-27 16:43:53 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 08:52:22 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2007-06-28 08:19:25 774144 -c--a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 11:59:17.34 ===============



.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/22/2011 1:57:36 AM
System Uptime: 7/1/2011 11:48:50 AM (0 hours ago)
.
Motherboard: Acer, Inc. | | Lugano M
Processor: AMD Turion™ 64 Mobile Technology ML-30 | Socket A | 1600/400mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 45 GiB total, 0.763 GiB free.
D: is FIXED (FAT32) - 45 GiB total, 1.148 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SiS 900-Based PCI Fast Ethernet Adapter
Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_00831025&REV_91\3&267A616A&0&20
Manufacturer: SiS
Name: SiS 900-Based PCI Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_00831025&REV_91\3&267A616A&0&20
Service: SISNICXP
.
==== System Restore Points ===================
.
RP99: 6/17/2011 11:34:31 AM - System Checkpoint
RP100: 6/18/2011 11:51:13 PM - System Checkpoint
RP101: 6/19/2011 3:03:06 PM - Installed Java™ 6 Update 26
RP102: 6/20/2011 10:27:48 PM - System Checkpoint
RP103: 6/21/2011 8:16:58 PM - Paint.NET v3.5.8
RP104: 6/23/2011 2:15:08 PM - System Checkpoint
RP105: 6/24/2011 7:54:03 PM - System Checkpoint
RP106: 6/25/2011 4:21:39 PM - Removed Adobe Reader 7.1.0
RP107: 6/25/2011 4:40:54 PM - Installed Adobe Reader X (10.1.0).
RP108: 6/26/2011 7:34:49 PM - System Checkpoint
RP109: 6/27/2011 8:41:35 PM - System Checkpoint
RP110: 6/29/2011 4:31:46 AM - System Checkpoint
RP111: 6/30/2011 11:35:19 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
7 Wonders
ACDSee 4.0.1 Standard
Acer eManager for Notebook
Acer GridVista
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop 5.5
Adobe Reader X (10.1.0)
Adobe Shockwave Player
Agere Systems AC'97 Modem
AIM 6
Airport Mania
allTunes
Amazon Games & Software Downloader
Amazon MP3 Downloader 1.0.12
Apple Application Support
Apple Software Update
Ashampoo Burning Studio Elements 10.0.9
Atlantis
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
Azada
BBSAK
Bejeweled Deluxe 1.862
Big Fish Games Client
Big Kahuna Reef
Broadcom 802.11 Network Adapter
BurnAware Free 2.3.8
Cake Mania
CCleaner
Chainz 2 (remove only)
Chuzzle Deluxe 1.0
Cleaner 5 EZ
COLLAPSE!
CPCC E-Locker Webdrive
CrackUtil
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
Diner Dash
Drive Manager
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab 7.0.6.7 (30/05/2010)
DVDFab 8.0.6.8 (05/01/2011)
Egg vs. Chicken
Free FLV Converter V 6.8.0
Free M4a to MP3 Converter 6.1
Garmin Communicator Plugin
Garmin USB Drivers
Glary Utilities Pro 2.34.0.1190
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
iDEN Phonebook Manager
Inpaint 2.4
Java Auto Updater
Java™ 6 Update 26
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Jewel Quest 2
LAME v3.98.2 for Audacity
Launch Manager
Logitech Harmony Remote
Logitech Harmony Remote Software 7
Logitech SetPoint
Luxor 2 (remove only)
Mad Caps
Magic Berry
Magic Vines™
Malwarebytes' Anti-Malware version 1.51.0.1200
MediaMonkey 3.2
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WinUsb 1.0
Microsoft XML Parser
Motorola Driver Installation
Mozilla Firefox 5.0 (x86 en-US)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
NAVIGON Fresh 1.4.9
NETGEAR 108 Mbps Wireless PC Card WG511T
NoteWorthy Player
Online Armor 4.5
overland
Paint.NET v3.5.8
PayPal Plug-In
PhotoScape
PHP 4.3.9
Picasa 3
QBz
QuickTime
RealArcade
Realtek AC'97 Audio
Remote Control USB Driver
Ricochet Xtreme
Ricochet: Recharged
Samsung ML-2510 Series
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
Sparkle
SUPERAntiSpyware
Sveerz
Swarm Gold
Synaptics Pointing Device Driver
TagScanner 5.1 build 551
The Great Tree
The Scruffs
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC_MergeModuleToMSI
WD Diagnostics
WebFldrs XP
Wik and the Fable of Souls
Winamp
Windows Driver Package - (mr7910) Image 06/28/2005 1.3.0.0
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Service Pack 3
WinRAR archiver
WinX DVD Ripper Platinum 5.1.1
XviD & MP3 Codec Pack (remove only)
Zuma Deluxe 1.0
.
==== Event Viewer Messages From Past Week ========
.
6/25/2011 5:40:40 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond

within the timeout period.
6/25/2011 4:24:02 PM, error: Service Control Manager [7023] - The Application Management service

terminated with the following error: The specified module could not be found.
6/25/2011 10:43:09 AM, error: Service Control Manager [7000] - The SSPORT service failed to

start due to the following error: The system cannot find the file specified.
6/25/2011 10:43:09 AM, error: Service Control Manager [7000] - The DgiVecp service failed to

start due to the following error: The system cannot find the device specified.
6/25/2011 10:43:09 AM, error: Service Control Manager [7000] - The adfs service failed to start

due to the following error: The system cannot find the file specified.
.
==== End Of File ===========================

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hey Gringo!

I had no problems running combofix, no need for a restart. I haven't played with the browser to see if the redirects are still happening, I will check it out later this evening. Here is the log from combofix. Thanks again.



ComboFix 11-06-30.05 - Mr. Nation 07/01/2011 13:07:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.808 [GMT -4:00]
Running from: c:\documents and settings\Mr. Nation\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mr. Nation\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Mr. Nation\Application Data\Adobe\plugs
c:\documents and settings\Mr. Nation\Application Data\inst.exe
c:\documents and settings\Mr. Nation\Application Data\OfferBox
c:\documents and settings\Mr. Nation\Application Data\OfferBox\config.dat
c:\documents and settings\Mr. Nation\Application Data\OfferBox\config.xml
c:\documents and settings\Mr. Nation\Local Settings\Application Data\{2E9655BB-774D-4630-9C26-F1E6569470DD}
c:\documents and settings\Mr. Nation\Local Settings\Application Data\{2E9655BB-774D-4630-9C26-F1E6569470DD}\chrome.manifest
c:\documents and settings\Mr. Nation\Local Settings\Application Data\{2E9655BB-774D-4630-9C26-F1E6569470DD}\chrome\content\_cfg.js
c:\documents and settings\Mr. Nation\Local Settings\Application Data\{2E9655BB-774D-4630-9C26-F1E6569470DD}\chrome\content\overlay.xul
c:\documents and settings\Mr. Nation\Local Settings\Application Data\{2E9655BB-774D-4630-9C26-F1E6569470DD}\install.rdf
c:\documents and settings\Mr. Nation\WINDOWS
.
----- BITS: Possible infected sites -----
.
hxxp://au.download.windowsupdate.comj+|Cv+@J:NGD_DQ{zGD_DQ{zGD_DQ{zGD_DQ{z+@J:Nj+|CvadS-1-5-18`HT4?? 6VwoQZCDHMx
.
((((((((((((((((((((((((( Files Created from 2011-06-01 to 2011-07-01 )))))))))))))))))))))))))))))))
.
.
2011-07-01 06:14 . 2008-04-14 10:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2011-06-24 07:47 . 2011-06-24 07:47 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-24 07:47 . 2011-06-24 07:47 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-22 00:17 . 2011-06-22 00:17 -------- d-----w- c:\program files\Paint
2011-06-16 05:16 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 16:55 . 2011-06-06 16:55 183696 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-27 16:43 . 2011-05-13 06:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 13:11 . 2010-06-06 00:37 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-06-06 00:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 08:52 . 2011-05-01 12:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2007-05-28 01:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2006-05-21 18:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-04 00:56 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-03 23:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 00:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 00:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2004-08-04 00:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2004-08-03 22:59 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-03 23:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2007-06-28 08:19 . 2007-06-28 08:19 774144 -c--a-w- c:\program files\RngInterstitial.dll
2011-06-24 07:47 . 2011-05-14 01:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-05-19 86105]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"SiSPower"="SiSPower.dll" [2005-02-26 49152]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-03-10 28160]
"LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 88363]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"SoundMan"="SOUNDMAN.EXE" [2005-02-24 77824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-10 281768]
"@OnlineArmor GUI"="c:\program files\Online Armor\oaui.exe" [2010-10-27 2345000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-9-14 113664]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2006-5-21 331776]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2010-10-27 353992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Mr. Nation^Start Menu^Programs^Startup^BBYLP.EXE]
backup=c:\windows\pss\BBYLP.EXEStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msegmwra
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AmazonGSDownloaderTray]
2009-05-20 18:17 223744 ----a-w- c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/27/2011 5:50 PM 202064]
R1 oahlpXX;Online Armor helper driver;c:\windows\system32\drivers\oahlp32.sys [3/27/2011 5:50 PM 38856]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/27/2011 5:50 PM 25000]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/27/2011 5:50 PM 29272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/27/2011 2:35 AM 136360]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/5/2010 8:38 PM 366640]
R2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [3/27/2011 5:50 PM 380784]
R2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [3/27/2011 5:50 PM 3652696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/5/2010 8:37 PM 22712]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [9/26/2009 4:40 AM 297472]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [5/21/2006 5:15 PM 16194]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [7/21/2009 3:33 AM 42112]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys [5/21/2006 5:15 PM 449888]
S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);c:\windows\system32\drivers\pwi_bus.sys [9/5/2006 9:17 PM 55344]
S3 pwi_mdfl;Curitel PC Card Filter;c:\windows\system32\drivers\pwi_mdfl.sys [9/5/2006 9:17 PM 9200]
S3 pwi_mdm;Curitel PC Card Drivers;c:\windows\system32\drivers\pwi_mdm.sys [9/5/2006 9:17 PM 89936]
S3 pwi_oflt;Curitel PC Card OHCI Filter;c:\windows\system32\drivers\pwi_oflt.sys [9/5/2006 9:17 PM 9472]
S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);c:\windows\system32\drivers\pwi_serd.sys [9/5/2006 9:17 PM 69632]
S4 RFNP32;WebDrive; [x]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-01 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-10-09 12:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
FF - ProfilePath - c:\documents and settings\Mr. Nation\Application Data\Mozilla\Firefox\Profiles\dic8xp6a.default\
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
SafeBoot-klmdb.sys
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
AddRemove-WebDrive - h:\cpcc stuff\Uninst.isu
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-01 13:20
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(412)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-07-01 13:28:28
ComboFix-quarantined-files.txt 2011-07-01 17:28
.
Pre-Run: 663,003,136 bytes free
Post-Run: 679,763,968 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 423A4884B74CFE890D263FB093E6D82C

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1


and click on remove

Clear your Java Cache

• click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
  
  • On the General tab, under Temporary Internet Files, click the Settings button.
    
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    Applications and Applets
    Trace and Log Files
    
    
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    
  • Click OK to leave the Temporary Files Window
    
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM


• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis Installer
  
• Save HijackThis Installer to your desktop.
  
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following


• Log From MBAM
  
• report from Hijackthis
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Thanks Gringo, we may have fixed the problem... I tried searching via google, clicked on 10-15 links, and all but one worked. The one that didn't was when I searched for pizza, clicked to open a pizza hut link, and instead was sent to:

http://spe.atdmt.com/images/pixel.gif?gclid=CKjZvYKL46kCFQw75Qod1E0Aag

Otherwise, it may be fixed, fingers crossed...

The 1st time I opened and tried to run tfc, it froze up. I let the compupter sit for about 20 minutes, then had to force a shutdown. When it restarted all the hidden files were visable.

Upon restart tfc worked just fine, and was done in a couple of minutes.

Here's the mbam and hjt logs, let me know if I need to do anything else. Thanks again!



Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7004

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/2/2011 12:25:46 PM
mbam-log-2011-07-02 (12-25-46).txt

Scan type: Quick scan
Objects scanned: 164010
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:29:26 PM, on 7/2/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Online Armor\OAcat.exe
C:\Program Files\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Online Armor\oaui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Online Armor\OAhlp.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_26.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_26.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301128383500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167447739656
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://142.22.58.150/activex/AxisCamControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/realarcade-webgames/astropop/popcaploader.cab
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v54/wwspades/wwspades.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://remote.belo.com/dana-cached/sc/JuniperSetupClient.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Online Armor\OAcat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe (file missing)
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe (file missing)
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Online Armor\oasrv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 11223 bytes

This post has been edited by concordbrad: 02 July 2011 - 11:40 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

• Run HijackThis
  
• Click on the Scan button
  
• Put a check beside all of the items listed below (if present):
  
  
  O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
  O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
  O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
  O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
  O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
  O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
  O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
  
  
  
  
• Close all open windows and browsers/email, etc...
  
• Click on the "Fix Checked" button
  
• When completed, close the application.
  
  
  NOTE**You can research each of those lines >here< and see if you want to keep them or not
  just copy the name between the brakets and paste into the search space
  O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
• When asked, allow the activex control to install
  
  • Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  
• Click on Advanced Settings, ensure the options
  
  Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
  
• Wait for the scan to finish
  
• Click on copy to clipboard and paste the results here in this topic
  
• you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

Hey Gringo,
I disabled the startups that you mentioned, and successfully ran the ESET scan with no items found. I did a few more google searches and always ended up on the links that I clicked on, so it's looking like we may have wiped that bastard out. I'll continue to play with both of my browsers to try to catch any more redirects.

Anything else you can recommend for this tired old laptop? I have been happy using avira, but I was recently disappointed with it trying to install some ask.com toolbar (my online armor firewall caught it). Is there something better that's free, or should I be using something paid like ESET at this point?

Do I need to/how do I go about fixing or deleting any old system restore stuff? After all this troubleshooting, I noticed that a large, hidden, system restore folder has shown up on my d: drive where there never was one prior, do that sound right?

Thanks again!



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=ed6d4980f75ed344ad6d4b9cc2dc0044
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-03 02:39:23
# local_time=2011-07-02 10:39:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 7856899 7856899 0 0
# compatibility_mode=1797 16775141 100 93 0 45243922 0 0
# compatibility_mode=6401 16777213 66 100 3264602 20588227 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=139251
# found=0
# cleaned=0
# scan_time=10195

Hello

If you want to try a new antivirus then try this onw

Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

• turn off all active protection software
  
• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  
• please copy and past the following into the box ComboFix /Uninstall and click OK.
  
• Note the space between the X and the /Uninstall, it needs to be there.
  
• 

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  
• If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialise and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

• WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  
  
• Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  
  
• Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo

Hey again Gringo!
All seems pretty well with the PC. It's been a couple of days now without any redirects. I have uninstalled Avira, and Micro Security Essentials seems just fine. It might be faster as well, but it's hard to tell now that the computer seems to be running slightly faster as well.

I did everything listed in your last post, including finding some other out of date programs as well with the help of that secunia website scanner. I was a little overwhelmed with the link to make firefox more secure, do I really need to take all those steps, should I just use another browser?

If I'm running malwarebyte's pro monitor all the time, do you think having the other two antispyware programs you listed installed would be neccesary? Thanks again for all the help, I'll be making a donation. You guys provide a greatly needed service here.

I was a little overwhelmed with the link to make firefox more secure, do I really need to take all those steps, should I just use another browser?

This is probobly the hardest to get - I would do a little at a time till I get used to it - start with no script and when you learn how to use it then move to something else

If I'm running malwarebyte's pro monitor all the time, do you think having the other two antispyware programs you listed installed would be neccesary? Thanks again for all the help, I'll be making a donation. You guys provide a greatly needed service here.

they do a different job and work well together


gringo

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.