
I've got trouble


  • This topic is locked
11 replies to this topic

#1 jigglestick

jigglestick

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 15 April 2010 - 11:27 AM

In response to a PM request, this is for Boopme.

Please excuse my ignorance in this matter.

I followed an old related thread and did the step-by-step instructions, and I removed a lot of bad stuff, but I am still getting pop-ups from avast, so I know there are still demons on board.

Help.

Here are the logs from Malwarebytes.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3953

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 12:05:01 PM
mbam-log-2010-04-04 (12-05-01).txt

Scan type: Quick scan
Objects scanned: 142769
Time elapsed: 12 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nmklo.dll (Spyware.Zbot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\gvtl (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet AntiVirus Pro_is1 (Rogue.InternetAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appialt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getdo (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet antivirus pro (Rogue.InternetAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\helper (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nmklo.dll (Spyware.Agent.H) -> Delete on reboot.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvun.exe (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wuasirvy.dll (Trojan.Banker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iGSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iMSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iPSh.png (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rasqervy.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\sdfinacs.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\sdfixwcs.dll (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Helper\bin\liveu.exe (Trojan.Agent) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3953

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/4/2010 4:34:16 PM
mbam-log-2010-04-04 (16-34-16).txt

Scan type: Quick scan
Objects scanned: 1
Time elapsed: 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3953

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/5/2010 12:59:04 PM
mbam-log-2010-04-05 (12-59-04).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 190511
Time elapsed: 48 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getdo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> Quarantined and deleted successfully.




Please inform me what else you require to help you help me.
Thank you.
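The three logs above carry two points worth pulling out mechanically: nmklo.dll was only scheduled for "Delete on reboot" (so the first log does not confirm it is gone), and the getdo Run value and flacor.dat were "Quarantined and deleted" on 4 April and found again on 5 April, which means something recreated them. The script below is an added example, not part of the thread and not Malwarebytes' own tooling. It parses MBAM 1.x text logs, flags deferred removals and autostart/self-defence locations, and reports items that recur across scans. The two embedded logs are constructed, abbreviated copies in MBAM's log format; the persistence patterns are my own choice of locations to watch.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Added example, not part of the original thread. It parses the detection
lines MBAM writes under each "... Infected:" heading
("<item> (<detection>) -> <action>") and reports:
  * items whose action is "Delete on reboot" (removal not yet confirmed),
  * items in autostart / self-defence locations (Run keys, the key that
    holds AppInit_DLLs, the Security Center *DisableNotify switches),
  * items that show up again in a later scan (removal did not hold).
The two logs below are constructed, abbreviated copies of the log format.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<det>[^()]+)\) -> (?P<action>.+)$")

# Registry locations that give code a foothold or silence OS warnings
# (assumed list for this example; extend as needed).
PERSISTENCE_PATTERNS = (
    r"\\CurrentVersion\\Run\\",                  # per-user / per-machine Run keys
    r"\\Windows NT\\CurrentVersion\\Windows\\",  # key holding AppInit_DLLs
    r"\\Security Center\\\w+DisableNotify",      # AV / firewall / update nag switches
)


def parse_mbam_log(text):
    """Return (scan_timestamp, records); each record is a dict with
    section, item, det (detection name) and action."""
    ts, section, records = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER_RE.match(line):
            ts = line
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            records.append({"section": section, **m.groupdict()})
    return ts, records


def triage(log_texts):
    """Cross-scan summary over several MBAM logs (pass them oldest first)."""
    scans_seen = defaultdict(set)  # item -> set of scan timestamps it appeared in
    deferred, persistence = set(), set()
    for text in log_texts:
        ts, records = parse_mbam_log(text)
        for r in records:
            scans_seen[r["item"]].add(ts)
            if "reboot" in r["action"].lower():
                deferred.add(r["item"])
            if any(re.search(p, r["item"], re.IGNORECASE) for p in PERSISTENCE_PATTERNS):
                persistence.add(r["item"])
    recurring = {item: sorted(ts_set) for item, ts_set in scans_seen.items()
                 if len(ts_set) > 1}
    return {"deferred": sorted(deferred), "persistence": sorted(persistence),
            "recurring": recurring}


# Constructed sample logs (abbreviated, MBAM 1.45 format).
SCAN_APR_4 = r"""
Malwarebytes' Anti-Malware 1.45
Database version: 3953

4/4/2010 12:05:01 PM
mbam-log-2010-04-04 (12-05-01).txt

Scan type: Quick scan

Memory Modules Infected:
C:\WINDOWS\system32\nmklo.dll (Spyware.Zbot) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appialt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getdo (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nmklo.dll (Spyware.Agent.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SCAN_APR_5 = r"""
4/5/2010 12:59:04 PM
mbam-log-2010-04-05 (12-59-04).txt

Scan type: Full scan (C:\|D:\|)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getdo (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    report = triage([SCAN_APR_4, SCAN_APR_5])
    for key, value in report.items():
        print(f"== {key} ==")
        if isinstance(value, dict):
            for item, scans in value.items():
                print(f"  {item}  seen in: {', '.join(scans)}")
        else:
            for item in value:
                print(f"  {item}")
```

Anything listed under "recurring" is the item to chase: a Run value that comes back after quarantine points at whatever writes it, not at the value itself.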


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:34 AM

Posted 15 April 2010 - 12:53 PM

Now we need these.

Next, run ATF and SAS. If you cannot access Safe Mode, run them in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter Safe Mode (XP) using the F8 method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER.
Open it from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system, click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in Safe Mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.


Please ask any needed questions, post logs and let us know how the PC is running now.
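A saved gmer.log from the procedure above is long and repetitive, and the useful questions are always the same: which driver owns each kernel hook (a security product's own self-protection driver hooking the SSDT is expected; a hook with no owning module is not), which user-mode APIs are inline-hooked in which processes, and whether the JMP targets look like a DLL loaded at a fixed base or like code injected separately into every process. The script below is an added example, not part of the thread and not GMER's own tooling. The sample lines are constructed in GMER 1.0.15's text format; the 64 KiB alignment check is my heuristic (VirtualAlloc allocation granularity), a prompt for manual review rather than proof of anything.

```python
"""Triage helper for a saved GMER log (gmer.log).

Added example, not part of the original thread. The sample log is
constructed in GMER 1.0.15's text format. The script:
  * attributes kernel hooks (SSDT / inline) to the driver GMER names, so
    hooks owned by an installed security product can be set aside and only
    unattributed hooks are left for manual review;
  * builds, per process, the set of user-mode APIs that are inline-hooked
    and groups processes that share the same hook set;
  * flags APIs whose JMP targets are 64 KiB-aligned (VirtualAlloc allocation
    granularity) and differ between processes: a heuristic for a trampoline
    allocated inside each process rather than a hooking DLL at a fixed base.
"""
import re
from collections import defaultdict

ALLOC_GRANULARITY = 0x10000

SSDT_RE = re.compile(
    r"^(?:SSDT|Code)\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?$")
KINLINE_RE = re.compile(
    r"^(?:\.text|PAGE|INIT)\s+(?P<image>\S+)!(?P<func>[\w+ ]+?)\s+(?P<addr>[0-9A-F]{8})"
    r"\s+\d+ Bytes\s+(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?$")
UINLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<api>\w+)"
    r"\s+(?P<addr>[0-9A-F]{8})\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})$")


def parse_gmer(text):
    """Return (kernel_hooks, user_hooks) parsed from GMER's text output."""
    kernel, user = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = UINLINE_RE.match(line)
        if m:
            user.append(m.groupdict())
            continue
        m = SSDT_RE.match(line) or KINLINE_RE.match(line)
        if m:
            d = m.groupdict()
            kernel.append({"func": d["func"].strip(), "module": d.get("module")})
    return kernel, user


def kernel_hooks_by_owner(kernel):
    """Map owning driver (or 'UNATTRIBUTED') -> sorted hooked function names."""
    owners = defaultdict(set)
    for h in kernel:
        owners[h["module"] or "UNATTRIBUTED"].add(h["func"])
    return {k: sorted(v) for k, v in owners.items()}


def user_hook_sets(user):
    """Map frozenset of 'dll!api' -> sorted 'process[pid]' names sharing it."""
    per_proc = defaultdict(set)
    for h in user:
        per_proc[f'{h["proc"]}[{h["pid"]}]'].add(f'{h["dll"].lower()}!{h["api"]}')
    groups = defaultdict(list)
    for proc, apis in per_proc.items():
        groups[frozenset(apis)].append(proc)
    return {k: sorted(v) for k, v in groups.items()}


def injected_trampoline_hooks(user):
    """Heuristic: APIs whose JMP target is allocation-granularity aligned and
    differs from process to process (per-process injected code)."""
    targets = defaultdict(set)
    for h in user:
        targets[f'{h["dll"].lower()}!{h["api"]}'].add(int(h["target"], 16))
    return sorted(api for api, t in targets.items()
                  if len(t) > 1 and all(x % ALLOC_GRANULARITY == 0 for x in t))


# Constructed sample in GMER 1.0.15 format (not a real capture).
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA3255628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA3255E4C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA3F12320]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 247C 80501CB4 4 Bytes CALL 62F3420F
PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP A3262460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE0000
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20000
.text C:\WINDOWS\Explorer.EXE[1720] USER32.dll!GetMessageW 7E41A1EC 5 Bytes JMP 5D18C2F4
.text C:\WINDOWS\AGRSMMSG.exe[2320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01000000
.text C:\WINDOWS\AGRSMMSG.exe[2320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01040000
.text C:\WINDOWS\AGRSMMSG.exe[2320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015D0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01510000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FA0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01410000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01350000
"""

if __name__ == "__main__":
    kernel, user = parse_gmer(SAMPLE_LOG)
    for owner, funcs in kernel_hooks_by_owner(kernel).items():
        print(f"kernel hooks owned by {owner}: {', '.join(funcs)}")
    for apis, procs in user_hook_sets(user).items():
        print(f"{len(procs)} process(es) share hooks on {sorted(apis)}: {procs}")
    print("likely per-process trampolines:", injected_trampoline_hooks(user))
```

Run it against a real gmer.log with `parse_gmer(open("gmer.log").read())`. The interesting output is the "UNATTRIBUTED" bucket and any API that several unrelated processes hook with a different, 64 KiB-aligned target in each; a legitimately installed hooking DLL normally lands at the same base everywhere, so varying targets are the thing to explain.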

#3 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 15 April 2010 - 02:20 PM

Both ATF and SAS were downloaded, saved to the desktop, and run in Safe Mode the first go-round.
Should I run them again now?

I tried to find logs for these but I could not.
I don't remember if they were saved to a file, or where they are.
I'll look again...

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:34 AM

Posted 15 April 2010 - 02:45 PM

Sometimes this happens and it comes back after a shutdown and reboot. Also, it sometimes shows up in the Admin or another user account.

How is it running?

Please run GMER.

#5 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 15 April 2010 - 02:53 PM

Here is the log from SAS...

I will go through the GMER now.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/05/2010 at 02:08 PM

Application Version : 4.35.1002

Core Rules Database Version : 4744
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:27:19

Memory items scanned : 259
Memory threats detected : 0
Registry items scanned : 4944
Registry threats detected : 26
File items scanned : 20995
File threats detected : 8

Adware.Gamevance
HKLM\Software\Classes\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\InprocServer32#ThreadingModel
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\ProgID
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\Programmable
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\TypeLib
HKCR\CLSID\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}\VersionIndependentProgID
HKCR\GamevanceText.Linker.1
HKCR\GamevanceText.Linker.1\CLSID
HKCR\GamevanceText.Linker
HKCR\GamevanceText.Linker\CLSID
HKCR\GamevanceText.Linker\CurVer
HKCR\TypeLib\{014C4232-6904-47B9-9144-7E0FB7277444}
C:\PROGRAM FILES\GAMEVANCE\GVTL.DLL
HKU\S-1-5-21-1519457148-2354007888-860844326-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}
HKCR\AppId\GamevanceText.DLL
HKCR\AppId\GamevanceText.DLL#AppID

Browser Hijacker.Favorites
C:\Documents and Settings\Administrator\Favorites\Pharmacy\Minnesota RxConnect Minnesota RxPrice Compare.url
C:\Documents and Settings\Administrator\Favorites\Pharmacy

Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP350\A0050246.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP350\A0050248.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP350\A0050249.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP350\A0050250.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1E2B5DEE-A9DF-4BEB-80A4-D17E3B9C3CEA}\RP350\A0050258.EXE

#6 jigglestick

jigglestick
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:02:34 AM

Posted 15 April 2010 - 04:34 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 16:25:58
Windows 5.1.2600 Service Pack 3
Running: g8qj1bnr.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtyapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA3255C56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA3255B12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA32560C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA3255FF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA32556E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA3255BEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA3255628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA325568C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA3255D0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA3256194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA3255CCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA3255E4C]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA3F12320]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA32624FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA3262322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA326245C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 247C 80501CB4 4 Bytes CALL 62F3420F
PAGE ntkrnlpa.exe!ZwLoadDriver 805795FA 7 Bytes JMP A3262460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 805A075C 7 Bytes JMP A3262326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1CE0 5 Bytes JMP A325E4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 805B8B58 5 Bytes JMP A325F972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP A3262502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtyapob.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE0000
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F20000
.text C:\WINDOWS\Explorer.EXE[1720] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00F00000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01000000
.text C:\WINDOWS\AGRSMMSG.exe[2320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01040000
.text C:\WINDOWS\AGRSMMSG.exe[2320] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01020000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01650000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01610000
.text C:\WINDOWS\AGRSMMSG.exe[2320] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01630000
.text C:\WINDOWS\AGRSMMSG.exe[2320] WS2_32.dll!send 71AB4C27 5 Bytes JMP 015D0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01550000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01060000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 014F0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01590000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 014D0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01530000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 015B0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01510000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01570000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 014B0000
.text C:\WINDOWS\AGRSMMSG.exe[2320] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 01080000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01060000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010A0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01080000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01600000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 015C0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 015E0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01580000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01500000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01420000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 014A0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01540000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01480000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 014E0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 01560000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 014C0000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01520000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 01460000
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2420] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 01440000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00990000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 009B0000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 00B90000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 00B50000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 00B70000
.text C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe[2624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 009F0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01620000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01660000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01640000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017E0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01860000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01820000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01840000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01760000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01680000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01700000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 017A0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 016E0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01740000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 017C0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01720000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01780000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 016C0000
.text C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe[2736] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 016A0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FA0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FE0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 00FC0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01500000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01450000
.text C:\Program Files\Messenger\msmsgs.exe[2792] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01470000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01410000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01390000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 012B0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01330000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 013D0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01310000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01370000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 013F0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01350000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 013B0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 012F0000
.text C:\Program Files\Messenger\msmsgs.exe[2792] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 012D0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01330000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01370000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01350000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01570000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01530000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01550000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WS2_32.dll!send 71AB4C27 5 Bytes JMP 014F0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01470000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetReadFile 3D94654B 5 Bytes JMP 01390000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01410000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 014B0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 013F0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01450000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 014D0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01430000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01490000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetReadFileExW 3D963349 5 Bytes JMP 013D0000
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2848] WININET.dll!InternetReadFileExA 3D963381 5 Bytes JMP 013B0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01820000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01860000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 01840000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01A60000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01A20000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01A40000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019E0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01960000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01880000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01900000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 019A0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 018E0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01940000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 019C0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01920000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01980000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 018C0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 018A0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012B0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012F0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 012D0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01BA0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 01B60000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 01B80000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01B20000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01AA0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 019C0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 01A40000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01AE0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01A20000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01A80000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 01B00000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 01A60000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01AC0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 01A00000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 019E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EB0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01500000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 014E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01700000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ADVAPI32.dll!CryptImportKey 77DEA1F1 5 Bytes JMP 016C0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] ADVAPI32.dll!CryptGenKey 77E11849 5 Bytes JMP 016E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01680000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!CommitUrlCacheEntryA 3D940F78 5 Bytes JMP 01600000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 01520000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetQueryDataAvailable 3D94BF7F 5 Bytes JMP 015A0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 01640000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 01580000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 015E0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 01660000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!HttpSendRequestA 3D95EE89 5 Bytes JMP 015C0000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!CommitUrlCacheEntryW 3D963085 5 Bytes JMP 01620000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetReadFileExW 3D963349 5 Bytes JMP 01560000
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[3900] wininet.dll!InternetReadFileExA 3D963381 5 Bytes JMP 01540000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- EOF - GMER 1.0.15 ----



I keep getting a warning pop-up from avast.
I did disable it while I was running GMER, and it ran without a hitch, by the way.

The notification on the avast pop-up says win32syspatch[wrm].

What next?
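
An added triage example, not part of this thread and not code from GMER or any named product: every hook line in the log above has the same shape, so the hooks can be parsed and summarized mechanically instead of read one by one. The script below is the editor's own; SAMPLE_LOG is a constructed subset of lines copied verbatim from the log above (two of the hooked processes plus the two services.exe IAT entries), and its two heuristics are the editor's assumptions: a JMP whose target is page-aligned and that GMER did not attribute to a loaded module is treated as a private trampoline, and an import thunk value below 0x00400000 is treated as redirected, because on 32-bit Windows XP the system DLLs load far above that. It reports which APIs are hooked in every listed process, how many hooks jump into unattributed memory, and which services.exe imports have been redirected.

```python
"""Triage of GMER 1.0.15 user-mode hook output (editor's added example).
SAMPLE_LOG is a constructed subset copied from the log in the thread above;
the two heuristics below are the editor's assumptions, not GMER's verdicts."""
import json
import re
from collections import defaultdict

# Inline hook line:
#   .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<owner module>]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<len>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$"
)
# Redirected import thunk line:
#   IAT <image>[<pid>] @ <importer> [<module>!<export>] <value>
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>\S.*?)\s+"
    r"\[(?P<module>[\w.]+)!(?P<export>\w+)\]\s+(?P<value>[0-9A-Fa-f]{8})$"
)

# Constructed sample: verbatim lines from the GMER log above, two processes only.
SAMPLE_LOG = r"""
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01820000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01860000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01A60000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] WS2_32.dll!send 71AB4C27 5 Bytes JMP 019E0000
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3360] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01940000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012B0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 012F0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ADVAPI32.dll!CryptDeriveKey 77DE9FFD 5 Bytes JMP 01BA0000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] ws2_32.dll!send 71AB4C27 5 Bytes JMP 01B20000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 01A80000
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3468] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 019C0000
IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[996] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
""".strip().splitlines()


def parse(lines):
    """Split GMER lines into inline-hook records and IAT records."""
    hooks, iat = [], []
    for raw in lines:
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["target"] = int(d["target"], 16)
            d["module"] = d["module"].lower()  # WS2_32.dll and ws2_32.dll are one module
            hooks.append(d)
            continue
        m = IAT_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["value"] = int(d["value"], 16)
            iat.append(d)
    return hooks, iat


def unattributed_jumps(hooks):
    """Hooks whose JMP lands on a page boundary in memory GMER did not attribute
    to any module (assumption: a private trampoline, not a product's own DLL)."""
    return [h for h in hooks if h["owner"] is None and h["target"] & 0xFFF == 0]


def shared_hook_set(hooks):
    """APIs hooked in every process that has at least one hook; a set shared by
    unrelated programs points to one payload injected system-wide."""
    per_pid = defaultdict(set)
    for h in hooks:
        per_pid[h["pid"]].add(f'{h["module"]}!{h["export"]}')
    return set.intersection(*per_pid.values()) if per_pid else set()


def redirected_imports(iat):
    """IAT values below the usual 0x00400000 image base cannot be inside a
    system DLL on 32-bit XP (those load at 0x77xxxxxx/0x7Cxxxxxx); assumed threshold."""
    return [f'{e["module"]}!{e["export"]}' for e in iat if e["value"] < 0x00400000]


def report(lines):
    hooks, iat = parse(lines)
    return {
        "processes": len({h["pid"] for h in hooks}),
        "hooks": len(hooks),
        "unattributed_jumps": len(unattributed_jumps(hooks)),
        "shared_apis": sorted(shared_hook_set(hooks)),
        "redirected_imports": redirected_imports(iat),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

The intersection is the useful number: a legitimate product that hooks one application shows up in one process, whereas the same crypto, socket, WinINet and file APIs hooked in a Bluetooth tray icon and in Internet Explorer alike (and, in the full log, in an HP imaging helper and a Google toolbar notifier as well) is one payload injected everywhere. The two services.exe entries matter separately: with CreateProcessW and CreateProcessAsUserW redirected in the service control manager, every service it starts passes through the hook.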

#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 April 2010 - 07:12 PM

Hello, we need to post a new topic in the Malware Removal forum to clean this. Title it ... pwtyapob.sys infection.

Please go here: Preparation Guide, and do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, and not here, thanks.
Use the GMER scan you posted above.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 jigglestick
  • Topic Starter
  • Members
  • 32 posts

Posted 16 April 2010 - 12:12 PM

Cannot access that forum....
"Sorry, you do not have permission to start a topic in this forum"

What exactly do I need to do to "disable script blocking programs",
as asked in step 7?

Edited by jigglestick, 16 April 2010 - 12:51 PM.


#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 April 2010 - 12:40 PM

You cannot access http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/ (Virus, Trojan, Spyware, and Malware Removal Logs)

#10 jigglestick
  • Topic Starter
  • Members
  • 32 posts

Posted 16 April 2010 - 12:57 PM

I retried and was able to start the new thread.
I must have done something wrong the first time.
I will take the rest of my correspondence there...

#11 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 April 2010 - 01:00 PM

It happens, that's why I wanted to check.

#12 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania

Posted 16 April 2010 - 03:00 PM
Posted 16 April 2010 - 03:00 PM

Since you successfully posted your logs, I am closing this topic to avoid confusion.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft