google redirect virus

#1 jdmiller52

Posted 05 August 2010 - 07:57 PM

When I ran the GMER scan, part way through the process the computer shut down. I tried to rerun the program and the same thing happened.

Orange Blossom,

Thank you for your help

jdmiller52


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jack at 20:03:42.26 on Thu 08/05/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3006.1578 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\wsqmcons.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jack\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\URD2UVHZ\Defogger[1].exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jack\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8PIT3EV3\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/;jsessionid=L4n
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\f-secure\nrs\iescript\baselitmus.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {DD662A0C-12FE-4B38-BA53-247F7EC82F46} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\f-secure\fsps\program\FSLSP.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,6064/mcfscan.cab

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2010-7-28 41256]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2010-7-28 68064]
R1 FSES;F-Secure Email Scanning Driver;c:\windows\system32\drivers\fses.sys [2010-7-28 35680]
R1 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2010-7-28 71040]
R1 fsvista;F-Secure Vista Support Driver;c:\program files\f-secure\anti-virus\minifilter\fsvista.sys [2010-7-28 12384]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-5-4 125960]
R1 SymSMR130;SMR Utility Service 1.3.0;c:\windows\system32\drivers\SymSMR130.SYS [2010-8-5 63536]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2010-7-28 215648]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-4-30 136448]
R2 PSINAFLT;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFILE;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-4-30 99336]
R2 PSINPROC;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
R2 PSINPROT;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-5-12 111176]
R2 vseamps;vseamps;c:\program files\common files\authentium\antivirus5\vseamps.exe [2010-4-8 117288]
R2 vsedsps;vsedsps;c:\program files\common files\authentium\antivirus5\vsedsps.exe [2010-4-8 117288]
R2 vseqrts;vseqrts;c:\program files\common files\authentium\antivirus5\vseqrts.exe [2010-4-8 154152]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2010-7-28 124072]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2010-7-28 57008]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2010-7-28 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2010-7-28 25184]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 20:05:28.09 ===============

Merged 2 posts and removed my reply. ~ OB

When Orange Blossom was helping me yesterday, I was not able to post the GMER log because my computer would shut down before completing the scan. Today it finished the scan, so I am reposting my files.

Thank you for your help

GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-06 16:55:33
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Jack\AppData\Local\Temp\kxldypoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwCreateThread [0x9068EE8C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwLoadDriver [0x9068F1BC]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwMapViewOfSection [0x9068EBCC]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwOpenSection [0x9068F5EE]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwRenameKey [0x9069088C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwSetSystemInformation [0x9068F43E]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwSuspendProcess [0x9068EA4C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwSuspendThread [0x9068EEC0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwSystemDebugControl [0x9068F042]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwTerminateProcess [0x9068E9A6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwTerminateThread [0x9068EB06]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwWriteVirtualMemory [0x9068EF86]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys ZwCreateThreadEx [0x9068EEA6]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 454 81CC5B18 4 Bytes [8C, EE, 68, 90]
.text ntkrnlpa.exe!KeSetTimerEx + 5B0 81CC5C74 4 Bytes [BC, F1, 68, 90]
.text ntkrnlpa.exe!KeSetTimerEx + 5E0 81CC5CA4 4 Bytes JMP EAB8292A
.text ntkrnlpa.exe!KeSetTimerEx + 630 81CC5CF4 4 Bytes [EE, F5, 68, 90]
.text ntkrnlpa.exe!KeSetTimerEx + 748 81CC5E0C 4 Bytes [8C, 08, 69, 90]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F608360, 0x35B0A2, 0xE8000020]
? C:\Program Files\F-Secure\Anti-Virus\minifilter\fsvista.sys The system cannot find the file specified. !
? System32\drivers\fsdfw.sys The system cannot find the path specified. !
? System32\drivers\fses.sys The system cannot find the path specified. !
? C:\Program Files\F-Secure\HIPS\drivers\fshs.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 000B000C
.text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 000B100C
.text C:\Windows\system32\svchost.exe[648] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 000B200C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0081000C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0081100C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0081200C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0081300C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0081400C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0081500C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0081B00C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0081600C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0081800C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0081900C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0081700C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe[664] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 0081A00C
.text C:\Windows\system32\wininit.exe[744] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 007B000C
.text C:\Windows\system32\wininit.exe[744] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 007B100C
.text C:\Windows\system32\wininit.exe[744] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 007B200C
.text C:\Windows\system32\wininit.exe[744] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 007B300C
.text C:\Windows\system32\wininit.exe[744] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 007B400C
.text C:\Windows\system32\wininit.exe[744] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 007B600C
.text C:\Windows\system32\wininit.exe[744] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 007B800C
.text C:\Windows\system32\wininit.exe[744] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 007B900C
.text C:\Windows\system32\wininit.exe[744] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 007B700C
.text C:\Windows\system32\wininit.exe[744] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 007B500C
.text C:\Windows\system32\wininit.exe[744] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 007BA00C
.text C:\Windows\system32\lsass.exe[820] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 001F000C
.text C:\Windows\system32\lsass.exe[820] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 001F100C
.text C:\Windows\system32\lsass.exe[820] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 001F200C
.text C:\Windows\system32\lsass.exe[820] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 001F300C
.text C:\Windows\system32\lsass.exe[820] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 001F400C
.text C:\Windows\system32\lsass.exe[820] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 001F600C
.text C:\Windows\system32\lsass.exe[820] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 001F800C
.text C:\Windows\system32\lsass.exe[820] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 001F900C
.text C:\Windows\system32\lsass.exe[820] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 001F700C
.text C:\Windows\system32\lsass.exe[820] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 001F500C
.text C:\Windows\system32\lsass.exe[820] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 001FB00C
.text C:\Windows\system32\lsass.exe[820] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 001FA00C
.text C:\Windows\system32\lsm.exe[828] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0011000C
.text C:\Windows\system32\lsm.exe[828] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0011100C
.text C:\Windows\system32\lsm.exe[828] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0011200C
.text C:\Windows\system32\lsm.exe[828] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0011300C
.text C:\Windows\system32\lsm.exe[828] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0011400C
.text C:\Windows\system32\lsm.exe[828] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0011600C
.text C:\Windows\system32\lsm.exe[828] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0011800C
.text C:\Windows\system32\lsm.exe[828] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0011900C
.text C:\Windows\system32\lsm.exe[828] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0011700C
.text C:\Windows\system32\lsm.exe[828] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0011500C
.text C:\Windows\system32\lsm.exe[828] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0011A00C
.text C:\Windows\system32\winlogon.exe[896] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 002A000C
.text C:\Windows\system32\winlogon.exe[896] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 002A100C
.text C:\Windows\system32\winlogon.exe[896] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 002A200C
.text C:\Windows\system32\winlogon.exe[896] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 002A300C
.text C:\Windows\system32\winlogon.exe[896] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 002A400C
.text C:\Windows\system32\winlogon.exe[896] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 002A600C
.text C:\Windows\system32\winlogon.exe[896] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 002A800C
.text C:\Windows\system32\winlogon.exe[896] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 002A900C
.text C:\Windows\system32\winlogon.exe[896] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 002A700C
.text C:\Windows\system32\winlogon.exe[896] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 002A500C
.text C:\Windows\system32\winlogon.exe[896] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 002AB00C
.text C:\Windows\system32\winlogon.exe[896] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 002AA00C
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0015000C
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0015100C
.text C:\Windows\system32\svchost.exe[996] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0015200C
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0024000C
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0024100C
.text C:\Windows\system32\svchost.exe[1060] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0024200C
.text C:\Windows\System32\svchost.exe[1104] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 010F000C
.text C:\Windows\System32\svchost.exe[1104] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 010F100C
.text C:\Windows\System32\svchost.exe[1104] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 010F200C
.text C:\Windows\System32\svchost.exe[1160] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 002F000C
.text C:\Windows\System32\svchost.exe[1160] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 002F100C
.text C:\Windows\System32\svchost.exe[1160] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 002F200C
.text C:\Windows\System32\svchost.exe[1204] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0104000C
.text C:\Windows\System32\svchost.exe[1204] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0104100C
.text C:\Windows\System32\svchost.exe[1204] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0104200C
.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 00DC000C
.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 00DC100C
.text C:\Windows\system32\svchost.exe[1220] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 00DC200C
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0021000C
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0021100C
.text C:\Windows\system32\svchost.exe[1300] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0021200C
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0008000C
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0008100C
.text C:\Windows\system32\svchost.exe[1344] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0008200C
.text C:\Windows\system32\svchost.exe[1480] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 01AB000C
.text C:\Windows\system32\svchost.exe[1480] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 01AB100C
.text C:\Windows\system32\svchost.exe[1480] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 01AB200C
.text C:\Windows\system32\svchost.exe[1708] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0010000C
.text C:\Windows\system32\svchost.exe[1708] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0010100C
.text C:\Windows\system32\svchost.exe[1708] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0010200C
.text C:\Windows\system32\wuauclt.exe[2052] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0007000C
.text C:\Windows\system32\wuauclt.exe[2052] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0007100C
.text C:\Windows\system32\wuauclt.exe[2052] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0007200C
.text C:\Windows\system32\wuauclt.exe[2052] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0007300C
.text C:\Windows\system32\wuauclt.exe[2052] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0007400C
.text C:\Windows\system32\wuauclt.exe[2052] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 0007A00C
.text C:\Windows\system32\wuauclt.exe[2052] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0007500C
.text C:\Windows\system32\wuauclt.exe[2052] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0007B00C
.text C:\Windows\system32\wuauclt.exe[2052] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0007600C
.text C:\Windows\system32\wuauclt.exe[2052] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0007800C
.text C:\Windows\system32\wuauclt.exe[2052] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0007900C
.text C:\Windows\system32\wuauclt.exe[2052] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0007700C
.text C:\Windows\system32\svchost.exe[2368] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0089000C
.text C:\Windows\system32\svchost.exe[2368] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0089100C
.text C:\Windows\system32\svchost.exe[2368] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0089200C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0023000C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0023100C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0023200C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0023300C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0023400C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0023600C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0023800C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0023900C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0023700C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0023500C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe[2404] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0023A00C
.text C:\Windows\System32\svchost.exe[2452] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0022000C
.text C:\Windows\System32\svchost.exe[2452] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0022100C
.text C:\Windows\System32\svchost.exe[2452] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0022200C
.text C:\Windows\system32\SearchIndexer.exe[2472] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 055D000C
.text C:\Windows\system32\SearchIndexer.exe[2472] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 055D100C
.text C:\Windows\system32\SearchIndexer.exe[2472] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 055D200C
.text C:\Windows\system32\SearchIndexer.exe[2472] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 055D300C
.text C:\Windows\system32\SearchIndexer.exe[2472] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 055D400C
.text C:\Windows\system32\SearchIndexer.exe[2472] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 055D600C
.text C:\Windows\system32\SearchIndexer.exe[2472] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 055D800C
.text C:\Windows\system32\SearchIndexer.exe[2472] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 055D900C
.text C:\Windows\system32\SearchIndexer.exe[2472] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 055D700C
.text C:\Windows\system32\SearchIndexer.exe[2472] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 055D500C
.text C:\Windows\system32\SearchIndexer.exe[2472] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 055DB00C
.text C:\Windows\system32\SearchIndexer.exe[2472] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 055DA00C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 007B000C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 007B100C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 007B200C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 007B300C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 007B400C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 007B500C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 007BB00C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 007B600C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 007B800C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 007B900C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 007B700C
.text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2524] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 007BA00C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 003B000C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 003B100C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 003B200C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 003B300C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 003B400C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 003B600C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 003B800C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 003B900C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 003B700C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 003B500C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe[2584] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 003BA00C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 003F000C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 003F100C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 003F200C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 003F300C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 003F400C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 003F600C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 003F800C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 003F900C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 003F700C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 003F500C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 003FB00C
.text C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe[2664] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 003FA00C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 003F000C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 003F100C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 003F200C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 003F300C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 003F400C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 003F500C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 003FB00C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 003F600C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 003F800C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 003F900C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 003F700C
.text C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe[2804] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 003FA00C
.text C:\Windows\system32\taskeng.exe[2952] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0031000C
.text C:\Windows\system32\taskeng.exe[2952] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0031100C
.text C:\Windows\system32\taskeng.exe[2952] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0031200C
.text C:\Windows\system32\taskeng.exe[2952] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0031300C
.text C:\Windows\system32\taskeng.exe[2952] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0031400C
.text C:\Windows\system32\taskeng.exe[2952] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0031600C
.text C:\Windows\system32\taskeng.exe[2952] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0031800C
.text C:\Windows\system32\taskeng.exe[2952] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0031900C
.text C:\Windows\system32\taskeng.exe[2952] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0031700C
.text C:\Windows\system32\taskeng.exe[2952] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0031500C
.text C:\Windows\system32\taskeng.exe[2952] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0031B00C
.text C:\Windows\system32\taskeng.exe[2952] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 0031A00C
.text C:\Windows\system32\taskeng.exe[3384] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0206000C
.text C:\Windows\system32\taskeng.exe[3384] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0206100C
.text C:\Windows\system32\taskeng.exe[3384] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0206200C
.text C:\Windows\system32\taskeng.exe[3384] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0206300C
.text C:\Windows\system32\taskeng.exe[3384] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0206400C
.text C:\Windows\system32\taskeng.exe[3384] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0206600C
.text C:\Windows\system32\taskeng.exe[3384] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0206800C
.text C:\Windows\system32\taskeng.exe[3384] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0206900C
.text C:\Windows\system32\taskeng.exe[3384] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0206700C
.text C:\Windows\system32\taskeng.exe[3384] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0206500C
.text C:\Windows\system32\taskeng.exe[3384] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0206B00C
.text C:\Windows\system32\taskeng.exe[3384] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 0206A00C
.text C:Windowssystem32Dwm.exe[3412] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0163000C
.text C:Windowssystem32Dwm.exe[3412] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0163100C
.text C:Windowssystem32Dwm.exe[3412] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0163200C
.text C:Windowssystem32Dwm.exe[3412] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0163300C
.text C:Windowssystem32Dwm.exe[3412] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0163400C
.text C:Windowssystem32Dwm.exe[3412] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0163600C
.text C:Windowssystem32Dwm.exe[3412] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0163800C
.text C:Windowssystem32Dwm.exe[3412] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0163900C
.text C:Windowssystem32Dwm.exe[3412] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0163700C
.text C:Windowssystem32Dwm.exe[3412] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0163500C
.text C:Windowssystem32Dwm.exe[3412] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0163B00C
.text C:Windowssystem32Dwm.exe[3412] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 0163A00C
.text C:WindowsExplorer.EXE[3480] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 01D2000C
.text C:WindowsExplorer.EXE[3480] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 01D2100C
.text C:WindowsExplorer.EXE[3480] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 01D2200C
.text C:WindowsExplorer.EXE[3480] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 01D2300C
.text C:WindowsExplorer.EXE[3480] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 01D2400C
.text C:WindowsExplorer.EXE[3480] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 01D2600C
.text C:WindowsExplorer.EXE[3480] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 01D2800C
.text C:WindowsExplorer.EXE[3480] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 01D2900C
.text C:WindowsExplorer.EXE[3480] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 01D2700C
.text C:WindowsExplorer.EXE[3480] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 01D2500C
.text C:WindowsExplorer.EXE[3480] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 01D2B00C
.text C:WindowsExplorer.EXE[3480] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 01D2A00C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0006000C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0006100C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0006200C
.text C:Windowssystem32wbemwmiprvse.exe[3604] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0006300C
.text C:Windowssystem32wbemwmiprvse.exe[3604] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0006400C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0006600C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0006800C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0006900C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0006700C
.text C:Windowssystem32wbemwmiprvse.exe[3604] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0006500C
.text C:Windowssystem32wbemwmiprvse.exe[3604] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0006B00C
.text C:Windowssystem32wbemwmiprvse.exe[3604] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 0006A00C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0037000C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ntdll.dll!NtCreateProcessEx 773280D8 5 Bytes JMP 0037100C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ntdll.dll!NtCreateUserProcess 77329438 5 Bytes JMP 0037200C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0037300C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] kernel32.dll!TerminateThread 76F53B73 5 Bytes JMP 0037400C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] USER32.dll!SetWindowsHookExW 77237B69 5 Bytes JMP 0037500C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] USER32.dll!DdeConnect 7727997F 5 Bytes JMP 0037B00C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ADVAPI32.dll!OpenServiceW 7599FFC3 5 Bytes JMP 0037600C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ADVAPI32.dll!CloseServiceHandle 759A00CD 5 Bytes JMP 0037800C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 0037900C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ADVAPI32.dll!ControlService 759C3B2D 5 Bytes JMP 0037700C
.text C:Program FilesHewlett-PackardSharedHpqToaster.exe[4780] ole32.dll!CoCreateInstanceEx 7705E1CB 5 Bytes JMP 0037A00C

---- Devices - GMER 1.0.15 ----

AttachedDevice Driverkbdclass DeviceKeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library C:Program (*** hidden *** ) @ C:WindowsExplorer.EXE [3480] 0x33C70000
Library C:Program (*** hidden *** ) @ C:WindowsExplorer.EXE [3480] 0x300C0000
Library C:Program (*** hidden *** ) @ C:WindowsExplorer.EXE [3480] 0x30090000

---- Registry - GMER 1.0.15 ----

Reg HKLMSYSTEMCurrentControlSetControlSession Manager@PendingFileRenameOperations ???t?&?????t???t?????t?t?t?t?t?t?t?ts???? ??t?????????e????Storage volumes???????:??t????????h????????????????????????????t????system32driversWdf01000.sys????????????????????????????????????????t?t?t?t?t?to&????`??t?????????e????Microsoft Windows Management Interface for ACPI??????????t??????p???Extended Base???????????????t???? ???????t?????????????%????????????????????? ???????t?????t???????#??L????????? ??????:MS??? ???????t?????t???????#????????????&????????????????????u??? ???????t?????t???????#????????????????????? ???????t???????????o?#?????????????????????????????????????????????????????????t???z?z?z?z?t??system32DRIVERSusbohci.sys?usbohci.sys???????????????t????? ???????t?????t???????#????????????&????????????????????L?????t???t????? ???????t?????t???????#????????????????????? ???????t???????????q?#????????????????????system32DRIVERSumbus.sys?sumbus.sys???????t?????t????? ???????t?????t???????#?????????????????????u?u?u?u?u??? ???????t???????????q?#????????????????????????????????t??????????

---- EOF - GMER 1.0.15 ----

Merged topics then posts removing redundant content. ~ OB


Edited by Orange Blossom, 06 August 2010 - 09:07 PM.
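As an added triage aid (not part of the original thread, and not a GMER feature), the Python below parses the two kinds of lines that dominate the report above: the user-mode `.text ... 5 Bytes JMP ...` hook entries and the `Library ... (*** hidden *** )` module entries. It groups the hooks by hooked export so a reader can see at a glance whether the same set of exports is hooked in every listed process, which is the pattern of one system-wide hooking component rather than per-process tampering, and it lists the modules GMER marks hidden for manual review. The sample lines are constructed from this log with the path backslashes that the forum extraction dropped put back; the function names are the example's own.

```python
import re
from collections import defaultdict

# One GMER user-mode hook line has the shape:
#   .text <image path>[<pid>] <module>!<export> <hooked addr> <n> Bytes JMP <target>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)

# A hidden-module line under "---- Processes ----" has the shape:
#   Library <path> (*** hidden *** ) @ <image> [<pid>] 0x<base>
HIDDEN_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<image>.+?)\s+\[(?P<pid>\d+)\]\s+0x(?P<base>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: a few lines taken from the log above, with the
# backslashes the forum extraction dropped restored.
SAMPLE_LOG = r"""
.text C:\Windows\system32\taskeng.exe[2952] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0031000C
.text C:\Windows\system32\taskeng.exe[2952] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0031300C
.text C:\Windows\system32\Dwm.exe[3412] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 0163000C
.text C:\Windows\system32\Dwm.exe[3412] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 0163300C
.text C:\Windows\Explorer.EXE[3480] ntdll.dll!NtCreateProcess 773280C8 5 Bytes JMP 01D2000C
.text C:\Windows\Explorer.EXE[3480] kernel32.dll!LoadLibraryExW 76F530C3 5 Bytes JMP 01D2300C
.text C:\Windows\Explorer.EXE[3480] ADVAPI32.dll!CreateServiceW 759C38FF 5 Bytes JMP 01D2900C

---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Windows\Explorer.EXE [3480] 0x33C70000
Library C:\Program (*** hidden *** ) @ C:\Windows\Explorer.EXE [3480] 0x300C0000
"""


def parse_gmer(text):
    """Return (hooks, hidden): parsed hook dicts and hidden-module dicts."""
    hooks, hidden = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"], d["nbytes"] = int(d["pid"]), int(d["nbytes"])
            hooks.append(d)
            continue
        m = HIDDEN_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            hidden.append(d)
    return hooks, hidden


def triage(hooks, hidden):
    """Summarise hooks per export and per process, and list hidden modules."""
    by_export = defaultdict(lambda: {"pids": set(), "targets": set(), "addrs": set()})
    by_pid = defaultdict(set)
    for h in hooks:
        key = f"{h['module']}!{h['export']}"
        by_export[key]["pids"].add(h["pid"])
        by_export[key]["targets"].add(h["target"])
        by_export[key]["addrs"].add(h["addr"])
        by_pid[h["pid"]].add(key)

    # Processes whose hooked-export sets are identical are most plausibly
    # hooked by one system-wide component; group the PIDs by that set.
    groups = defaultdict(list)
    for pid, keys in by_pid.items():
        groups[frozenset(keys)].append(pid)

    return {
        "hooked_exports": {
            k: {
                "process_count": len(v["pids"]),
                # One JMP target per process is expected: the trampoline lives
                # in memory allocated inside each hooked process.
                "distinct_targets": len(v["targets"]),
                # The hooked address is inside a shared system DLL, so it should
                # be the same in every process; a mismatch deserves a closer look.
                "consistent_source_addr": len(v["addrs"]) == 1,
            }
            for k, v in by_export.items()
        },
        "hook_set_groups": [sorted(pids) for pids in groups.values()],
        # Anything GMER marks hidden is listed verbatim for manual review.
        "hidden_modules": [(m["image"], m["pid"], m["path"], m["base"]) for m in hidden],
    }


if __name__ == "__main__":
    hooks, hidden = parse_gmer(SAMPLE_LOG)
    report = triage(hooks, hidden)
    for export, info in sorted(report["hooked_exports"].items()):
        print(f"{export:32} hooked in {info['process_count']} process(es)")
    print("hook-set groups:", report["hook_set_groups"])
    for image, pid, path, base in report["hidden_modules"]:
        print(f"hidden module {path!r} in {image} [{pid}] at 0x{base}")
```

Run against the full report rather than the sample, the per-PID grouping is the useful output: every process that carries the same hooked exports is being hooked by the same thing, and the hidden `Library` entries in Explorer.EXE are the items to account for first. Note that GMER itself truncates the hidden path at the first space, so `C:\Program` is the tool's output, not a parsing defect.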



#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 13 August 2010 - 04:37 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please do not attach logs or put them in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having, as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:
    • Link1
    • Link2
    • Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
  • It will show a black screen with some data on it
  • A report called MBRCheck will be on your desktop
  • Open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • Now please copy that report to this thread


Information and logs:
    In your next post I need the following:
      1. Logs from DDS
      2. Log from RKUnHooker
      3. Report from MBRCheck
      4. Let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 16 August 2010 - 12:35 AM

Hello

Three day bump

It has been three days since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo


#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 19 August 2010 - 08:33 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo
