
Multiple Infections - Not All Removed


  • This topic is locked
31 replies to this topic

#1 EdPell

EdPell

  • Members
  • 28 posts

Posted 20 September 2010 - 08:44 AM

Using Dell Precision T3400 (2.99 GHz; 3.25GB RAM), Win XP Pro SP3, SAS Pro, MBAM, NOD32

I first started seeing indications of a problem a few weeks ago and tried to attack them by seeking remedies for each individual problem, eg, blank Firefox windows, missing files such as rundll32 and both the NOD32 and COMODO GUI modules, etc etc.

Neither MBAM nor NOD32 found anything. SAS Pro was prevented from running because of a buffer overrun in its executable. Because I spent a great deal of time searching forums for answers to specific problems and because a few times everything worked okay for a few days, a lot of time has passed.

I continued running the AV programs and, for some reason, SAS Pro was finally able to be updated and run. It found 1,403 file threats in 38 Adware, 54 Trojan, 57 Malware, 207 Rogue, 15 Rootkit, and three Dialer categories, and one keylogger!! All this from one infection?!

Although SAS Pro cleaned things up and has run clean several times (along with MBAM and NOD32), there remains a problem - I'm not able to get a network connection and I believe the problem lies within the PC.

I have two PCs; the infected primary is hard-wired to a Linksys WRT54GL router - the secondary PC and printer are wireless. The primary PC cannot access the internet, the printer, or the secondary PC. The secondary PC cannot access the primary PC, but can print and access the internet. There are no error messages other than the standard Firefox/IE message when it can't access a site and the icon in the System Tray is emblazoned with an exclamation mark indicating no connectivity.

The latest detector I ran was SDFix which found and deleted a Trojan in a TMP file, but the problem remains.

About an hour after I posted this to the "Am I infected" forum, network communication returned to the infected PC just as it has done several times since I began having problems. It's anyone's guess when it'll be disabled again.

Incidentally, when the connection is up, I'm able to download Windows update files, but the install procedure fails on every update.

After I ran Steps 6-9 as recommended and was preparing this note, Comodo suddenly went to 98% CPU usage and was unable to display its main page. Normal shutdown was taking too long, so I shut the PC down with its on/off button. (They don't call it the BRS anymore, do they).

I hope someone here can offer some advice.

Thanks
EdP

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed at 8:52:32.70 on Mon 09/20/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2681 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\DCX\DCRServ.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Everything\Everything.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Misc Downloads\Process Explorer\procexp.exe
D:\Misc Downloads\TClockLite\tclock.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
svchost.exe
C:\Program Files\Sound Control\SC.EXE
C:\WINDOWS\EzDesk.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ed\Desktop\Bleeping Info\Defogger.exe
C:\Documents and Settings\Ed\Desktop\Bleeping Info\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///D:/Misc%20Downloads/Page%201/My%20Page.htm
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERANTISPYWARE.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\01_pro~1.lnk - d:\misc downloads\process explorer\procexp.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\02_tcl~1.lnk - d:\misc downloads\tclocklite\tclock.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\03_moz~1.lnk - c:\program files\mozilla firefox\firefox.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\04_win~1.lnk - c:\program files\winamp\winamp.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\05_sou~1.lnk - c:\program files\sound control\SC.EXE
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\06_ezw~1.lnk - c:\windows\EzDesk.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\07_wor~1.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\sept.lnk - f:\personal\calendars\2010\2010_09.dec
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\egui.lnk - c:\program files\eset\eset nod32 antivirus\egui.exe
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284731846140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1284670407578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\utfh50w3.xfr profile\
FF - prefs.js: browser.startup.homepage - file:///D:/Misc%20Downloads/Page%201/My%20Page.htm
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\documents and settings\ed\application data\mozilla\firefox\profiles\utfh50w3.xfr profile\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [2009-1-19 294120]
R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [2009-1-19 19624]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-5 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-8-30 28552]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-9-15 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-15 24208]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 cmdAgent;COMODO Firewall Pro Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2010-9-15 519936]
R2 DriveCryptService;DriveCrypt Service;c:\program files\dcx\DCRServ.exe [2009-1-19 96680]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-7-5 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-7-5 8456]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 NRKCTL32;NRKCTL32;d:\misc downloads\cpu-id\nrkctl32.sys [2008-2-29 3968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-9-15 27064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2008-2-6 15576]
S4 crd;crd;c:\docume~1\ed\locals~1\temp\ixp001.tmp\poststp.exe --> c:\docume~1\ed\locals~1\temp\ixp001.tmp\poststp.exe [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-09-20 12:51:27 0 ----a-w- c:\documents and settings\ed\defogger_reenable
2010-09-19 15:41:14 0 d-----w- c:\windows\ERUNT
2010-09-19 15:38:12 0 d-----w- C:\SDFix
2010-09-19 15:30:55 1529241 ----a-w- C:\SDFix.exe
2010-09-17 13:58:11 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-09-17 13:54:34 0 d-----w- C:\WUAGENT
2010-09-16 12:09:44 27432 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-09-15 21:19:55 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-09-15 14:08:09 87056 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-09-15 14:08:09 24208 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-15 14:08:09 143104 ----a-w- c:\windows\system32\guard32.dll
2010-09-15 14:08:09 0 d-----w- c:\docume~1\ed\applic~1\Comodo
2010-09-15 14:08:09 0 d-----w- c:\docume~1\alluse~1\applic~1\comodo
2010-09-15 14:07:58 0 d-----w- c:\program files\COMODO
2010-09-15 12:40:53 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-09-15 12:40:52 0 d-----w- c:\program files\Revo Uninstaller Pro
2010-09-14 21:28:42 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-14 21:28:25 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-14 21:28:24 0 d-----w- c:\docume~1\ed\applic~1\SUPERAntiSpyware.com
2010-09-14 21:28:24 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-14 21:28:00 0 d--h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-09-14 13:16:06 108480 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-09-13 19:53:39 0 d-----w- c:\docume~1\ed\applic~1\SUPERAntiSpyware(2).com
2010-09-13 19:53:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware(2).com
2010-09-13 19:53:32 0 d-----w- c:\program files\SUPERAntiSpyware(2)
2010-09-12 19:13:25 98816 ----a-w- c:\windows\sed.exe
2010-09-12 19:13:25 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 19:13:25 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 19:13:25 161792 ----a-w- c:\windows\SWREG.exe
2010-09-12 19:13:20 0 d-----w- C:\ComboFix
2010-09-04 21:02:32 11111 ----a-w- C:\menu.jpg
2010-09-04 20:58:39 0 d-----w- c:\program files\FastStone Capture
2010-09-03 21:34:13 0 d-----w- C:\VritualRoot
2010-09-03 20:33:33 0 d-----w- c:\docume~1\ed\applic~1\Foxit Software
2010-08-30 21:05:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-30 21:05:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-30 21:05:31 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-30 19:58:56 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-29 22:24:59 0 d-----w- c:\program files\Panda Security
2010-08-29 22:19:36 0 d-----w- c:\docume~1\ed\applic~1\QuickScan
2010-08-29 22:07:05 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-08-29 22:07:05 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2010-08-29 20:15:59 33599 ----a-w- c:\windows\system32\dllcache\watv04nt.sys
2010-08-29 20:14:58 211968 ----a-w- c:\windows\system32\dllcache\um54scan.dll
2010-08-29 20:13:58 10240 ----a-w- c:\windows\system32\dllcache\swpidflt.dll
2010-08-29 20:12:59 28160 ----a-w- c:\windows\system32\dllcache\sm91w.dll
2010-08-29 20:11:59 61504 ----a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2010-08-29 20:10:59 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-08-29 20:09:59 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2010-08-29 20:08:59 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2010-08-29 20:07:58 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-29 20:06:59 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2010-08-29 20:05:59 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-08-29 20:04:59 29696 ----a-w- c:\windows\system32\dllcache\dm9pci5.sys
2010-08-29 20:03:59 66082 ----a-w- c:\windows\system32\dllcache\c_28596.nls
2010-08-23 11:35:21 0 d-----w- c:\program files\PlotSoft
2010-08-23 11:35:21 0 d-----w- c:\docume~1\alluse~1\applic~1\PlotSoft

==================== Find3M ====================

2010-08-12 20:05:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-04 15:50:36 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-08-03 17:28:36 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-07-29 17:31:26 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-07-12 08:55:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2010-06-27 20:49:54 1774720 ----a-w- c:\windows\system32\BootMan.exe
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\dllcache\win32k.sys
2010-06-23 12:06:51 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-05-03 18:11:41 108 --sha-r- c:\windows\neoqaz2.dll
2008-02-16 19:00:29 23 --sha-w- c:\windows\system32\dfdffd3_r.dll
2010-03-28 18:41:59 23 --sha-w- c:\windows\system32\edacded0.dat
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2010-01-19 15:35:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010011920100120\index.dat

============= FINISH: 8:53:19.71 ===============
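As an added triage example (not code from the thread, from DDS or from BleepingComputer), the script below parses the SERVICES / DRIVERS and Find3M line formats of a DDS log such as the one above and flags the entries a helper would look at first: a service whose image runs from a temp folder, an image DDS marks [?] because it could not read a date and size, and hidden+system files sitting in Windows directories. The sample lines are copied from the log above; the rules and names are this example's own.

```python
import re

# Sample lines copied from the SERVICES / DRIVERS and Find3M sections of the DDS log above.
SAMPLE_LOG = r"""
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-9-15 87056]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]
S4 crd;crd;c:\docume~1\ed\locals~1\temp\ixp001.tmp\poststp.exe --> c:\docume~1\ed\locals~1\temp\ixp001.tmp\poststp.exe [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
2010-08-12 20:05:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-05-03 18:11:41 108 --sha-r- c:\windows\neoqaz2.dll
2008-02-16 19:00:29 23 --sha-w- c:\windows\system32\dfdffd3_r.dll
2010-03-28 18:41:59 23 --sha-w- c:\windows\system32\edacded0.dat
"""

# Service/driver line: "<R|S><0-4> <name>;<display name>;<ImagePath ...> [date size]" or "... [?]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# Find3M / Created Last 30 line: "<date> <time> <size> <attributes> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([-\w]{8}) (.+)$")
# Image path under a temp directory or inside an extracted *.tmp folder
TEMP_DIR_RE = re.compile(r"\\temp\\|\.tmp\\", re.IGNORECASE)


def parse_service(line):
    """Return a dict for a DDS service/driver line, or None if the line is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, name, display, rest = m.groups()
    rest = rest.strip()
    # DDS ends the line with "[date size]" when it could read the image file,
    # or with "[?]" when it could not.
    unverified = rest.endswith("[?]")
    rest = re.sub(r"\s*\[[^\]]*\]$", "", rest)
    # When the ImagePath carried quotes or arguments DDS appends "--> <resolved path>".
    if "-->" in rest:
        rest = rest.split("-->", 1)[1]
    return {"start": start, "name": name, "display": display,
            "path": rest.strip().strip('"'), "unverified": unverified}


def parse_file(line):
    """Return a dict for a DDS file-listing line, or None if the line is not one."""
    m = FILE_RE.match(line)
    if not m:
        return None
    date, time_, size, attrs, path = m.groups()
    return {"date": date, "time": time_, "size": int(size), "path": path,
            "hidden": "h" in attrs, "system": "s" in attrs}


def triage(log_text):
    """Return (kind, identifier, reason) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service(line)
        if svc:
            if TEMP_DIR_RE.search(svc["path"]):
                findings.append(("service", svc["name"],
                                 "image runs from a temp directory: " + svc["path"]))
            if svc["unverified"]:
                findings.append(("service", svc["name"],
                                 "image marked [?] by DDS, no date/size readable: " + svc["path"]))
            continue
        f = parse_file(line)
        if f and f["hidden"] and f["system"] and f["path"].lower().startswith("c:\\windows\\"):
            findings.append(("file", f["path"],
                             "hidden+system file in a Windows directory, %d bytes" % f["size"]))
    return findings


if __name__ == "__main__":
    for kind, ident, reason in triage(SAMPLE_LOG):
        print("%-8s %-45s %s" % (kind, ident, reason))
```

A flagged entry is a starting point for checking the file, not a verdict; legitimate services (gupdate here) also get the [?] marker when their ImagePath carries arguments.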



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania

Posted 27 September 2010 - 08:15 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 EdPell

EdPell
  • Topic Starter

  • Members
  • 28 posts

Posted 27 September 2010 - 10:42 AM

Elise ...

Thanks very much for lending me your time and expertise - I really appreciate it.

Ed
Post too long - attached OTL logs as a single file
---------------------------------------
Per your request:

Dell T3400 w/Win XP Pro SP3 (Primary) Hard-wired to router
Dell Dim8200 w/Win XP Home SP3 (Secondary) Wireless
HP6980dt printer Wireless
LinkSys WRT54GL V1.1 router

Problem:
No internet connection for days at a time
Primary PC cannot access the internet, the printer, or the secondary PC.
Secondary PC cannot access the primary PC, but can access the internet and printer.

Background:
Unusual behavior, eg, blank web pages, NOD32 & Comodo GUI modules missing and rundll32 missing, suggested the PC contracted a virus. MBAM and NOD32 turned up nothing and SAS Pro could not run because of a buffer overrun. Eventually SAS Pro was able to run and found/cleaned a huge number (1,403) of threats.
Subsequent runs of NOD32 and SAS turned up two more viruses that were cleaned.
Multiple current runs with NOD32, SAS, MBAM, and Kaspersky Removal Tool are clean.

Bypassed the router by connecting the modem directly to the PC - problem persists.
Reset TCP/IP
Output of ipconfig /all for primary PC significantly truncated compared to secondary PC
Network adapter port lights indicate no network activity, but a good 100Mbps connection between network and PC
Updated Broadcom integrated controller driver - network connection restored but gone after reboot.

................................................
Most recent occurrence:
After five days of being disabled, connections returned with no intervention on my part.
9/26/10 - At boot, connections were disabled. Relevant Event Log entries:
Event Log 8:38:07
Warning - Source: DHCP
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001D09293C16. The following error occurred:
The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Event Log 8:38:18
Warning - Source: DHCP
Your computer has automatically configured the IP address for the Network Card with network address 001D09293C16. The IP address being used is 169.254.224.153.

Connections enabled. ipconfig /all indicated lease obtained at 9:25:06
Relevant Event Log entry for that time:
Event Log 9:25:06
Information - Source: Browser

The browser has forced an election on network \Device\NetBT_Tcpip_{8BFBDA30-CD73-4A28-962C-E5F762E378F8} because a master browser was stopped.
..........................................

NOTE: The logs in this post were created while the internet connections were working.
The logs in my initial post were created (9/20/10 - above) when the internet connections were NOT working.
>>>>>>>>>>>>> LOGS <<<<<<<<<<<<<<<<


DDS (Ver_10-03-17.01) - NTFSx86
Run by Ed at 10:05:56.50 on Mon 09/27/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2582 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\DCX\DCRServ.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Everything\Everything.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Misc Downloads\Process Explorer\procexp.exe
D:\Misc Downloads\TClockLite\tclock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Sound Control\SC.EXE
C:\WINDOWS\EzDesk.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\xplorer2\xplorer2_UC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
F:\Personal\Virus - Fall 2010\Bleeping Info\dds.scr

============== Pseudo HJT Report ===============

uStart Page = file:///D:/Misc%20Downloads/Page%201/My%20Page.htm
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Ask Toolbar Quick View: {b0de3308-5d5a-470d-81b9-634fc078393b} - c:\windows\system32\shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERANTISPYWARE.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [Everything] "c:\program files\everything\Everything.exe" -startup
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\01_pro~1.lnk - d:\misc downloads\process explorer\procexp.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\02_tcl~1.lnk - d:\misc downloads\tclocklite\tclock.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\03_moz~1.lnk - c:\program files\mozilla firefox\firefox.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\04_win~1.lnk - c:\program files\winamp\winamp.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\05_sou~1.lnk - c:\program files\sound control\SC.EXE
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\06_ezw~1.lnk - c:\windows\EzDesk.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\07_wor~1.lnk - c:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\ed\startm~1\programs\startup\sept.lnk - f:\personal\calendars\2010\2010_09.dec
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\egui.lnk - c:\program files\eset\eset nod32 antivirus\egui.exe
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1285103159062
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284731846140
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1284670407578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\utfh50w3.xfr profile\
FF - prefs.js: browser.startup.homepage - file:///D:/Misc%20Downloads/Page%201/My%20Page.htm
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\ed\application data\mozilla\firefox\profiles\utfh50w3.xfr profile\extensions\{1bc9ba34-1eed-42ca-a505-6d2f1a935bbb}\plugins\npietab2.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: c:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 82233402;82233402 Boot Guard Driver;c:\windows\system32\drivers\82233402.sys [2010-9-22 37392]
R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [2009-1-19 294120]
R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [2009-1-19 19624]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-8-30 28552]
R1 82233401;82233401;c:\windows\system32\drivers\82233401.sys [2010-9-22 128016]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-9-15 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-15 24208]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 setup_9.0.0.722_21.09.2010_16-25drv;setup_9.0.0.722_21.09.2010_16-25drv;c:\windows\system32\drivers\8223340.sys [2010-9-22 315408]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2007-6-20 79168]
R2 cmdAgent;COMODO Firewall Pro Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2010-9-15 519936]
R2 DriveCryptService;DriveCrypt Service;c:\program files\dcx\DCRServ.exe [2009-1-19 96680]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf squeezemysql --> c:\progra~1\squeez~1\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\docume~1\alluse~1\applic~1\squeez~1\cache\my.cnf SqueezeMySQL [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-7-5 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-7-5 8456]
S3 NRKCTL32;NRKCTL32;d:\misc downloads\cpu-id\nrkctl32.sys [2008-2-29 3968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-7-7 14904]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-9-15 27064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2008-2-6 15576]
S4 crd;crd;c:\docume~1\ed\locals~1\temp\ixp001.tmp\poststp.exe --> c:\docume~1\ed\locals~1\temp\ixp001.tmp\poststp.exe [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-09-27 14:03:51 0 ----a-w- c:\documents and settings\ed\defogger_reenable
2010-09-26 20:57:11 0 d-----w- c:\program files\Everything
2010-09-25 18:24:02 0 d-----w- c:\program files\Trend Micro
2010-09-25 15:07:55 0 d-----w- c:\program files\Support Tools
2010-09-22 15:09:26 37392 ----a-w- c:\windows\system32\drivers\82233402.sys
2010-09-22 15:09:25 315408 ----a-w- c:\windows\system32\drivers\8223340.sys
2010-09-22 15:09:25 128016 ----a-w- c:\windows\system32\drivers\82233401.sys
2010-09-21 22:40:44 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-09-19 15:41:14 0 d-----w- c:\windows\ERUNT
2010-09-19 15:38:12 0 d-----w- C:\SDFix
2010-09-19 15:30:55 1529241 ----a-w- C:\SDFix.exe
2010-09-17 13:58:11 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-09-17 13:54:34 0 d-----w- C:\WUAGENT
2010-09-16 12:09:44 27432 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-09-15 21:19:55 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-09-15 14:08:09 87056 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-09-15 14:08:09 24208 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-15 14:08:09 143104 ----a-w- c:\windows\system32\guard32.dll
2010-09-15 14:08:09 0 d-----w- c:\docume~1\ed\applic~1\Comodo
2010-09-15 14:08:09 0 d-----w- c:\docume~1\alluse~1\applic~1\comodo
2010-09-15 14:07:58 0 d-----w- c:\program files\COMODO
2010-09-15 12:40:53 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-09-15 12:40:52 0 d-----w- c:\program files\Revo Uninstaller Pro
2010-09-14 21:28:42 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-14 21:28:25 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-14 21:28:24 0 d-----w- c:\docume~1\ed\applic~1\SUPERAntiSpyware.com
2010-09-14 21:28:24 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-14 13:16:06 108480 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-09-13 19:53:39 0 d-----w- c:\docume~1\ed\applic~1\SUPERAntiSpyware(2).com
2010-09-13 19:53:39 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware(2).com
2010-09-13 19:53:32 0 d-----w- c:\program files\SUPERAntiSpyware(2)
2010-09-12 19:13:25 98816 ----a-w- c:\windows\sed.exe
2010-09-12 19:13:25 77312 ----a-w- c:\windows\MBR.exe
2010-09-12 19:13:25 256512 ----a-w- c:\windows\PEV.exe
2010-09-12 19:13:25 161792 ----a-w- c:\windows\SWREG.exe
2010-09-12 19:13:20 0 d-----w- C:\ComboFix
2010-09-04 21:02:32 11111 ----a-w- C:\menu.jpg
2010-09-04 20:58:39 0 d-----w- c:\program files\FastStone Capture
2010-09-03 21:34:13 0 d-----w- C:\VritualRoot
2010-09-03 20:33:33 0 d-----w- c:\docume~1\ed\applic~1\Foxit Software
2010-08-30 21:05:45 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-30 21:05:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-08-30 21:05:31 0 d-----w- c:\program files\Hitman Pro 3.5
2010-08-30 19:58:56 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-29 22:24:59 0 d-----w- c:\program files\Panda Security
2010-08-29 22:19:36 0 d-----w- c:\docume~1\ed\applic~1\QuickScan
2010-08-29 22:07:05 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-08-29 22:07:05 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2010-08-29 20:15:59 33599 ----a-w- c:\windows\system32\dllcache\watv04nt.sys
2010-08-29 20:14:58 211968 ----a-w- c:\windows\system32\dllcache\um54scan.dll
2010-08-29 20:13:58 10240 ----a-w- c:\windows\system32\dllcache\swpidflt.dll
2010-08-29 20:12:59 28160 ----a-w- c:\windows\system32\dllcache\sm91w.dll
2010-08-29 20:11:59 61504 ----a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2010-08-29 20:10:59 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys
2010-08-29 20:09:59 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2010-08-29 20:08:59 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2010-08-29 20:07:58 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-29 20:06:59 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2010-08-29 20:05:59 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-08-29 20:04:59 29696 ----a-w- c:\windows\system32\dllcache\dm9pci5.sys
2010-08-29 20:03:59 66082 ----a-w- c:\windows\system32\dllcache\c_28596.nls

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\dllcache\spoolsv.exe
2010-08-12 20:05:08 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-04 15:50:36 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-08-03 17:28:36 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-07-29 17:31:26 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-07-27 06:30:35 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\dllcache\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\dllcache\schannel.dll
2009-05-03 18:11:41 108 --sha-r- c:\windows\neoqaz2.dll
2008-02-16 19:00:29 23 --sha-w- c:\windows\system32\dfdffd3_r.dll
2010-03-28 18:41:59 23 --sha-w- c:\windows\system32\edacded0.dat
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2010-01-19 15:35:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010011920100120\index.dat

============= FINISH: 10:06:31.50 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 1/30/2008 11:00:42 AM
System Uptime: 9/27/2010 7:45:34 AM (3 hours ago)

Motherboard: Dell Inc. | | 0TP412
Processor: Intel® Core™2 Duo CPU E6850 @ 3.00GHz | CPU | 2992/1333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 98 GiB total, 73.503 GiB free.
D: is FIXED (NTFS) - 20 GiB total, 14.58 GiB free.
E: is FIXED (NTFS) - 39 GiB total, 32.168 GiB free.
F: is FIXED (NTFS) - 142 GiB total, 77.769 GiB free.
G: is FIXED (NTFS) - 466 GiB total, 235.594 GiB free.
H: is CDROM ()
I: is CDROM ()
K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E967-E325-11CE-BFC1-08002BE10318}
Description: Disk drive
Device ID: USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_HS-CF&REV_4.44\071012200975&0
Manufacturer: (Standard disk drives)
Name: Generic Flash HS-CF USB Device
PNP Device ID: USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_HS-CF&REV_4.44\071012200975&0
Service: disk

Class GUID: {4D36E967-E325-11CE-BFC1-08002BE10318}
Description: Disk drive
Device ID: USBSTOR\DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.08\0000030706F0&0
Manufacturer: (Standard disk drives)
Name: TEAC USB HS-CF Card USB Device
PNP Device ID: USBSTOR\DISK&VEN_TEAC&PROD_USB___HS-CF_CARD&REV_4.08\0000030706F0&0
Service: disk

Class GUID: {4D36E967-E325-11CE-BFC1-08002BE10318}
Description: Disk drive
Device ID: USBSTOR\DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.08\0000030706F0&2
Manufacturer: (Standard disk drives)
Name: TEAC USB HS-MS Card USB Device
PNP Device ID: USBSTOR\DISK&VEN_TEAC&PROD_USB___HS-MS_CARD&REV_4.08\0000030706F0&2
Service: disk

Class GUID: {4D36E967-E325-11CE-BFC1-08002BE10318}
Description: Disk drive
Device ID: USBSTOR\DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.08\0000030706F0&3
Manufacturer: (Standard disk drives)
Name: TEAC USB HS-SD Card USB Device
PNP Device ID: USBSTOR\DISK&VEN_TEAC&PROD_USB___HS-SD_CARD&REV_4.08\0000030706F0&3
Service: disk

==== System Restore Points ===================

RP830: 9/21/2010 6:10:54 PM - Installed Windows XP KB2347290.
RP831: 9/21/2010 6:11:25 PM - Installed Windows Media Player KB975558.
RP832: 9/21/2010 6:11:55 PM - Installed Windows XP KB981322.
RP833: 9/21/2010 6:12:24 PM - Installed Windows XP KB982802.
RP834: 9/21/2010 6:40:44 PM - Installed Security Update for CAPICOM (KB931906)
RP835: 9/23/2010 7:49:55 AM - System Checkpoint
RP836: 9/24/2010 1:05:46 PM - System Checkpoint
RP837: 9/25/2010 11:07:53 AM - Installed Windows Support Tools
RP838: 9/25/2010 1:40:59 PM - Installed Windows XP KB2141007.
RP839: 9/25/2010 2:24:02 PM - Installed HiJackThis
RP840: 9/25/2010 5:27:47 PM - Installed Broadcom Gigabit Integrated Controller.
RP841: 9/26/2010 7:24:47 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Acronis True Image
Active@ Hard Disk Monitor
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Illustrator 9.0
Adobe Photoshop 6.0
Adobe SVG Viewer
Aiseesoft Total Video Converter
Alt-Tab Task Switcher Powertoy for Windows XP
Aneesoft Flash Gallery Classic GOTD Edition
Any Video Converter 3.0.6
AnyDVD
APC PowerChute Personal Edition
Apple Application Support
Apple Software Update
Audacity 1.3.11 (Unicode)
Avi2Dvd 0.4.5 beta
Avidemux 2.5
AviSynth 2.5
Beyond Compare 1.9e
Broadcom ASF Management Applications
Broadcom Gigabit Integrated Controller
Broadcom Management Programs
Browser Address Error Redirector
BufferChm
Canon CanoScan 8800F User Registration
Canon MP Navigator EX 1.0
CanoScan 8800F
Cartoonist 1.3
CDex extraction audio
CloneCD
CloneDVD2
CombiMovie Version 1.31
Combined Community Codec Pack 2008-09-21 16:18
COMODO Firewall Pro
CompuPic
ConvertHelper 2.2
ConvertXtoDVD 2.2.3.258
Coupon Printer for Windows
Crash Analysis Tool
Daniusoft Video Converter(Build 2.3.2.0)
DAO 3.5
dAP Skin Narler-N_T_Music
dAP Skin PEDEKOs - Blue Car
Data Lifeguard Tools
dBpoweramp DSP Effects
Dell ETS Factory Installation
Destinations
Detto IntelliMover
DeviceManagementQFolder
DivxToDVD 0.5.2b
dj_taplugin
dj6980
DriveCrypt 5.1
DriverMax 3
DVD Flick
DVD Identifier
DVD Shrink 3.2
EASEUS Data Recovery Wizard 4.3.6
EASEUS Partition Master 6.0.1 Professional
EndItAll 2.0
Eraser
ESET NOD32 Antivirus
eSupportQFolder
EVEREST Home Edition v2.20
Everything 1.2.1.371
Exact Audio Copy 0.99pb5
EzWare EzDesk (remove only)
F.lux
FastStone Capture 5.3
FastStone Image Viewer 4.2
ffdshow [rev 3055] [2009-08-16]
FFmpeg for Audacity on Windows
FinePrint pdfFactory
Font Xplorer 1.2.2
FormatFactory 2.45
Forté Agent
Foto-Mosaik-Edda 5.4.4
Foxit Reader
Foxit Toolbar
Free Studio version 4.3
Google Earth
Google Update Helper
Google Video Player
gPhotoShow Screen Saver
Hard Disk Low Level Format Tool 2.36 build 1181
High Definition Audio Driver Package - KB835221
HiJackThis
HijackThis 2.0.2
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 6900 series
HP Imaging Device Functions 6.0
HP Photosmart Essential
HP Software Update
HP Solution Center and Imaging Support Tools 6.0
hpf_ProductContext
HPProductAssistant
HTML Slideshow Powertoy for Windows XP
Huffyuv AVI lossless video codec (Remove Only)
IcoFX 1.6.4
ImgBurn (Remove Only)
Indeo® Software
Intel® Matrix Storage Manager
Internet Explorer (Enable DEP)
ioIsland.com ClearTweak
IrfanView (remove only)
IsoBuster 2.5.5
iWisoft Free Video Converter 1.2
IZArc 3.81
J2SE Runtime Environment 5.0 Update 6
JAS
Java Auto Updater
Java™ 6 Update 20
JGsoft EditPad Lite 5.0.0
jv16 PowerTools 2010
K-Lite Codec Pack 2.20 Full
Karen's Cookie Viewer
Karen's Directory Printer
Karen's Directory Printer (C:\Program Files\DirPrn\)
Karen's Replicator
Karen's Window Watcher
Logitech MouseWare 9.80
Lotus SmartSuite Release 9.5
LP6980_Help
LP6980Trb
Macromedia Dreamweaver 4
Macromedia Extension Manager
Macromedia Flash 5
MainConcept MJPEG Codec Demo
MainConcept MJPG software codec (Remove Only)
Malwarebytes' Anti-Malware
MediaCoder 0.6.0
MediaInfo 0.7.8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Image Composite Editor
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Mmm
Mozilla Firefox (3.6.10)
Mp3tag v2.46a
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
MultiRen Shell Extension
Nero 6 Ultra Edition
Nero Digital
NewsBin Pro
NVIDIA Drivers
NVIDIA Performance Drivers
Paint Shop Pro 7
Panda ActiveScan 2.0
PC Inspector smart recovery
Peck's Power Join
Pixo
Player
PowerDVD
PowerQuest PartitionMagic 7.0
Prism Video Converter
Process Hacker 1.11
Quicken Deluxe 99
QuickTime
Readme
Revo Uninstaller Pro 2.4.1
ScanSoft OmniPage SE 4
SearchAssist
SeaTools for Windows
Secunia PSI
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SequoiaView
Snood for Windows version 3.51-W
SolutionCenter
SolveigMM AVI Trimmer
Sonic Activation Module
Sound Control v2.15
SoundMAX
Spybot - Search & Destroy
SpywareBlaster 4.4
Squeezebox Server 7.5.0
Startup Cop
Status
STOIK Video Converter 2
SUPER © Version 2010.bld.38 (May 2, 2010)
SUPERAntiSpyware Professional
System Explorer 1.5
TaxACT 2008
TaxACT 2008 New York
TaxACT 2009
TaxACT 2009 New York
TrayApp
TrueCrypt
Tweak UI
Uninstall 1.0.0.1
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
What's my computer doing 1.xx
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Support Tools
Windows XP Service Pack 3
WinHTTrack Website Copier 3.43-9
WinRAR archiver
WordWeb
XnView 1.95.4
xplorer² professional 32 bit
Xvid 1.2.2 final uninstall
xVideoServiceThief

==== Event Viewer Messages From Past Week ========

9/24/2010 6:22:42 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load:
9/23/2010 5:05:26 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.timefreq.bldrdoc.gov,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/22/2010 2:01:05 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.timefreq.bldrdoc.gov,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/22/2010 12:00:56 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.timefreq.bldrdoc.gov,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/22/2010 11:00:49 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.timefreq.bldrdoc.gov,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/22/2010 10:30:47 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.timefreq.bldrdoc.gov,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/22/2010 10:15:46 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time-a.timefreq.bldrdoc.gov,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
9/21/2010 7:24:27 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001D09293C16 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
9/21/2010 6:04:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
9/21/2010 6:00:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BANTExt cmdGuard cmdHlp ehdrv ElbyCDIO epfwtdir Fips intelppm IPSec MRxSmb NetBIOS NetBT pavboot RasAcd Rdbss SASDIFSV SASKUTIL Tcpip truecrypt
9/21/2010 6:00:21 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2010 6:00:21 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
9/21/2010 6:00:21 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
9/20/2010 8:10:28 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 001D09293C16 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
82233401 AFD BANTExt cmdGuard cmdHlp ehdrv ElbyCDIO epfwtdir Fips intelppm IPSec MRxSmb NetBIOS NetBT ohci1394 pavboot RasAcd Rdbss SASDIFSV SASKUTIL setup_9.0.0.722_21.09.2010_16-25drv Tcpip truecrypt

==== End Of File ===========================

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-27 10:19:29
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Ed\LOCALS~1\Temp\fftoapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xAE984C8C]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAE913610]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xAE9843C4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xAE9848A0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateKey [0xAE98543C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xAE984080]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xAE986084]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xAE984E72]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateThread [0xAE983C50]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xAE913C10]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteKey [0xAE9850B8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteValueKey [0xAE985268]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xAE983B02]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xAE985D24]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xAE984AB0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenProcess [0xAE983822]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xAE984744]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenThread [0xAE9839AA]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xAE9136D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xAE9857F2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xAE984196]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xAE985AE6]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xAE913690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xAE913650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xAE9137D0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xAE985EC4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetValueKey [0xAE985602]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xAE9845D2]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xAE913510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xAE913590]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xAE984638]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAE7B1620]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xAE983E18]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAE913750]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [10, 35, 91, AE, 90, 35, 91, ...] {ADC [0x3590ae91], DH; XCHG ECX, EAX; SCASB ; CMP [ESI-0x68], AL; SCASB }
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB819C360, 0x348EE7, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB08DBA00]
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[696] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\winlogon.exe[716] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[716] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\services.exe[760] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[760] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\lsass.exe[772] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[772] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\svchost.exe[944] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[944] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\svchost.exe[992] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[992] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\System32\svchost.exe[1076] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1076] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\svchost.exe[1172] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1172] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\spoolsv.exe[1256] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1256] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe[1420] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00965060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00964F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00964C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 009616D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00961550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00961860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00961230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 009613C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [A4, 88]
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00964960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[1440] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00964AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 005D5060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 005D4F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 005D4C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 005D16D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] USER32.dll!keybd_event 7E466783 5 Bytes JMP 005D1550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 005D1860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 005D1230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 005D13C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [6B, 88]
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 005D4960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe[1472] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 005D4AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[1492] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\HPZipm12.exe[1748] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\HPZipm12.exe[1748] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe[1776] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\System32\alg.exe[1824] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[1824] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\svchost.exe[1900] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1900] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\wdfmgr.exe[1932] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1932] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\Explorer.EXE[2332] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[2332] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2480] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\Everything\Everything.exe[2500] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Everything\Everything.exe[2500] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fppdis1.exe[2568] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\ctfmon.exe[2592] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[2592] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2600] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00395060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00394F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00391860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00391230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 003913C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [47, 88]
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00394C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 003916D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00391550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00394960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Logitech\MouseWare\system\em_exec.exe[2728] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00394AD0 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text D:\Misc Downloads\Process Explorer\procexp.exe[2828] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00DE5060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00DE4F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00DE1860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00DE1230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 00DE13C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [EC, 88]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00DE4C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 00DE16D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00DE1550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00DE4960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2888] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00DE4AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\system32\svchost.exe[3000] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[3000] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] user32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] user32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] user32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\Sound Control\SC.EXE[3336] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Sound Control\SC.EXE[3336] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text F:\Personal\Virus - Fall 2010\Bleeping Info\gmer.exe[3348] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\WINDOWS\EzDesk.exe[3400] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\EzDesk.exe[3400] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] user32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] user32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] user32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\WordWeb\wweb32.exe[3476] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\WordWeb\wweb32.exe[3476] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE[3636] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\xplorer2\xplorer2_UC.exe[3760] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 00CE5060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 00CE4F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 00CE1860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00CE1230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 00CE13C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [DC, 88]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 00CE4C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 00CE16D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] USER32.dll!keybd_event 7E466783 5 Bytes JMP 00CE1550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 00CE4960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3888] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 00CE4AD0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005060 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 10004F90 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10004C30 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
.text C:\Program Files\Outlook Express\msimn.exe[4076] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 10004960 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Outlook Express\msimn.exe[4076] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 10004AD0 C:\WINDOWS\system32\guard32.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs DCVP.sys
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat DCVP.sys

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ape\OpenWithProgids@lŮB\1˙˙˙\16xÍS\23zÍS\0234A\xb0\0\3

---- EOF - GMER 1.0.15 ----

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB8193000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 7434240 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 169.96 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 5783552 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 169.96 )
0xAE008000 C:\WINDOWS\system32\DRIVERS\82233401.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB9E5C000 iaStor.sys 815104 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xADD11000 C:\WINDOWS\system32\DRIVERS\eamon.sys 684032 bytes (ESET, Amon monitor)
0xB9D86000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xAE528000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB3996000 C:\WINDOWS\system32\drivers\Senfilt.sys 393216 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xB8002000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xAE6A2000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xADA62000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xAE74D000 C:\WINDOWS\system32\DRIVERS\8223340.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wnet_x86])
0xB3A1A000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 323584 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0xB9C9D000 DCR.sys 290816 bytes
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xAD20D000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAE5E5000 C:\WINDOWS\System32\drivers\truecrypt.sys 217088 bytes (TrueCrypt Foundation, TrueCrypt Driver)
0xB9D13000 timntr.sys 212992 bytes (Acronis, TrueImage Backup Archive Explorer)
0xB8060000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB9D47000 C:\WINDOWS\System32\DRIVERS\NDIS.SYS 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB8108000 C:\WINDOWS\system32\DRIVERS\b57xp32.sys 176128 bytes (Broadcom Corporation, Broadcom NetXtreme Gigabit Ethernet NDIS5.1 Driver.)
0xABF25000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAE598000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB8133000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xAE654000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAE67C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB39F6000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB815B000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB80B8000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xAE61A000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAE5C3000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9E3C000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xAE72E000 C:\WINDOWS\system32\DRIVERS\ehdrv.sys 126976 bytes (ESET, ESET Helper driver)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9CE4000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB80DB000 C:\WINDOWS\System32\Drivers\AnyDVD.sys 102400 bytes (SlySoft, Inc., AnyDVD Filter Driver)
0xAE63C000 C:\WINDOWS\system32\DRIVERS\epfwtdir.sys 98304 bytes (ESET, ESET Antivirus Network Redirector)
0xB9E13000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB80A1000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB9CFE000 snapman.sys 86016 bytes (Acronis, Acronis Snapshot API)
0xAD5ED000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xAE79E000 C:\WINDOWS\System32\DRIVERS\cmdguard.sys 81920 bytes (COMODO, COMODO Firewall Pro Sandbox Driver)
0xB80F4000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB817F000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAE6FB000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9D74000 inspect.sys 73728 bytes (COMODO, COMODO Firewall Pro Firewall Driver)
0xB9E2A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB8090000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB8A7F000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA2C8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys 65536 bytes (Logitech, Inc., Logitech Filter Driver for Mouse Class.)
0xBA158000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA128000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xBA228000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xAEB2B000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA218000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA138000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBA0A8000 82233402.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)
0xBA0F8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA288000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0D8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA298000 C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys 49152 bytes (Logitech, Inc., Logitech PS/2 Mouse Filter Driver.)
0xB8A9F000 C:\WINDOWS\System32\Drivers\pcouffin.sys 49152 bytes (VSO Software, low level access layer for CD/DVD/BD devices)
0xBA318000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB94F4000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0C8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA308000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0B8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA208000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB8A8F000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0E8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA258000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA278000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA118000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB9504000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xABF70000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA108000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB9514000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB49FC000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA380000 C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 32768 bytes (Acronis, TrueImage File System Filter)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3D8000 C:\WINDOWS\System32\Drivers\ElbyCDFL.sys 28672 bytes (SlySoft, Inc., ElbyCDIO Filter Driver)
0xB432C000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB431C000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA330000 pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver)
0xB49D4000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA3B0000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB49EC000 C:\WINDOWS\System32\DRIVERS\cmdhlp.sys 20480 bytes (COMODO, COMODO Firewall Pro Helper Driver)
0xB49CC000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 20480 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xB4A04000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA328000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA338000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3F0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xBA4C4000 DCVP.sys 16384 bytes
0xB9C2C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB9B84000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB3B84000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAE7D2000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xB88AE000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB9B78000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xAD2D4000 C:\WINDOWS\system32\Drivers\PROCEXP141.SYS 12288 bytes
0xAF31F000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA66A000 C:\Program Files\Broadcom\ASFIPMon\BASFND.sys 8192 bytes (Broadcom Corporation, Broadcom NetDetect Driver.)
0xBA5AE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA66E000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA5B8000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA5BA000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5D8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA60C000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA7B0000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7C1000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xBA71A000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA699000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA7BC000 C:\WINDOWS\System32\Drivers\PQNTDrv.SYS 4096 bytes
==============================================
>Stealth
==============================================
0x8A3BFF53 Unknown page with executable code, 173 bytes



#4 Elise

Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania

Posted 27 September 2010 - 11:25 AM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 EdPell

EdPell
  • Topic Starter

  • Members
  • 28 posts

Posted 27 September 2010 - 12:18 PM

Combofix Log
...................

ComboFix 10-09-26.04 - Ed 09/27/2010 13:01:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2607 [GMT -4:00]
Running from: f:\personal\Virus - Fall 2010\Bleeping Info\ComboFix.exe
AV: ESET NOD32 Antivirus 4.2 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-26 20:57 . 2010-09-27 13:49 -------- d-----w- c:\program files\Everything
2010-09-25 19:58 . 2010-09-25 19:58 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\Deployment
2010-09-25 18:24 . 2010-09-25 18:24 388096 ----a-r- c:\documents and settings\Ed\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-25 18:24 . 2010-09-25 18:24 -------- d-----w- c:\program files\Trend Micro
2010-09-25 15:07 . 2010-09-25 15:07 -------- d-----w- c:\program files\Support Tools
2010-09-22 15:09 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\82233402.sys
2010-09-22 15:09 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\8223340.sys
2010-09-22 15:09 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\82233401.sys
2010-09-21 22:40 . 2010-09-21 22:40 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-09-19 15:41 . 2010-09-19 15:41 -------- d-----w- c:\windows\ERUNT
2010-09-19 15:38 . 2010-09-19 15:53 -------- d-----w- C:\SDFix
2010-09-19 15:30 . 2010-09-19 14:26 1529241 ----a-w- C:\SDFix.exe
2010-09-17 13:54 . 2010-09-17 13:55 -------- d-----w- C:\WUAGENT
2010-09-16 12:09 . 2010-09-16 12:09 27432 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2010-09-15 21:19 . 2010-09-15 21:19 89256 ----a-w- c:\windows\system32\ElbyCDIO.dll
2010-09-15 14:08 . 2010-09-15 14:22 -------- d-----w- c:\documents and settings\All Users\Application Data\comodo
2010-09-15 14:08 . 2010-09-15 14:08 -------- d-----w- c:\documents and settings\Ed\Application Data\Comodo
2010-09-15 14:08 . 2010-09-15 14:07 87056 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-09-15 14:08 . 2010-09-15 14:07 79760 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-09-15 14:08 . 2010-09-15 14:07 24208 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-09-15 14:08 . 2010-09-15 14:07 143104 ----a-w- c:\windows\system32\guard32.dll
2010-09-15 14:07 . 2010-09-15 14:07 -------- d-----w- c:\program files\COMODO
2010-09-15 12:41 . 2010-09-15 12:41 -------- d-----w- c:\documents and settings\Ed\Local Settings\Application Data\VS Revo Group
2010-09-15 12:40 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-09-15 12:40 . 2010-09-15 12:40 -------- d-----w- c:\program files\Revo Uninstaller Pro
2010-09-14 21:28 . 2010-09-14 21:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-14 21:28 . 2010-09-17 14:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-14 21:28 . 2010-09-14 21:28 -------- d-----w- c:\documents and settings\Ed\Application Data\SUPERAntiSpyware.com
2010-09-14 21:28 . 2010-09-14 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-14 13:16 . 2010-09-14 13:16 108480 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-09-13 19:54 . 2010-09-13 19:54 63488 ----a-w- c:\documents and settings\Ed\Application Data\SUPERAntiSpyware(2).com\SUPERAntiSpyware(2)\SDDLLS(2)\SD10006(2).dll
2010-09-13 19:54 . 2010-09-13 19:54 52224 ----a-w- c:\documents and settings\Ed\Application Data\SUPERAntiSpyware(2).com\SUPERAntiSpyware(2)\SDDLLS(2)\SD10005(2).dll
2010-09-13 19:54 . 2010-09-13 19:54 117760 ----a-w- c:\documents and settings\Ed\Application Data\SUPERAntiSpyware(2).com\SUPERAntiSpyware(2)\SDDLLS(2)\UIREPAIR(2).DLL
2010-09-13 19:53 . 2010-09-14 21:28 -------- d-----w- c:\documents and settings\Ed\Application Data\SUPERAntiSpyware(2).com
2010-09-13 19:53 . 2010-09-14 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware(2).com
2010-09-13 19:53 . 2010-09-14 21:28 -------- d-----w- c:\program files\SUPERAntiSpyware(2)
2010-09-04 20:58 . 2010-09-04 20:58 -------- d-----w- c:\program files\FastStone Capture
2010-09-03 21:34 . 2010-09-03 21:34 -------- d-----w- C:\VritualRoot
2010-09-03 20:33 . 2010-09-03 20:33 -------- d-----w- c:\documents and settings\Ed\Application Data\Foxit Software
2010-08-30 21:05 . 2010-09-01 11:39 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-30 21:05 . 2010-08-30 21:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-30 21:05 . 2010-08-30 21:05 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-30 19:58 . 2009-06-30 13:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-29 22:24 . 2010-08-29 22:24 -------- d-----w- c:\program files\Panda Security
2010-08-29 22:19 . 2010-09-14 14:06 -------- d-----w- c:\documents and settings\Ed\Application Data\QuickScan
2010-08-29 22:07 . 2008-04-14 10:42 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-08-29 22:07 . 2008-04-14 10:42 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2010-08-29 20:15 . 2008-04-14 02:04 33599 ----a-w- c:\windows\system32\dllcache\watv04nt.sys
2010-08-29 20:14 . 2001-08-18 02:36 211968 ----a-w- c:\windows\system32\dllcache\um54scan.dll
2010-08-29 20:13 . 2001-08-18 02:36 10240 ----a-w- c:\windows\system32\dllcache\swpidflt.dll
2010-08-29 20:12 . 2004-08-04 11:00 26112 ----a-w- c:\windows\system32\dllcache\sm90w.dll
2010-08-29 20:11 . 2001-08-17 16:50 61504 ----a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2010-08-29 20:10 . 2004-08-04 11:00 131584 ----a-w- c:\windows\system32\dllcache\pmxviceo.dll
2010-08-29 20:09 . 2001-08-18 02:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2010-08-29 20:08 . 2001-08-17 18:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys
2010-08-29 20:07 . 2001-08-18 02:36 8192 ----a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-08-29 20:06 . 2001-08-17 17:28 50751 ----a-w- c:\windows\system32\dllcache\hsf_tone.sys
2010-08-29 20:05 . 2001-08-17 16:14 444416 ----a-w- c:\windows\system32\dllcache\fpcibase.sys
2010-08-29 20:04 . 2001-08-17 16:11 29696 ----a-w- c:\windows\system32\dllcache\dm9pci5.sys
2010-08-29 20:03 . 2001-08-17 17:51 13824 ----a-w- c:\windows\system32\dllcache\bulltlp3.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-26 17:44 . 2009-01-22 15:44 -------- d-----w- c:\program files\Lavasoft
2010-09-26 17:44 . 2009-01-22 15:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-09-26 16:41 . 2009-01-19 23:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-26 16:40 . 2009-01-22 15:51 -------- d-----w- c:\program files\SpywareBlaster
2010-09-25 21:27 . 2008-01-25 21:46 -------- d-----w- c:\program files\Broadcom
2010-09-17 14:14 . 2010-04-30 19:02 63488 ----a-w- c:\documents and settings\Ed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-17 14:14 . 2009-03-12 20:32 117760 ----a-w- c:\documents and settings\Ed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-14 21:28 . 2008-02-29 15:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-09-12 14:47 . 2010-08-05 12:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-05 17:08 . 2009-10-23 16:21 -------- d-----w- c:\program files\Avidemux 2.5
2010-09-05 16:48 . 2008-01-30 16:01 143928 ----a-w- c:\documents and settings\Ed\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-04 17:07 . 2010-08-11 20:17 -------- d-----w- c:\program files\jv16 PowerTools 2010
2010-09-02 21:54 . 2008-11-28 22:00 -------- d-----w- c:\documents and settings\Ed\Application Data\Audacity
2010-08-29 22:23 . 2009-09-15 15:25 -------- d-----w- c:\program files\ESET
2010-08-29 18:50 . 2008-02-24 21:01 -------- d-----w- c:\program files\IsoBuster
2010-08-25 14:56 . 2010-08-05 12:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-23 11:35 . 2010-08-23 11:35 -------- d-----w- c:\program files\PlotSoft
2010-08-23 11:35 . 2010-08-23 11:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PlotSoft
2010-08-21 15:51 . 2009-12-01 14:19 -------- d-----w- c:\program files\iWisoft Video Converter
2010-08-20 12:16 . 2009-01-21 22:00 -------- d-----w- c:\documents and settings\Ed\Application Data\IcoFX
2010-08-19 20:30 . 2008-02-19 19:04 -------- d-----w- c:\program files\FastStone Image Viewer
2010-08-19 12:06 . 2010-05-06 12:30 -------- d-----w- c:\program files\What's my computer doing
2010-08-17 13:17 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-15 00:37 . 2009-01-30 16:35 -------- d-----w- c:\program files\XnView
2010-08-13 15:13 . 2010-08-13 15:13 -------- d-----w- c:\program files\Secunia
2010-08-12 21:46 . 2010-04-11 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\xml_param
2010-08-12 20:05 . 2010-08-12 20:05 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-11 20:16 . 2010-03-28 18:41 -------- d-----w- c:\program files\jv16 PowerTools 2009
2010-08-06 20:02 . 2010-08-06 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-08-04 15:50 . 2009-05-14 19:41 140752 ----a-w- c:\windows\system32\drivers\eamon.sys
2010-08-03 17:28 . 2009-05-14 19:49 95896 ----a-w- c:\windows\system32\drivers\epfwtdir.sys
2010-07-29 17:31 . 2009-05-14 19:47 115008 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2010-07-22 15:49 . 2004-08-11 23:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-05-23 13:29 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-07 14:05 . 2010-07-07 14:05 14904 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-06-30 12:31 . 2004-08-11 23:00 149504 ----a-w- c:\windows\system32\schannel.dll
2009-05-03 18:11 . 2009-05-03 18:11 108 --sha-r- c:\windows\neoqaz2.dll
2008-02-16 19:00 . 2008-02-16 19:00 23 --sha-w- c:\windows\system32\dfdffd3_r.dll
2010-03-28 18:41 . 2010-03-28 18:41 23 --sha-w- c:\windows\system32\edacded0.dat
2006-05-03 09:06 . 2010-05-09 14:59 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2010-05-09 14:59 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2010-05-09 14:59 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 17:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE" [2010-09-17 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-26 8523776]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2010-09-15 1655552]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

c:\documents and settings\Ed\Start Menu\Programs\Startup\
01_Process Explorer.lnk - d:\misc downloads\Process Explorer\procexp.exe [2010-9-9 3887480]
02_tclock.lnk - d:\misc downloads\TClockLite\tclock.exe [2006-11-15 44544]
03_Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-1-6 910296]
04_Winamp.lnk - c:\program files\Winamp\winamp.exe [2010-5-25 1552736]
05_Sound Control.lnk - c:\program files\Sound Control\SC.EXE [2002-4-13 695808]
06_EzWare EzDesk.lnk - c:\windows\EzDesk.exe [2001-3-16 58368]
07_WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-12-5 65216]
Sept.lnk - f:\personal\Calendars\2010\2010_09.dec [2009-12-3 514005]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2009-1-13 221247]
egui.lnk - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe [2010-8-12 2215064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^What's my computer doing.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\What's my computer doing.lnk
backup=c:\windows\pss\What's my computer doing.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-11 13:50 20992 ------w- c:\windows\LOGI_MWX.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AnyDVD"=c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"DriveCrypt5"="c:\program files\DCX\DriveCrypt.exe" /autostart
"F.lux"="c:\documents and settings\Ed\Local Settings\Apps\F.lux\flux.exe" /noshow
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" /s
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
"Net-It Launcher"=c:\windows\system32\NILaunch.exe
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"CoolSwitch"=c:\windows\system32\taskswitch.exe
"nwiz"=nwiz.exe /install
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:Squeezebox Server 9000 tcp (UI)
"9001:TCP"= 9001:TCP:Squeezebox Server 9001 tcp (UI)
"9002:TCP"= 9002:TCP:Squeezebox Server 9002 tcp (UI)
"9003:TCP"= 9003:TCP:Squeezebox Server 9003 tcp (UI)
"9004:TCP"= 9004:TCP:Squeezebox Server 9004 tcp (UI)
"9005:TCP"= 9005:TCP:Squeezebox Server 9005 tcp (UI)
"9006:TCP"= 9006:TCP:Squeezebox Server 9006 tcp (UI)
"9007:TCP"= 9007:TCP:Squeezebox Server 9007 tcp (UI)
"9008:TCP"= 9008:TCP:Squeezebox Server 9008 tcp (UI)
"9009:TCP"= 9009:TCP:Squeezebox Server 9009 tcp (UI)
"9010:TCP"= 9010:TCP:Squeezebox Server 9010 tcp (UI)
"9100:TCP"= 9100:TCP:Squeezebox Server 9100 tcp (UI)
"8000:TCP"= 8000:TCP:Squeezebox Server 8000 tcp (UI)
"10000:TCP"= 10000:TCP:Squeezebox Server 10000 tcp (UI)
"9090:TCP"= 9090:TCP:Squeezebox Server 9090 tcp (UI)
"3483:UDP"= 3483:UDP:Squeezebox Server 3483 udp
"3483:TCP"= 3483:TCP:Squeezebox Server 3483 tcp

R0 82233402;82233402 Boot Guard Driver;c:\windows\system32\drivers\82233402.sys [9/22/2010 11:09 AM 37392]
R0 DCR;DCR;c:\windows\system32\drivers\DCR.sys [1/19/2009 7:03 PM 294120]
R0 DCVP;DCVP;c:\windows\system32\drivers\DCVP.sys [1/19/2009 7:03 PM 19624]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2010 3:58 PM 28552]
R1 82233401;82233401;c:\windows\system32\drivers\82233401.sys [9/22/2010 11:09 AM 128016]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [9/15/2010 10:08 AM 87056]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/15/2010 10:08 AM 24208]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [5/14/2009 3:49 PM 95896]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 setup_9.0.0.722_21.09.2010_16-25drv;setup_9.0.0.722_21.09.2010_16-25drv;c:\windows\system32\drivers\8223340.sys [9/22/2010 11:09 AM 315408]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 4:30 PM 79168]
R2 DriveCryptService;DriveCrypt Service;c:\program files\DCX\DCRServ.exe [1/19/2009 7:03 PM 96680]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [8/12/2010 2:16 PM 810144]
S2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL --> c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe --defaults-file=c:\docume~1\ALLUSE~1\APPLIC~1\SQUEEZ~1\Cache\my.cnf SqueezeMySQL [?]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/5/2010 8:47 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/5/2010 8:47 AM 8456]
S3 NRKCTL32;NRKCTL32;d:\misc downloads\CPU-ID\nrkctl32.sys [2/29/2008 12:35 PM 3968]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 10:05 AM 14904]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [9/15/2010 8:40 AM 27064]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 2:15 PM 12872]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2/6/2008 2:45 PM 15576]
S4 crd;crd;c:\docume~1\Ed\LOCALS~1\Temp\IXP001.TMP\poststp.exe --> c:\docume~1\Ed\LOCALS~1\Temp\IXP001.TMP\poststp.exe [?]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NORMANDY
*Deregistered* - Normandy
*Deregistered* - PROCEXP141

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = file:///D:/Misc%20Downloads/Page%201/My%20Page.htm
IE: E&xport to Microsoft Excel
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\utfh50w3.Xfr Profile\
FF - prefs.js: browser.startup.homepage - file:///D:/Misc%20Downloads/Page%201/My%20Page.htm
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\utfh50w3.Xfr Profile\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\Plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\real\browser\Plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 13:06
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\documents and settings\Ed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Ed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\documents and settings\Ed\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

- - - - - - - > 'lsass.exe'(772)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(2136)
c:\windows\system32\WININET.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-09-27 13:09:07
ComboFix-quarantined-files.txt 2010-09-27 17:09
ComboFix2.txt 2010-09-12 19:20

Pre-Run: 80,428,957,696 bytes free
Post-Run: 80,465,821,696 bytes free

- - End Of File - - FCEAE5D17D6042AD3B45191CD2F328CF


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:51 AM

Posted 27 September 2010 - 01:03 PM

All active malware is gone here, so now let's concentrate on what might be wrong with your connection.

Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.

Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.

On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.
On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.

Click OK to exit the Properties and OK to exit the other windows as well.

Now, click Start > Run and type cmd in the runbox.

A command window will open. Type ipconfig /flushdns and press enter.


Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:
@echo off
rem Collect the adapter configuration, two name lookups, two pings and the
rem routing table into one log, open it in Notepad, then delete this batch file.
(ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print) >>Log1.txt
start notepad Log1.txt
del %0

Go to the File menu at the top of the Notepad and select Save as.
Select save in: desktop
Fill in File name: test.bat
Save as type: All file types (*.*)
Click save.
Close the Notepad.
Locate and double-click test.bat on the desktop.
A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 EdPell

EdPell
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:51 AM

Posted 27 September 2010 - 01:31 PM

Elise ...
Keep in mind that I currently have a good connection (but who knows what tomorrow may bring).
...............................................................

Windows IP Configuration

Host Name . . . . . . . . . . . . : D4LB0KF1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : stny.rr.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : stny.rr.com
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1D-09-29-3C-16
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 209.18.47.61
                                    209.18.47.62
Lease Obtained. . . . . . . . . . : Monday, September 27, 2010 10:31:14 AM
Lease Expires . . . . . . . . . . : Tuesday, September 28, 2010 10:31:14 AM

DNS request timed out.
timeout was 2 seconds.
Server: dns-cac-lb-02.rr.com
Address: 209.18.47.62

Name: google.com
Addresses: 72.14.204.104, 72.14.204.147, 72.14.204.99, 72.14.204.103

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 67.195.160.76, 69.147.125.65, 72.30.2.43, 98.137.149.56
209.191.122.70

Pinging google.com [72.14.204.103] with 32 bytes of data:

Reply from 72.14.204.103: bytes=32 time=37ms TTL=53
Reply from 72.14.204.103: bytes=32 time=36ms TTL=53

Ping statistics for 72.14.204.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 36ms, Maximum = 37ms, Average = 36ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=90ms TTL=52
Reply from 98.137.149.56: bytes=32 time=90ms TTL=52

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 90ms, Maximum = 90ms, Average = 90ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 1d 09 29 3c 16 ...... Broadcom NetXtreme 57xx Gigabit Controller
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 20
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 20
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None


Windows IP Configuration

Host Name . . . . . . . . . . . . : D4LB0KF1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : stny.rr.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : stny.rr.com
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1D-09-29-3C-16
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 209.18.47.61
                                    209.18.47.62
Lease Obtained. . . . . . . . . . : Monday, September 27, 2010 10:31:14 AM
Lease Expires . . . . . . . . . . : Tuesday, September 28, 2010 10:31:14 AM

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: google.com
Addresses: 72.14.204.103, 72.14.204.104, 72.14.204.147, 72.14.204.99

Server: dns-cac-lb-01.rr.com
Address: 209.18.47.61

Name: yahoo.com
Addresses: 209.191.122.70, 67.195.160.76, 69.147.125.65, 72.30.2.43
98.137.149.56

Pinging google.com [72.14.204.103] with 32 bytes of data:

Reply from 72.14.204.103: bytes=32 time=41ms TTL=53
Reply from 72.14.204.103: bytes=32 time=39ms TTL=53

Ping statistics for 72.14.204.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 39ms, Maximum = 41ms, Average = 40ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=92ms TTL=52
Reply from 98.137.149.56: bytes=32 time=91ms TTL=52

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 91ms, Maximum = 92ms, Average = 91ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 1d 09 29 3c 16 ...... Broadcom NetXtreme 57xx Gigabit Controller
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.100 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.100 192.168.1.100 20
192.168.1.100 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.100 192.168.1.100 20
224.0.0.0 240.0.0.0 192.168.1.100 192.168.1.100 20
255.255.255.255 255.255.255.255 192.168.1.100 192.168.1.100 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:51 AM

Posted 27 September 2010 - 02:19 PM

In that case, let's monitor it till tomorrow. Just use your computer a bit and see how the connection keeps up.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 



#9 EdPell

EdPell
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:51 AM

Posted 27 September 2010 - 02:37 PM

So far, it seems that the connection goes out for four or five days, then comes back on for about the same length of time.

I didn't think I'd ever be hoping for the connection to go out.

Ed

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:51 AM

Posted 27 September 2010 - 03:37 PM

The only thing I can think about is that either your network adapter might have a problem (hardware) or it is related to a certain application you may be using, if it is not from your ISP.

Try to monitor it carefully and see if you can find out anything that may trigger this.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 



#11 EdPell

EdPell
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:51 AM

Posted 27 September 2010 - 04:30 PM

>Try to monitor it carefully and see if you can find out anything that may trigger this.<
I will, but it may be difficult. I don't recall ever losing the connection or gaining a lost connection while I was working - it happened only when the PC was booted.

I was very surprised yesterday when connection was restored while the PC was on. I was at the secondary PC at the time, so it wasn't anything I did or notice. That's what prompted me to open the Event Log to see what happened at boot and again when connection was restored. You saw that in my first post as well as in one of the tools you had me run.

If nothing else, it's heartening to know that the PC is clean from malware. Even though four of the highly regarded scanners found nothing, I feel more confident because you've been able to personally check it out using additional tools.

While I defer to your expertise, I can't help but believe that one of those 1,403 malware threats caused this and even though the threats have been eliminated, perhaps their effects linger on - but I know very little about malware types and how they work. This problem began around the same time I recognized the PC was infected. If the malware was not responsible, the coincidence is amazing.

Until the infestation, the only problem I had was an occasional BSOD on startup with the message, "Invalid work queue item". I understand this message might be caused by a hardware problem, so .......

Let's see what happens the next time it goes kablooie and I run the bat file you sent.


Thanks for your help and for hanging on.
Ed

#12 EdPell

EdPell
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:51 AM

Posted 27 September 2010 - 05:38 PM

Elise ....

I was positive I had invoked ipconfig /all when the connection was disabled, but could not recall where (or if) I saved the result. I did save it and I did find it.

It was two days ago (9/25). I didn't do any pinging as your bat file does, but here's the result. Hope it helps.

Windows IP Configuration


Host Name . . . . . . . . . . . . : D4LB0KF1
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1D-09-29-3C-16
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.224.153
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
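
The two ipconfig /all outputs above, the working lease in post #7 and the 169.254.224.153 fallback in post #12, are exactly the inputs Elise's batch file was written to collect. What follows is an added example, not code from the thread or from that batch file: a small Python script that parses ipconfig /all text and reports whether an adapter holds a real DHCP lease, an APIPA fallback address (169.254.x.x, which Windows assigns itself when no DHCP reply arrives), or a later gap such as a missing gateway or DNS server. The two embedded samples are constructed to mirror the posted outputs, and the state names and the parse_ipconfig, first and diagnose functions are this example's own.

```python
"""Classify a Windows adapter's state from `ipconfig /all` output.

Added example, not from the thread. It automates the reading done by hand
above: a good DHCP lease (192.168.1.100 plus a gateway) versus the APIPA
fallback (169.254.x.x, no gateway) Windows uses when no DHCP reply arrives.
"""
import ipaddress
import re

# Constructed sample modelled on the working output in post #7
WORKING = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : stny.rr.com
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.100
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 209.18.47.61
                                    209.18.47.62
"""

# Constructed sample modelled on the failing output in post #12
BROKEN = """\
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Autoconfiguration IP Address. . . : 169.254.224.153
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
"""

HEADER = re.compile(r"^(\S[^:.]*):$")                            # "Ethernet adapter X:"
FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s?(.*)$")  # "Key . . . : value"


def parse_ipconfig(text):
    """Map each adapter name to {field: [values]}; lines before any adapter are skipped."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m and "adapter" in m.group(1):
            current = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            last_key = m.group(1).strip()
            current.setdefault(last_key, []).append(m.group(2).strip())
        elif current is not None and last_key:
            # Continuation such as a second DNS server; ipconfig indents it,
            # forum pasting often strips the indent, so both forms are accepted
            current[last_key].append(line)
    return adapters


def first(fields, *keys):
    """First non-empty value stored under any of the given field names."""
    for k in keys:
        vals = fields.get(k)
        if vals and vals[0]:
            return vals[0]
    return ""


def diagnose(text):
    """Return {adapter: (state, detail)} naming the most basic failure per adapter."""
    results = {}
    for name, f in parse_ipconfig(text).items():
        ip = first(f, "IP Address", "IPv4 Address", "Autoconfiguration IP Address")
        ip = ip.split("(")[0].strip()  # newer Windows appends "(Preferred)"
        gw = first(f, "Default Gateway")
        dns = [d for d in f.get("DNS Servers", []) if d]
        dhcp = first(f, "Dhcp Enabled", "DHCP Enabled").lower() == "yes"
        if first(f, "Media State").lower().startswith("media disconnected"):
            verdict = ("disconnected", "no link: check cable, switch port or NIC")
        elif not ip:
            verdict = ("no_address", "adapter has no IPv4 address")
        elif ipaddress.ip_address(ip).is_link_local:
            why = (("no DHCP lease obtained; the 169.254.x.x fallback means the "
                    "DHCP request got no reply") if dhcp
                   else "a static link-local address is configured")
            verdict = ("apipa", why)
        elif not gw:
            verdict = ("no_gateway", "address assigned but no default gateway")
        elif not dns:
            verdict = ("no_dns", "routing is set but no DNS servers; lookups will fail")
        else:
            verdict = ("ok", "lease, gateway and DNS servers all present")
        results[name] = verdict
    return results


if __name__ == "__main__":
    print(diagnose(WORKING), diagnose(BROKEN))
```

Fed the saved Log1.txt, the adapter from post #12 classifies as apipa and the one from post #7 as ok. An APIPA address with DHCP enabled points at the link, the router's DHCP service or the local TCP/IP stack rather than at DNS, which is why the nslookup and ping lines in the batch-file log only become informative once an address has actually been obtained.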


#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:51 AM

Posted 28 September 2010 - 04:40 AM

Did you try to uninstall/reinstall the Broadcom NetXtreme 57xx Gigabit Controller?

You may well be right that this is caused by malware. It often messes with installed components and when removed leaves them corrupted.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 



#14 EdPell

EdPell
  • Topic Starter

  • Members
  • 28 posts
  • Local time:02:51 AM

Posted 28 September 2010 - 09:04 AM

This past Saturday, I downloaded and ran three Broadcom updates from Dell's driver web page; the Application, Diagnostics, and Driver updates, but I can't recall the details. I've been working on this problem from several angles for a month now and my brain/memory is a bit discombobulated.

One never thinks about creating a detailed problem diary until it's too late - well, this one anyway.

To answer your question more specifically, I did not uninstall anything first, I just ran the updates. I still have the updates in the Dell driver folder.

#15 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • Gender:Female
  • Location:Romania
  • Local time:10:51 AM

Posted 28 September 2010 - 09:06 AM

It is possible that the update did something to fix it. If not, you can try uninstalling the device and then reinstalling it (first make sure you download the appropriate drivers from Dell so you can reinstall afterwards).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 





