Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

BSOD error


  • This topic is locked This topic is locked
2 replies to this topic

#1 Funtikar

Funtikar

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:59 AM

Posted 30 December 2010 - 03:21 AM

I cant boot in normal mode because of a BSOD error caused by zjperspros3.sys.
Apologize me since I couldnt post the logs instead i uploaded it because im using a cellphone for posting this problem.
Before my computer got BSOD my computer was slow and when i connect to the internet ,it gets worse.I've googled but nothing related came up. using MS ip monitor i think my computer is used for sending spams and lots of it.
lots of remote port 25..
viewDrive.exe - I found this in the root of my c:\ drive and removable disk storage. I also found mfp3lr9.exe AND 0e9i.exe both were in unusual registry startup path and im sure only
these two files that were launched via registry eventhough i got rid both files but my system was still slow. other files which looks suspicious to me are fjqyhyht.sys and zjperspros3.sys
i couldnt delete or copy them.


**EDITED**
ok now im able to post the logs

i did the scan in safemode. after i googled again for the 0e9i.exe i can see that
there is some update

DDS (Ver_10-12-12.02) - NTFSx86 MINIMAL
Run by azmi at 14:36:17.25 on Thu 12/30/2010
Internet Explorer: 6.0.2900.5512

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 202.75.133.49:80
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windowsa\system32\userinit.exe
BHO: : {b70a1a54-6dfb-4ad8-9a62-2c00a3cc5bb4} - c:\progra~1\freevpn\fads.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {f40c2578-2578-f40c-7825-0cf478250cf4} - c:\windowsa\system32\alk2.dll
TB: {C70E30C7-140A-4166-A2E8-43557E62B41A} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [MSConfig] c:\windowsa\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 01000000
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: Download ALL with IDA
IE: Download with IDA
IE: {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: C:
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
SSODL: GootkitSSO - {BD231551-7B89-4E2A-AB74-5EA42B45A9B7} - c:\windowsa\system32\msxsltsso.dll
LSA: Authentication Packages = msv1_0 nwprovau
IFEO: taskmgr.exe - "c:\b\PROCEXP.EXE"

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-12-28 03:05:23 -------- d-----w- c:\program files\ExplorerXP
2010-12-28 02:54:28 -------- d-----w- c:\windowsa\system32\FileMap-by-BB
2010-12-28 02:54:28 -------- d-----w- c:\windowsa\FileMap-by-BB
2010-12-28 02:54:28 -------- d-----w- C:\FileMap-by-BB
2010-12-28 02:54:07 -------- d-----w- c:\program files\FileMap
2010-12-28 02:45:34 -------- d-----w- c:\program files\InCode Solutions
2010-12-27 08:10:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-12-27 07:48:25 0 ----a-w- c:\windowsa\system32\alk2.tmp
2010-12-27 07:42:46 -------- d-----w- c:\program files\Universal Extractor
2010-12-27 07:07:18 -------- d-----w- c:\program files\Copy of Nokia
2010-12-27 05:01:59 -------- d-----w- c:\docume~1\azmi\applic~1\ArtOfPing
2010-02-26 06:32:44 18176 ----a-w- c:\windowsa\system32\drivers\ccdcmb.sys
2010-02-26 06:19:00 1461992 ----a-w- c:\windowsa\system32\wdfcoinstaller01009.dll
2010-02-24 04:07:04 258048 ----a-w- c:\windowsa\system32\8988108.exe
2010-02-20 15:26:47 -------- d-----w- c:\program files\JRE
2010-02-20 15:24:06 -------- d-----w- c:\program files\OpenOffice.org 3
2010-02-20 15:20:31 -------- d-----w- c:\program files\Game_Maker6
2010-02-20 14:37:29 -------- d---a-w- C:\Counter-Strike 1.6
2010-02-20 13:40:41 411368 ----a-w- c:\windowsa\system32\deploytk.dll
2010-02-13 04:28:02 23552 ----a-w- c:\windowsa\system32\tikl.exe
2010-01-09 04:54:12 -------- d-----w- c:\program files\IDAl
2010-01-03 04:38:06 25984 ----a-w- c:\windowsa\system32\drivers\tap0901.sys
2010-01-03 04:38:05 -------- d-----w- c:\program files\FreeVPN
2009-12-31 04:21:04 204800 ----a-w- c:\program files\internet explorer\ssleay32.dll
2009-12-31 04:21:04 1052672 ----a-w- c:\program files\internet explorer\libeay32.dll
2009-12-31 04:15:33 -------- d-----w- c:\program files\SjBoy Special Edition - ChingLish
2009-12-28 04:21:41 1662 --sha-r- C:\dll.bat
2009-12-28 04:21:33 46080 ----a-w- C:\Locker.exe
2009-12-28 04:05:58 -------- d-----w- C:\dllg
2009-12-27 17:45:31 -------- d-----w- c:\program files\Your Freedom
2009-12-27 17:25:12 -------- d-----w- C:\ac
2009-12-26 04:56:03 -------- d-----w- C:\PROJEK
2009-12-26 04:42:05 148 ----a-w- C:\abc.bat
2009-11-19 04:20:18 -------- d-----w- c:\program files\OpenVPN
2009-11-17 04:29:54 -------- d-----w- C:\ROC
2009-11-15 04:30:09 -------- d-----w- C:\lcode
2009-11-14 04:36:04 -------- d-----w- c:\docume~1\azmi\applic~1\Not a Number
2009-11-13 10:46:54 -------- d-----w- c:\docume~1\azmi\locals~1\applic~1\Opera
2009-11-11 06:57:46 -------- d-----w- c:\program files\Game_Maker6g
2009-11-10 04:34:04 -------- d-----w- C:\test
2009-11-09 19:30:45 200704 ----a-w- c:\windowsa\system32\libssl32.dll
2009-11-09 19:30:45 1060864 ----a-w- c:\windowsa\system32\libeay32.dll
2009-11-09 15:28:14 -------- d-----w- c:\program files\Silent Walk FPS Creator 2
2009-11-09 14:55:40 -------- d-----w- C:\Vga
2009-11-09 10:17:16 114688 ----a-w- c:\windowsa\system32\BTCamVideoSource.dll
2009-11-09 09:17:17 266240 -c--a-w- c:\windowsa\system32\cd_clint.dll
2009-11-09 09:17:17 217088 -c--a-w- c:\windowsa\system32\cd_swf.dll
2009-11-09 09:17:17 -------- d-----w- c:\windowsa\system32\AdCache
2009-11-09 08:57:06 -------- d-----w- c:\windowsa\system32\WorldofGar
2009-11-08 15:53:09 -------- d-----w- c:\program files\Game Editor
2009-11-08 15:27:43 1760707 ----a-w- C:\fff.exe
2009-11-08 15:20:42 244416 ----a-w- c:\windowsa\system32\Msflxgrd.ocx
2009-11-08 15:20:41 647872 ----a-w- c:\windowsa\system32\Mscomct2.ocx
2009-11-08 15:17:06 53248 ----a-w- c:\windowsa\system32\zlib.dll
2009-11-08 15:17:05 430080 ----a-w- c:\windowsa\system32\cmcs21.ocx
2009-11-08 15:17:05 224016 ----a-w- c:\windowsa\system32\tabctl32.ocx
2009-11-08 15:17:05 212240 ----a-w- c:\windowsa\system32\richtx32.ocx
2009-11-08 15:17:05 132880 ----a-w- c:\windowsa\system32\msinet.ocx
2009-11-08 15:17:05 103744 ----a-w- c:\windowsa\system32\mscomm32.ocx
2009-11-08 15:11:45 93696 ----a-w- c:\windowsa\ST6UNST.EXE
2009-11-08 15:02:29 360580 ----a-w- c:\windowsa\eSellerateEngine.dll
2009-11-08 04:45:49 -------- d--h--w- c:\windowsa\system32\GroupPolicy
2009-11-07 04:55:35 84 ----a-w- C:\BOOTDISK.BAT
2009-11-07 04:55:35 35 ----a-w- C:\BOOTDISK.SYS
2009-11-05 19:21:48 -------- d---a-w- C:\SIMDATA
2009-11-01 05:22:57 2560 ------w- c:\windowsa\system32\xpsp4res.dll
2009-11-01 05:22:53 236032 -c----w- c:\windowsa\system32\dllcache\wordpad.exe
2009-11-01 05:19:06 -------- d-----w- c:\program files\Winwap Technologies
2009-11-01 05:18:56 1315328 -c----w- c:\windowsa\system32\dllcache\msoe.dll
2009-11-01 05:08:50 -------- d-----w- c:\docume~1\azmi\locals~1\applic~1\DOSBox
2009-11-01 04:59:39 -------- d-----w- c:\windowsa\system32\PreInstall
2009-11-01 04:45:20 2145280 -c----w- c:\windowsa\system32\dllcache\ntkrnlmp.exe
2009-11-01 04:45:06 2023936 -c----w- c:\windowsa\system32\dllcache\ntkrpamp.exe
2009-11-01 04:32:35 -------- d-----w- c:\docume~1\azmi\locals~1\applic~1\Winwap
2009-10-29 05:23:47 -------- d-----w- c:\docume~1\azmi\applic~1\Datarescue
2009-10-29 04:29:13 -------- d-----w- c:\windowsa\system32\Adobe
2009-10-28 05:07:24 -------- d-----w- c:\windowsa\Lhsp
2009-10-28 04:20:32 -------- d-----w- c:\windowsa\speech
2009-10-28 04:20:26 -------- d-----w- c:\program files\CoolSpeech
2009-10-16 10:58:08 2568 -c--a-w- c:\windowsa\system\realsvc.reg
2009-10-16 10:57:04 196072 -c--a-w- c:\windowsa\system32\dd.exe

==================== Find3M ====================

2010-02-24 12:37:59 1444352 ----a-w- c:\windowsa\explorer.exe
2010-02-24 04:06:52 34816 ----a-w- c:\windowsa\system32\svchost.exe
2010-02-20 13:39:33 73728 ----a-w- c:\windowsa\system32\javacpl.cpl
2009-11-09 09:16:56 785408 -c--a-w- c:\windowsa\GPInstall.exe
2009-09-04 21:03:36 58880 ----a-w- c:\windowsa\system32\msasn1.dll
2009-09-01 14:46:07 282654 ----a-w- c:\windowsa\system32\msaud32.acm
2009-08-06 11:24:18 21728 -c--a-w- c:\windowsa\system32\wucltui.dll.mui
2009-08-06 11:24:12 15072 -c--a-w- c:\windowsa\system32\wuaucpl.cpl.mui
2009-08-06 11:24:10 236248 ----a-w- c:\windowsa\system32\wuaucpl.cpl
2009-08-06 11:24:06 15064 -c--a-w- c:\windowsa\system32\wuapi.dll.mui
2009-08-06 11:24:00 17632 ----a-w- c:\windowsa\system32\wuaueng.dll.mui
2009-08-04 14:20:08 2066048 ----a-w- c:\windowsa\system32\ntkrnlpa.exe
2009-08-04 12:44:46 2189184 ----a-w- c:\windowsa\system32\ntoskrnl.exe
2009-07-29 04:37:01 81920 ----a-w- c:\windowsa\system32\fontsub.dll
2009-07-29 04:37:01 119808 ----a-w- c:\windowsa\system32\t2embed.dll
2009-06-10 01:19:38 2066432 ----a-w- c:\windowsa\system32\mstscax.dll
2009-05-07 15:32:35 345600 ----a-w- c:\windowsa\system32\localspl.dll
2009-04-03 04:15:24 485376 ----a-w- c:\windowsa\system32\wmspdmod.dll
2009-03-06 14:22:18 284160 ----a-w- c:\windowsa\system32\pdh.dll
2009-03-02 18:10:48 67584 -c--a-w- c:\windowsa\system32\ff_vfw.dll
2009-02-09 12:10:49 729088 ----a-w- c:\windowsa\system32\lsasrv.dll
2009-02-09 12:10:48 714752 ----a-w- c:\windowsa\system32\ntdll.dll
2009-02-09 12:10:48 617472 ----a-w- c:\windowsa\system32\advapi32.dll
2009-02-09 12:10:48 473600 ----a-w- c:\windowsa\system32\wbem\fastprox.dll
2009-02-09 12:10:48 453120 ----a-w- c:\windowsa\system32\wbem\wmiprvsd.dll
2009-02-09 12:10:48 401408 ----a-w- c:\windowsa\system32\rpcss.dll
2009-02-06 11:11:05 8192 ----a-w- c:\windowsa\system32\nwcwks.dll
2009-02-06 11:11:05 110592 ----a-w- c:\windowsa\system32\services.exe
2009-02-06 10:39:08 55808 ----a-w- c:\windowsa\system32\sc.exe
2009-02-06 10:10:02 248320 -c--a-w- c:\windowsa\system32\wbem\wmiprvse.exe
2009-01-07 18:14:10 60273 -c--a-w- c:\windowsa\system32\pthreadGC2.dll
2008-12-16 12:30:34 354304 ----a-w- c:\windowsa\system32\winhttp.dll
2008-12-11 00:33:26 86016 -c--a-w- c:\windowsa\system32\dpl100.dll
2008-12-07 18:08:06 795648 -c--a-w- c:\windowsa\system32\xvidcore.dll
2008-12-07 18:08:04 130048 -c--a-w- c:\windowsa\system32\xvidvfw.dll
2008-12-05 06:54:55 144896 ----a-w- c:\windowsa\system32\schannel.dll
2008-11-12 13:10:26 334338 ----a-w- c:\windowsa\system32\viwc.exe
2008-11-11 15:22:54 40960 ----a-w- c:\windowsa\system32\scrnrdr.exe
2008-11-07 10:55:30 26144 ----a-w- c:\windowsa\system32\spupdsvc.exe
2008-11-07 10:55:30 16928 ------w- c:\windowsa\system32\spmsgXP_2k3.dll
2008-11-06 16:37:32 3596288 -c--a-w- c:\windowsa\system32\qt-dx331.dll
2008-11-06 16:33:52 684032 -c--a-w- c:\windowsa\system32\divx.dll
2008-09-24 18:41:12 839680 -c--a-w- c:\windowsa\system32\lameACM.acm
2008-09-16 19:23:26 168448 -c--a-w- c:\windowsa\system32\unrar.dll
2008-09-10 01:14:56 1307648 ----a-w- c:\windowsa\system32\msxml6.dll
2008-09-04 17:15:04 1106944 ----a-w- c:\windowsa\system32\msxml3.dll
2008-07-07 20:26:58 253952 ----a-w- c:\windowsa\system32\es.dll
2008-06-12 14:23:32 956928 ----a-w- c:\windowsa\system32\msdtctm.dll
2008-06-12 14:23:32 91648 ----a-w- c:\windowsa\system32\mtxoci.dll
2008-06-12 14:23:32 66560 ----a-w- c:\windowsa\system32\mtxclu.dll
2008-06-12 14:23:32 58880 ----a-w- c:\windowsa\system32\msdtclog.dll
2008-06-12 14:23:32 428032 ----a-w- c:\windowsa\system32\msdtcprx.dll
2008-06-12 14:23:32 161792 ----a-w- c:\windowsa\system32\msdtcuiu.dll
2008-04-25 11:41:40 218624 ----a-w- c:\windowsa\system32\uxtheme.dll
2008-04-14 05:42:10 74240 -c--a-w- c:\windowsa\system32\usbui.dll
2008-04-14 05:42:08 74752 -c--a-w- c:\windowsa\system32\storprop.dll
2008-04-14 00:11:56 1028096 ----a-w- c:\windowsa\system32\mfc42.dll
2008-04-13 21:55:28 1804 -c--a-w- c:\windowsa\system32\Dcache.bin
2008-04-13 21:51:44 52736 ----a-w- c:\windowsa\system32\wzcsapi.dll
2008-04-13 21:51:44 52224 ----a-w- c:\windowsa\system32\dmutil.dll
2008-04-13 21:51:44 483840 ----a-w- c:\windowsa\system32\wzcsvc.dll
2008-04-13 21:51:44 47104 ----a-w- c:\windowsa\system32\cnbjmon.dll
2008-04-13 21:51:44 35328 ----a-w- c:\windowsa\system32\pid.dll
2008-04-13 21:51:44 23552 ----a-w- c:\windowsa\system32\wdmaud.drv
2008-04-13 21:51:44 20992 ----a-w- c:\windowsa\system32\hid.dll
2008-04-13 21:51:44 15360 ----a-w- c:\windowsa\system32\pjlmon.dll
2008-04-13 21:46:52 329728 -c--a-w- c:\windowsa\system32\netsetup.exe
2008-04-13 21:43:24 92424 -c--a-w- c:\windowsa\system32\rdpdd.dll
2008-04-13 21:43:24 87176 -c--a-w- c:\windowsa\system32\rdpwsx.dll
2008-04-13 21:43:22 12168 -c--a-w- c:\windowsa\system32\tsddd.dll
2008-04-13 21:43:02 299520 -c--a-w- c:\windowsa\system32\drmclien.dll
2008-04-13 21:41:58 97280 -c--a-w- c:\windowsa\system32\loadperf.dll
2008-04-13 21:40:58 218624 -c--a-w- c:\windowsa\system32\sysmon.ocx
2008-04-13 21:40:52 86016 ----a-w- c:\windowsa\system32\sl_anet.acm
2008-04-13 21:40:46 102912 -c--a-w- c:\windowsa\system32\dpcdll.dll
2008-04-13 21:40:36 81920 -c--a-w- c:\windowsa\system32\proctexe.ocx
2008-04-13 21:40:32 53279 -c--a-w- c:\windowsa\system32\odbcji32.dll
2008-04-13 21:40:22 110592 ----a-w- c:\windowsa\system32\msscript.ocx
2008-04-13 21:40:10 844314 ----a-w- c:\windowsa\system32\msdxm.ocx
2008-04-13 21:40:10 4126 -c--a-w- c:\windowsa\system32\msdxmlc.dll
2008-04-13 21:40:08 3584 ----a-w- c:\windowsa\system32\msafd.dll
2008-04-13 21:40:08 177152 -c--a-w- c:\windowsa\system32\MSCTFIME.IME
2008-04-13 21:40:08 14848 ----a-w- c:\windowsa\system32\msadp32.acm
2008-04-13 17:00:12 1845632 ----a-w- c:\windowsa\system32\win32k.sys
2008-04-13 16:15:00 17664 -c--a-w- c:\windowsa\system32\watchdog.sys
2008-04-13 16:13:32 12800 -c--a-w- c:\windowsa\system32\spiisupd.exe
2008-04-13 16:07:10 369664 ----a-w- c:\windowsa\system32\html.iec
2008-04-13 16:01:36 7424 -c--a-w- c:\windowsa\system32\kd1394.dll
2008-04-13 16:00:48 61440 ----a-w- c:\windowsa\system32\msvcrt40.dll
2008-04-13 15:45:00 76800 -c--a-w- c:\windowsa\system32\msshavmsg.dll
2008-04-13 15:09:30 438784 -c--a-w- c:\windowsa\system32\xpob2res.dll
2008-04-13 15:09:26 3385856 ----a-w- c:\windowsa\system32\xpsp2res.dll
2008-04-13 15:09:24 187392 ----a-w- c:\windowsa\system32\xpsp1res.dll
2008-04-13 15:08:00 306176 -c--a-w- c:\windowsa\system32\slbcsp.dll
2008-04-13 15:08:00 169984 -c--a-w- c:\windowsa\system32\sccbase.dll
2008-04-13 15:08:00 101888 -c--a-w- c:\windowsa\system32\gpkcsp.dll
2008-04-13 15:07:58 208384 ----a-w- c:\windowsa\system32\rsaenh.dll
2008-04-13 15:07:58 138752 ----a-w- c:\windowsa\system32\dssenh.dll
2008-04-13 14:58:22 2940928 ----a-w- c:\windowsa\system32\wmploc.dll
2008-04-13 14:57:20 79872 ----a-w- c:\windowsa\system32\msxml6r.dll

============= FINISH: 14:39:45.52 ===============

GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-12-28 11:37:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\azmi\LOCALS~1\Temp\pgwirfow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\zjperspros3.sys ZwEnumerateKey [0xFC4BB930]
Code 81206580 pIofCallDriver
Code \SystemRoot\system32\drivers\zjperspros3.sys ObInsertObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeDeregisterBugCheckReasonCallback + 153 80532CA2 5 Bytes JMP FC4C6012 \SystemRoot\system32\drivers\zjperspros3.sys
PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP FC4BB9E6 \SystemRoot\system32\drivers\zjperspros3.sys
PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 8056858A 7 Bytes JMP 8129E090
PAGE ntoskrnl.exe!ZwEnumerateKey 805735A4 5 Bytes JMP FC4BB934 \SystemRoot\system32\drivers\zjperspros3.sys
.reloc C:\WINDOWSA\system32\drivers\NDIS.sys section is executable [0x811D9280, 0x32B2A, 0xE0000060]
? C:\WINDOWSA\system32\drivers\zjperspros3.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWSA\system32\winlogon.exe[216] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\WINDOWSA\system32\winlogon.exe[216] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\WINDOWSA\system32\winlogon.exe[216] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\WINDOWSA\system32\winlogon.exe[216] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\WINDOWSA\system32\winlogon.exe[216] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\system32\winlogon.exe[216] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\WINDOWSA\system32\winlogon.exe[216] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F
.text C:\WINDOWSA\system32\services.exe[264] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\WINDOWSA\system32\services.exe[264] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\WINDOWSA\system32\services.exe[264] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\WINDOWSA\system32\services.exe[264] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\WINDOWSA\system32\services.exe[264] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\system32\services.exe[264] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\WINDOWSA\system32\services.exe[264] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F
.text C:\WINDOWSA\system32\lsass.exe[280] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF94892
.text C:\WINDOWSA\system32\lsass.exe[280] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF94921
.text C:\WINDOWSA\system32\lsass.exe[280] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF9492E
.text C:\WINDOWSA\system32\lsass.exe[280] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF94BB2
.text C:\WINDOWSA\system32\lsass.exe[280] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\system32\lsass.exe[280] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF94917
.text C:\WINDOWSA\system32\lsass.exe[280] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF9496F
.rsrc C:\WINDOWSA\system32\svchost.exe[488] C:\WINDOWSA\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWSA\system32\svchost.exe[488] C:\WINDOWSA\system32\svchost.exe entry point in ".rsrc" section [0x0100A020]
.text C:\WINDOWSA\system32\svchost.exe[488] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\WINDOWSA\system32\svchost.exe[488] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\WINDOWSA\system32\svchost.exe[488] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\WINDOWSA\system32\svchost.exe[488] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\WINDOWSA\system32\svchost.exe[488] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\system32\svchost.exe[488] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\WINDOWSA\system32\svchost.exe[488] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F
.rsrc C:\WINDOWSA\system32\svchost.exe[556] C:\WINDOWSA\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWSA\system32\svchost.exe[556] C:\WINDOWSA\system32\svchost.exe entry point in ".rsrc" section [0x0100A020]
.text C:\WINDOWSA\system32\svchost.exe[556] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\WINDOWSA\system32\svchost.exe[556] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\WINDOWSA\system32\svchost.exe[556] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\WINDOWSA\system32\svchost.exe[556] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\WINDOWSA\system32\svchost.exe[556] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\system32\svchost.exe[556] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\WINDOWSA\system32\svchost.exe[556] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F
.rsrc C:\WINDOWSA\system32\svchost.exe[620] C:\WINDOWSA\system32\svchost.exe section is executable [0x01005000, 0x5600, 0xE0000060]
.rsrc C:\WINDOWSA\system32\svchost.exe[620] C:\WINDOWSA\system32\svchost.exe entry point in ".rsrc" section [0x0100A020]
.text C:\WINDOWSA\system32\svchost.exe[620] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\WINDOWSA\system32\svchost.exe[620] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\WINDOWSA\system32\svchost.exe[620] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\WINDOWSA\system32\svchost.exe[620] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\WINDOWSA\system32\svchost.exe[620] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\system32\svchost.exe[620] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\WINDOWSA\system32\svchost.exe[620] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F
.reloc C:\WINDOWSA\Explorer.EXE[864] C:\WINDOWSA\Explorer.EXE section is executable [0x0115A000, 0x8800, 0xE0000060]
.reloc C:\WINDOWSA\Explorer.EXE[864] C:\WINDOWSA\Explorer.EXE entry point in ".reloc" section [0x01162631]
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F
.text C:\WINDOWSA\Explorer.EXE[864] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWSA\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\WINDOWSA\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\WINDOWSA\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\WINDOWSA\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\WINDOWSA\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\WINDOWSA\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\WINDOWSA\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\WINDOWSA\system32\wbem\wmiprvse.exe[1116] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F
.text C:\Documents and Settings\azmi\My Documents\New Folder\GMER\gmer.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA4892
.text C:\Documents and Settings\azmi\My Documents\New Folder\GMER\gmer.exe[1420] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA4921
.text C:\Documents and Settings\azmi\My Documents\New Folder\GMER\gmer.exe[1420] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA492E
.text C:\Documents and Settings\azmi\My Documents\New Folder\GMER\gmer.exe[1420] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA4BB2
.text C:\Documents and Settings\azmi\My Documents\New Folder\GMER\gmer.exe[1420] ntdll.dll!NtOpenFile 7C90D59E 1 Byte [E8]
.text C:\Documents and Settings\azmi\My Documents\New Folder\GMER\gmer.exe[1420] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA4917
.text C:\Documents and Settings\azmi\My Documents\New Folder\GMER\gmer.exe[1420] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA496F

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT fjqyhyht.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] CC001CC2
IAT fjqyhyht.sys[ntoskrnl.exe!ZwCreateFile] 00360046
IAT fjqyhyht.sys[ntoskrnl.exe!IoGetDeviceInterfaces] 00000000
IAT fjqyhyht.sys[ntoskrnl.exe!ObfReferenceObject] 00350046
IAT fjqyhyht.sys[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 00000000
IAT fjqyhyht.sys[ntoskrnl.exe!KeTickCount] 00340046
IAT fjqyhyht.sys[ntoskrnl.exe!ZwClose] 00000000
IAT fjqyhyht.sys[ntoskrnl.exe!ObfDereferenceObject] 00330046
IAT fjqyhyht.sys[ntoskrnl.exe!KeInitializeSpinLock] 00000000
IAT fjqyhyht.sys[ntoskrnl.exe!RtlInitUnicodeString] 00320046
IAT fjqyhyht.sys[ntoskrnl.exe!DbgPrint] 00000000
IAT fjqyhyht.sys[ntoskrnl.exe!ExFreePool] 00310046
IAT fjqyhyht.sys[ntoskrnl.exe!IofCallDriver] 00000000
IAT fjqyhyht.sys[ntoskrnl.exe!ExAllocatePoolWithTag] 00310052
IAT fjqyhyht.sys[HAL.dll!KfAcquireSpinLock] 00000001
IAT fjqyhyht.sys[HAL.dll!KfReleaseSpinLock] FFFC4D83

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSA\Explorer.EXE[864] @ C:\WINDOWSA\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINDOWSA\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\NDIS \Device\Ndis [811E0984] NDIS.sys[.reloc]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWSA\system32\drivers\zjperspros3.sys (*** hidden *** ) [SYSTEM] zjperspros3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5@0021aa2721e3 0xC5 0x15 0xE6 0xFA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5@00210872a297 0x86 0x9C 0x3A 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5@0013e00764ee 0xAF 0x82 0x2D 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5@00e003406875 0x24 0x86 0x40 0x79 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5@00192de1b5be 0x7C 0x0D 0x12 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5@0c6076c8885b 0x8C 0x8D 0xD7 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081b8621a5@0026ccc3c633 0xA6 0x99 0xEA 0x4F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@ImagePath system32\drivers\zjperspros3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@DisplayName zjperspros3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@Group Filter
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@hwbls 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@hwsht 0x01 0x00
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\zjperspros3\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5@0021aa2721e3 0xC5 0x15 0xE6 0xFA ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5@00210872a297 0x86 0x9C 0x3A 0x07 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5@0013e00764ee 0xAF 0x82 0x2D 0x17 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5@00e003406875 0x91 0xD9 0x1C 0x94 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5@00192de1b5be 0x7C 0x0D 0x12 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5@0c6076c8885b 0x8C 0x8D 0xD7 0xD3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081b8621a5@0026ccc3c633 0xA6 0x99 0xEA 0x4F ...
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@ImagePath system32\drivers\zjperspros3.sys
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@DisplayName zjperspros3.sys
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@Group Filter
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@hwbls 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@hwsht 0x01 0x00
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3@hwbcr 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\zjperspros3\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\. \OpenWithProgids@\xa0_auto_file
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{016B1E81-EF27-0E22-7576-7BBCE4F24852}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{016B1E81-EF27-0E22-7576-7BBCE4F24852}@iamdjbekmbcfimkome 0x69 0x61 0x66 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{016B1E81-EF27-0E22-7576-7BBCE4F24852}@hacehdhgpkckkgjn 0x69 0x61 0x66 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25772745-2B47-F3FD-395D-9B7F4DFFC506}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25772745-2B47-F3FD-395D-9B7F4DFFC506}@fadollfogdeb 0x66 0x61 0x61 0x65 ...

---- EOF - GMER 1.0.15 ----

Attached Files


Edited by Funtikar, 30 December 2010 - 09:22 PM.


BC AdBot (Login to Remove)

 


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:11:59 PM

Posted 06 January 2011 - 09:33 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:59 PM

Posted 12 January 2011 - 11:11 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when your gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users