A whole lot of problems (redirects, laggy, unresponsive, etc.)


21 replies to this topic

#1 Babine


Posted 11 July 2011 - 02:02 PM

Hello,

My computer appears to be quite a bit slower than it should be, and from time to time, the start-up is especially slow. I recently cleaned the dust, and that's helped a bit. But often, the computer will just crash and become unresponsive, like when I turn off the computer, it sometimes doesn't respond, or when I try to open/close a program, it doesn't appear that the computer has got the command.

As well, whenever I start up, I get a RUNDLL message saying there's an error with C:\WINDOWs\wmleusy.dll. I have searched for that file on Google, and it seems non-existent.

From time to time, my explorer.exe does not load automatically so I have to manually open it. When it does load, it usually results in an instantly slow system that requires a restart.

My audio keeps on shutting down, so I constantly have to go to services.msc to restart the audio. In addition to that, the warning/alert sound keeps on sounding off, but nothing pops up and I'm not sure what it is indicating.

And lastly, my Google search results constantly redirect me to other pages, and it's not until, say, the 5th try that I actually get the desired search result. On top of that, I've got ads that pop up in my tabs despite my ad-blockers. (Electric moustache, Wal-Mart, etc.)

Edit: I just tried to do a Windows Update via the website, but it won't load, and even entering it in Wikipedia brings me the "Problem loading page" screen.

I have run Malwarebytes, but it doesn't seem to give me any good results. My logs are as follows.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:33:18 PM, on 7/9/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Wqudodeg] rundll32.exe "C:\WINDOWS\wmleusy.dll",Startup
O4 - HKCU\..\Run: [WeatherEye] C:\Documents and Settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6087.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7844 bytes


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Run by Henry at 22:44:17 on 2011-07-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1535 [GMT -7:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Wqudodeg] rundll32.exe "c:\windows\wmleusy.dll",Startup
uRun: [WeatherEye] c:\documents and settings\henry\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 64.59.144.90 64.59.144.91 64.59.150.134
TCP: Interfaces\{7CC2F5E0-9469-4E06-81DE-E0C7588BF611} : DhcpNameServer = 64.59.144.90 64.59.144.91 64.59.150.134
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\henry\application data\mozilla\firefox\profiles\4ovd82lm.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://www.questscan.com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-4 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-4 301528]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-4-3 532224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-4 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-4 42184]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-4-1 50376]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S3 cpuz134;cpuz134;\??\c:\docume~1\henry\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\henry\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2009-12-20 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2009-12-20 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2009-12-20 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2009-12-20 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2009-12-20 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2009-12-20 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2009-12-20 109864]
.
=============== Created Last 30 ================
.
2011-07-10 05:15:58 388096 ----a-r- c:\documents and settings\henry\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-07-10 05:15:55 -------- d-----w- c:\program files\Trend Micro
2011-06-11 22:49:37 -------- d-----w- c:\documents and settings\henry\application data\OverDrive
2011-06-11 22:49:13 -------- d-----w- c:\program files\OverDrive Media Console
.
==================== Find3M ====================
.
2011-05-29 16:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-17 16:34:47 0 ----a-w- c:\windows\Icaqin.bin
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-75L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200AAKS-75L9A0___________________01.03E01#5&17ef7b8e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ACAC27F
user & kernel MBR OK
copy of MBR has been found in sector 625137345
.
============= FINISH: 22:52:22.96 ===============

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-09 23:44:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD3200AAKS-75L9A0 rev.01.03E01
Running: u8gdrjul.exe; Driver: C:\DOCUME~1\Henry\LOCALS~1\Temp\fwryipob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9D5069CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x9D55BA68]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0x9D9FA464]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0x9D526AF5]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x9D6EA534]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x9D508EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x9D508F04]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x9D6E4782]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x9D50901A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0x9D5264A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x9D508E02]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x9D6EACC0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x9D508F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9D508E56]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0x9D9FA49E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x9D508FC8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x9D6EADF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9D5069EE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x9D6E5398]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0x9D9FA290]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0x9D9FA302]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0x9D50929E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0x9D527026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0x9D526E91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x9D55BB18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9D5067B8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x9D70593C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x9D705B44]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9D506A12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9D509412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9D5074AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9D508EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x9D508F2C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x9D6E4FAA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x9D509044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0x9D526805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x9D508E2E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0x9D9FA7B2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x9D508F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x9D508E84]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0x9D9FA68E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x9D508FF2]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0x9D9FA52A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0x9D526D0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9D507370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0x9D526B5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0x9D563E26]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x9D706208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x9D6EA0F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0x9D525B1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9D506A36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9D506A5A]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0x9D9FA426]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x9D6E575C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x9D706E12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9D506812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9D50694E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0x9D9FA38E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9D50692A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9D506972]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0x9D9FA8E6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0x9D9FA5AE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9D506A7E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0x9D9FA5E6]

INT 0x01 \??\C:\DOCUME~1\Henry\LOCALS~1\Temp\mbr.sys A1A59C42

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C70 8050450C 16 Bytes [AC, 8E, 50, 9D, 04, 8F, 50, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2CD8 80504574 12 Bytes [EE, 69, 50, 9D, 98, 53, 6E, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D68 80504604 12 Bytes [B8, 67, 50, 9D, 3C, 59, 70, ...] {MOV EAX, 0x3c9d5067; POP ECX; JO 0xffffffffffffffa5; INC ESP; POP EBX; JO 0xffffffffffffffa9}
.text ntkrnlpa.exe!ZwCallbackReturn + 2DAC 80504648 16 Bytes [DC, 8E, 50, 9D, 2C, 8F, 50, ...] {FMUL QWORD [ESI-0x70d362b0]; PUSH EAX; POPF ; STOSB ; DEC EDI; OUTSB ; POPF ; INC ESP; NOP ; PUSH EAX; POPF }
.text ntkrnlpa.exe!ZwCallbackReturn + 2F30 805047CC 5 Bytes [36, 6A, 50, 9D, 5A]
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64A8 4 Bytes CALL 9D507E25 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC556 5 Bytes JMP 9D56C29E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 805C2FDA 5 Bytes JMP 9D56DD38 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? C:\DOCUME~1\Henry\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[444] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[444] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[444] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[444] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Documents and Settings\Henry\Desktop\u8gdrjul.exe[452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Documents and Settings\Henry\Desktop\u8gdrjul.exe[452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[508] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[548] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00070030
.text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\winlogon.exe[892] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\winlogon.exe[892] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\services.exe[940] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\services.exe[940] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\services.exe[940] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\services.exe[940] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003000E4
.text C:\WINDOWS\system32\services.exe[940] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00300120
.text C:\WINDOWS\system32\services.exe[940] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003000A8
.text C:\WINDOWS\system32\services.exe[940] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00300030
.text C:\WINDOWS\system32\services.exe[940] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\lsass.exe[952] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\lsass.exe[952] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\lsass.exe[952] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\lsass.exe[952] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\lsass.exe[952] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\lsass.exe[952] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\lsass.exe[952] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1124] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1124] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1176] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1176] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0072000A
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0073000A
.text C:\WINDOWS\System32\svchost.exe[1220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0071000C
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\System32\svchost.exe[1220] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\System32\svchost.exe[1220] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\System32\svchost.exe[1220] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\System32\svchost.exe[1220] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\System32\svchost.exe[1220] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\System32\svchost.exe[1220] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Bonjour\mDNSResponder.exe[1256] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1272] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\Java\jre6\bin\jqs.exe[1356] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1388] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1388] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1388] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00080030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0008006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003000E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00300120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003000A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00300030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1720] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\spoolsv.exe[1768] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\spoolsv.exe[1768] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\spoolsv.exe[1768] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\spoolsv.exe[1768] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\spoolsv.exe[1768] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\spoolsv.exe[1768] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\spoolsv.exe[1768] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\spoolsv.exe[1768] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Program Files\iPod\bin\iPodService.exe[1836] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\iPod\bin\iPodService.exe[1836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Program Files\iPod\bin\iPodService.exe[1836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Program Files\iPod\bin\iPodService.exe[1836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Program Files\iPod\bin\iPodService.exe[1836] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Program Files\iPod\bin\iPodService.exe[1836] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\WINDOWS\Explorer.EXE[1996] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0167000A
.text C:\WINDOWS\Explorer.EXE[1996] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0168000A
.text C:\WINDOWS\Explorer.EXE[1996] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0166000C
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003601D4
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003600E4
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360120
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0036015C
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360198
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00360030
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0036006C
.text C:\WINDOWS\Explorer.EXE[1996] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003600A8
.text C:\WINDOWS\Explorer.EXE[1996] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003700E4
.text C:\WINDOWS\Explorer.EXE[1996] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370120
.text C:\WINDOWS\Explorer.EXE[1996] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003700A8
.text C:\WINDOWS\Explorer.EXE[1996] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00370030
.text C:\WINDOWS\Explorer.EXE[1996] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0037006C
.text C:\WINDOWS\system32\svchost.exe[2008] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\system32\svchost.exe[2008] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002E01D4
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002E00E4
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002E0120
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002E015C
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002E0198
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002E0030
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002E006C
.text C:\WINDOWS\system32\svchost.exe[2008] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002E00A8
.text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002F00E4
.text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002F0120
.text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002F00A8
.text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002F0030
.text C:\WINDOWS\system32\svchost.exe[2008] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002F006C
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000D0030
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000D006C
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003401D4
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003400E4
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00340120
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0034015C
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00340198
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00340030
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0034006C
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003400A8
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003500E4
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00350120
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003500A8
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00350030
.text C:\WINDOWS\system32\SearchIndexer.exe[2084] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0035006C
.text C:\WINDOWS\RTHDCPL.EXE[2096] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00140030
.text C:\WINDOWS\RTHDCPL.EXE[2096] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0014006C
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\WINDOWS\RTHDCPL.EXE[2096] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\WINDOWS\RTHDCPL.EXE[2096] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
.text C:\WINDOWS\RTHDCPL.EXE[2096] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
.text C:\WINDOWS\RTHDCPL.EXE[2096] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
.text C:\WINDOWS\RTHDCPL.EXE[2096] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
.text C:\WINDOWS\RTHDCPL.EXE[2096] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003F00E4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003F0120
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003F00A8
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003F0030
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003F006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 004B01D4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 004B00E4
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 004B0120
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 004B015C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 004B0198
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 004B0030
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 004B006C
.text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[2104] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 004B00A8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003D01D4
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003D00E4
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003D0120
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003D015C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003D0198
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003D0030
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003D006C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003D00A8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003E00E4
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003E0120
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003E00A8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003E0030
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2336] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003E006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00080030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0008006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003000E4
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00300120
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003000A8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00300030
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2376] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0030006C
.text C:\WINDOWS\system32\ctfmon.exe[2480] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A0030
.text C:\WINDOWS\system32\ctfmon.exe[2480] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A006C
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003601D4
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003600E4
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00360120
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0036015C
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00360198
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00360030
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0036006C
.text C:\WINDOWS\system32\ctfmon.exe[2480] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003600A8
.text C:\WINDOWS\system32\ctfmon.exe[2480] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003700E4
.text C:\WINDOWS\system32\ctfmon.exe[2480] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00370120
.text C:\WINDOWS\system32\ctfmon.exe[2480] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003700A8
.text C:\WINDOWS\system32\ctfmon.exe[2480] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00370030
.text C:\WINDOWS\system32\ctfmon.exe[2480] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0037006C
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003001D4
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003000E4
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00300120
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0030015C
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00300198
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00300030
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0030006C
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003000A8
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003100E4
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00310120
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003100A8
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00310030
.text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[2672] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0031006C
.text C:\WINDOWS\System32\alg.exe[2820] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00090030
.text C:\WINDOWS\System32\alg.exe[2820] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0009006C
.text C:\WINDOWS\System32\alg.exe[2820] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E00E4
.text C:\WINDOWS\System32\alg.exe[2820] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0120
.text C:\WINDOWS\System32\alg.exe[2820] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E00A8
.text C:\WINDOWS\System32\alg.exe[2820] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E0030
.text C:\WINDOWS\System32\alg.exe[2820] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E006C
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002F01D4
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002F00E4
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002F0120
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002F015C
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002F0198
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002F0030
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002F006C
.text C:\WINDOWS\System32\alg.exe[2820] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002F00A8
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003D00E4
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003D0120
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003D00A8
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003D0030
.text C:\Documents and Settings\Henry\Desktop\dds.com[3588] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003D006C
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 3 Bytes JMP 003C01D4
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!SetServiceObjectSecurity + 4 77E36D85 1 Byte [88]
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003C00E4
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003C0120
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003C015C
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003C0198
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003C0030
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003C006C
.text C:\DOCUME~1\Henry\LOCALS~1\Temp\nsk5.tmp\MBR.DAT[3684] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003C00A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 007601D4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 007600E4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00760120
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0076015C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00760198
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00760030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0076006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 007600A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 007700E4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104A2AF4 C:\Program Files\Mozilla Firefox 4.0 Beta 3\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00770120
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 007700A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00770030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0077006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\plugin-container.exe[3704] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104A3108 C:\Program Files\Mozilla Firefox 4.0 Beta 3\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\cmd.exe[3780] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00150030
.text C:\WINDOWS\system32\cmd.exe[3780] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 0015006C
.text C:\WINDOWS\system32\cmd.exe[3780] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4
.text C:\WINDOWS\system32\cmd.exe[3780] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120
.text C:\WINDOWS\system32\cmd.exe[3780] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8
.text C:\WINDOWS\system32\cmd.exe[3780] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030
.text C:\WINDOWS\system32\cmd.exe[3780] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003B01D4
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003B00E4
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003B0120
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
.text C:\WINDOWS\system32\cmd.exe[3780] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01AF000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01B0000A
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01AE000C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 008401D4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 008400E4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00840120
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0084015C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00840198
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00840030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!CreateServiceW 77E373A9 3 Bytes JMP 0084006C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!CreateServiceW + 4 77E373AD 1 Byte [88]
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 008400A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 008500E4
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00850120
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 008500A8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00850030
.text C:\Program Files\Mozilla Firefox 4.0 Beta 3\firefox.exe[4016] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 0085006C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ACAC27F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ACAC27F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-e 8ACAC27F
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200AAKS-75L9A0___________________01.03E01#5&17ef7b8e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109A10090400000000000F01FEC\Usage@OutlookMAPI2Intl_1033 1055458131

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Henry\Desktop\attach.txt 24309 bytes
File C:\Documents and Settings\Henry\Desktop\dds.txt 11614 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@CA1BQIND.txt 112 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@CA5MREG6.txt 0 bytes

---- EOF - GMER 1.0.15 ----



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:31 PM

Posted 13 July 2011 - 02:22 PM

Hi,

Please do the following:

Download ComboFix from either of these locations:
Link 1
Link 2


VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Babine

Babine
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:31 PM

Posted 13 July 2011 - 09:52 PM

Hello, thank you for helping

ComboFix 11-07-13.04 - Henry 07/13/2011 19:14:28.9.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1266 [GMT -7:00]
Running from: c:\documents and settings\Henry\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Henry\Application Data\Sun\ivzmdl_shrd
c:\documents and settings\Henry\Application Data\Sun\mnj.dat
c:\documents and settings\Henry\Application Data\Sun\pcw
c:\documents and settings\Henry\Application Data\Sun\ppkk.dat
c:\documents and settings\Henry\Local Settings\Application Data\{DFE8FCE5-04B6-4E6C-BCC4-6B0E86D9D114}\chrome.manifest
c:\documents and settings\Henry\Local Settings\Application Data\{DFE8FCE5-04B6-4E6C-BCC4-6B0E86D9D114}\chrome\content\_cfg.js
c:\documents and settings\Henry\Local Settings\Application Data\{DFE8FCE5-04B6-4E6C-BCC4-6B0E86D9D114}\chrome\content\overlay.xul
c:\documents and settings\Henry\Local Settings\Application Data\{DFE8FCE5-04B6-4E6C-BCC4-6B0E86D9D114}\install.rdf
c:\documents and settings\NetworkService\Application Data\Sun\ivzmdl_shrd
c:\windows\system32\2310541415.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-06-14 to 2011-07-14 )))))))))))))))))))))))))))))))
.
.
2011-07-13 18:19 . 2011-06-20 17:31 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-13 18:18 . 2011-07-13 18:18 -------- d-----w- c:\program files\Lavasoft
2011-07-13 17:52 . 2011-07-13 17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-13 06:46 . 2011-07-13 06:48 -------- d-----w- c:\documents and settings\Henry\Application Data\Nitro PDF
2011-07-13 06:45 . 2011-03-21 18:15 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-07-13 06:45 . 2011-03-21 18:15 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\program files\Common Files\Nitro PDF
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\program files\Nitro PDF
2011-07-13 06:43 . 2011-07-13 06:43 -------- d-----w- c:\documents and settings\Henry\Application Data\Downloaded Installations
2011-07-10 05:15 . 2011-07-10 05:15 388096 ----a-r- c:\documents and settings\Henry\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-10 05:15 . 2011-07-10 05:15 -------- d-----w- c:\program files\Trend Micro
2011-06-25 16:15 . 2011-06-25 16:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-19 20:59 . 2011-06-19 20:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 12:00 1858944 ------w- c:\windows\system32\win32k.sys
2011-05-29 16:11 . 2011-04-26 02:25 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2011-04-26 02:25 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2009-02-03 11:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-14 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-27 14:58 . 2011-04-27 14:58 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2011-04-26 11:07 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"WeatherEye"="c:\documents and settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-08 00:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/13/2011 11:19 AM 64512]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/4/2011 5:49 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/4/2010 11:10 AM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2010 11:10 AM 19544]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17 AM 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [3/21/2011 11:17 AM 68928]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [4/1/2010 10:59 PM 50376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 10:31 AM 2151128]
S3 cpuz134;cpuz134;\??\c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/25/2011 7:25 PM 39984]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00 AM 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/20/2009 2:52 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [12/20/2009 2:52 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [12/20/2009 2:52 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [12/20/2009 2:52 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [12/20/2009 2:52 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [12/20/2009 2:52 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [12/20/2009 2:52 PM 109864]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Lavasoft Kernexplorer
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 17:31]
.
2011-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.59.144.90 64.59.144.91 64.59.150.134
FF - ProfilePath - c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://www.questscan.com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Wqudodeg - c:\windows\wmleusy.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-13 19:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\sessionstore-3.js 48608 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-75L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ACA4439]<<
c:\docume~1\Henry\LOCALS~1\Temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8acaa7d0]; MOV EAX, [0x8acaa84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ACC1AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000068[0x8ACF4F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8ACC7940]
\Driver\atapi[0x8ACC19C0] -> IRP_MJ_CREATE -> 0x8ACA4439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD3200AAKS-75L9A0___________________01.03E01#5&17ef7b8e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ACA427F
user & kernel MBR OK
copy of MBR has been found in sector 625137345
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet008\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1976)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-13 19:49:11
ComboFix-quarantined-files.txt 2011-07-14 02:49
.
Pre-Run: 257,211,965,440 bytes free
Post-Run: 258,612,723,712 bytes free
.
Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
- - End Of File - - 9CAAE02D17D18CFCB492D75C2CBE67C9
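
The findings in the log above that matter for the symptoms in the first post are spread across three sections: the orphaned Run entry (HKCU-Run-Wqudodeg pointing at c:\windows\wmleusy.dll, which is the RUNDLL error), the Firefox keyword.URL pointing at questscan.com (the search redirects) with the mixed-content warnings switched off, and the Security Center overrides. The following Python is an added example, not part of this thread and not ComboFix's own logic: it runs a triage pass over lines in ComboFix's output format. The sample lines are constructed copies of the formats seen above, and every heuristic (a Run entry that points at a DLL or at a file dropped directly in %WINDIR%, a driver whose image lives in a Temp folder or cannot be verified, Security Center overrides, an address-bar search URL outside the usual engines, disabled Firefox warnings) is an assumption of this example.

```python
"""Triage pass over ComboFix-style log lines.

Added example, not part of this thread and not ComboFix's own logic. The
sample lines are constructed copies of the formats seen in the log above;
every heuristic below is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in ComboFix's output format (a few lines per section).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
S3 cpuz134;cpuz134;\??\c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/25/2011 7:25 PM 39984]
FF - prefs.js: keyword.URL - hxxp://www.questscan.com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
user_pref(security.warn_viewing_mixed,false);
FF - user.js: security.warn_submit_insecure.show_once - false
HKCU-Run-Wqudodeg - c:\windows\wmleusy.dll
"""

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN = re.compile(r'^(?:HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$')
SERVICE = re.compile(r'^[RS]\d (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
SC_OVERRIDE = re.compile(r'^"(?:AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FF_PREF = re.compile(r'^FF - (?:prefs|user)\.js: (?P<key>\S+) - (?P<val>.+)$')
USER_PREF = re.compile(r'^user_pref\((?P<key>[^,]+),(?P<val>[^)]+)\);$')
KNOWN_SEARCH_HOSTS = ("google.", "bing.", "yahoo.")   # assumption: engines the user would expect


@dataclass
class Finding:
    severity: str   # "high" = look at this first, "info" = explain or accept
    reason: str
    line: str


def suspicious_run_target(path: str) -> Optional[str]:
    """Why a Run-key target looks wrong, or None if it looks ordinary."""
    p = path.lower().replace("/", "\\")
    if p.endswith(".dll"):
        return "Run entry loads a DLL (via rundll32) instead of an executable"
    if re.match(r"^c:\\windows\\[^\\]+$", p):
        return "Run entry executes a file dropped directly in %WINDIR%"
    return None


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):          # registry key header starts a new section
            section = line.lower()
            continue
        m = RUN_VALUE.match(line)
        if m and section.endswith("\\run]"):
            why = suspicious_run_target(m.group("path"))
            if why:
                findings.append(Finding("high", why, line))
            continue
        m = ORPHAN.match(line)
        if m:                                   # ComboFix removed it already; record why it mattered
            why = suspicious_run_target(m.group("path")) or "orphaned Run entry"
            findings.append(Finding("high", why + " (removed as orphan)", line))
            continue
        if SC_OVERRIDE.match(line) and "security center" in section:
            findings.append(Finding("info", "Security Center status override set", line))
            continue
        m = SERVICE.match(line)
        if m:
            rest = m.group("rest").lower()
            if "\\temp\\" in rest or rest.endswith("[?]"):
                findings.append(Finding("high", "driver/service image in a Temp folder or unverifiable", line))
            continue
        m = FF_PREF.match(line) or USER_PREF.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "keyword.URL":
                host = urlparse(val.replace("hxxp", "http", 1)).hostname or ""
                if not any(h in host for h in KNOWN_SEARCH_HOSTS):
                    findings.append(Finding("high", f"address-bar search redirected to {host}", line))
            elif key.startswith("security.warn_") and val == "false":
                findings.append(Finding("info", "Firefox insecure-content warning switched off", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample it reports three high findings (the orphaned DLL Run entry, the driver in %TEMP%, the questscan search URL) and four informational ones (the two Security Center overrides and the two Firefox warnings that were disabled). The informational ones need judgement rather than cleanup: the overrides are commonly set when a third-party antivirus or firewall such as the avast and ZoneAlarm products in this log takes over status reporting, and the Temp-folder driver carries a name consistent with the CPU-Z utility, so the heuristic flags it as worth a look rather than as malware.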

#4 Babine (Topic Starter, Members)
Posted 13 July 2011 - 10:08 PM

I restarted afterwards and the RUNDLL message no longer pops up.

#5 CatByte (Malware Response Team, Canada)
Posted 14 July 2011 - 09:03 AM

Hi,

Please download FixTDSS and save it to your desktop

http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

Click on the FixTDSS.exe icon to run it, follow the prompts, and please advise if anything is found.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 Babine (Topic Starter, Members)
Posted 14 July 2011 - 02:27 PM

An MBR was found and repaired.
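
FixTDSS repairing the MBR fits what Gmer's MBR detector reported in the earlier log: "copy of MBR has been found in sector 625137345", a sector close to the end of a 320 GB disk. A bootkit that replaces sector 0 usually keeps the original MBR somewhere else on the drive so it can hand control back to the real boot code after its own loader has run, and looking for such a copy in otherwise unused tail sectors is one way to spot the replacement. The Python below is an added example, not the thread's code and not Gmer's or Symantec's: it builds a constructed disk image in memory (made-up partition table, stand-in boot code bytes, a made-up stash sector) and scans the tail for sectors that carry sector 0's partition table. A copy whose partition table matches but whose boot code differs from the live sector 0 is the pattern a repair tool restores from.

```python
"""Scan the tail of a disk image for copies of the MBR.

Added example, not code from the thread, from Gmer's detector or from
FixTDSS. The disk image is constructed in memory; the layout, LBA numbers
and boot-code bytes are made up for the example.
"""
import struct
from typing import Dict, List, Optional, Tuple

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> Optional[Tuple[bytes, List[Dict[str, int]]]]:
    """Return (raw 64-byte partition table, non-empty entries) or None if no MBR signature."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        return None
    table = sector[446:510]
    entries = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        boot_flag, ptype = entry[0], entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:          # partition type 0 means the slot is unused
            entries.append({"bootable": boot_flag == 0x80, "type": ptype,
                            "start_lba": start_lba, "sectors": count})
    return table, entries


def find_mbr_copies(image: bytes, tail_sectors: int = 2048) -> List[Tuple[int, bool]]:
    """Sectors among the last `tail_sectors` that carry sector 0's partition table.

    Each hit is (lba, same_boot_code). A copy with the same table but different
    boot code is what a replaced MBR with the original stashed away looks like.
    """
    live = parse_mbr(image[:SECTOR])
    if live is None:
        raise ValueError("sector 0 carries no MBR signature")
    live_table, _ = live
    total = len(image) // SECTOR
    hits = []
    for lba in range(max(1, total - tail_sectors), total):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        parsed = parse_mbr(sector)
        if parsed is not None and parsed[0] == live_table:
            hits.append((lba, sector[:446] == image[:446]))
    return hits


def _mbr(boot_code: bytes, table: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code padded to 446 bytes, table, signature."""
    assert len(table) == 64
    return boot_code.ljust(446, b"\x00") + table + MBR_SIGNATURE


def build_image(infected: bool, total_sectors: int = 4096, stash_lba: int = 4000) -> bytes:
    """Constructed disk with one bootable NTFS-type partition. If `infected`,
    sector 0's boot code is replaced and the original MBR is stashed at `stash_lba`."""
    # status, CHS start, type 0x07, CHS end, LBA start, sector count (all made up)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2048)
    table = entry + b"\x00" * 48
    original = _mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C", table)   # stand-in for real boot code
    loader = _mbr(b"\xEB\xFE", table)                             # stand-in for a bootkit loader
    sectors = bytearray(total_sectors * SECTOR)
    sectors[0:SECTOR] = loader if infected else original
    if infected:
        sectors[stash_lba * SECTOR:(stash_lba + 1) * SECTOR] = original
    return bytes(sectors)


if __name__ == "__main__":
    for label, img in (("clean", build_image(False)), ("infected", build_image(True))):
        print(label, find_mbr_copies(img))
```

On a real machine the image would be read from the raw device (\\.\PhysicalDrive0 on Windows) rather than built in memory, and the scan window would cover the unpartitioned space after the last partition rather than a fixed 2048 sectors. The comparison is deliberately on the partition table only, because a bootkit keeps that intact so the OS still boots; the differing first 446 bytes are the part that was replaced.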

#7 CatByte (Malware Response Team, Canada)
Posted 14 July 2011 - 07:24 PM

Very good.

Please re-run ComboFix, allow it to update if it requests to do so, and post the resulting log.

#8 Babine (Topic Starter, Members)
Posted 14 July 2011 - 11:26 PM

ComboFix 11-07-14.05 - Henry 07/14/2011 18:34:31.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1531 [GMT -7:00]
Running from: c:\documents and settings\Henry\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
.
.
2011-07-14 03:19 . 2011-07-14 03:19 122 ---ha-w- C:\aaw7boot.cmd
2011-07-13 18:19 . 2011-06-20 17:31 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-13 18:18 . 2011-07-13 18:18 -------- d-----w- c:\program files\Lavasoft
2011-07-13 17:52 . 2011-07-13 17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-13 06:46 . 2011-07-13 06:48 -------- d-----w- c:\documents and settings\Henry\Application Data\Nitro PDF
2011-07-13 06:45 . 2011-03-21 18:15 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-07-13 06:45 . 2011-03-21 18:15 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\program files\Common Files\Nitro PDF
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\program files\Nitro PDF
2011-07-13 06:43 . 2011-07-13 06:43 -------- d-----w- c:\documents and settings\Henry\Application Data\Downloaded Installations
2011-07-10 05:15 . 2011-07-10 05:15 388096 ----a-r- c:\documents and settings\Henry\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-10 05:15 . 2011-07-10 05:15 -------- d-----w- c:\program files\Trend Micro
2011-06-25 16:15 . 2011-06-25 16:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-19 20:59 . 2011-06-19 20:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 12:00 1858944 ------w- c:\windows\system32\win32k.sys
2011-05-29 16:11 . 2011-04-26 02:25 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2011-04-26 02:25 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2009-02-03 11:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-14 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-27 14:58 . 2011-04-27 14:58 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2011-04-26 11:07 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-14_02.44.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-15 01:14 . 2011-07-15 01:14 16384 c:\windows\temp\Perflib_Perfdata_bc4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"WeatherEye"="c:\documents and settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-08 00:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/13/2011 11:19 AM 64512]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/4/2011 5:49 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/4/2010 11:10 AM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2010 11:10 AM 19544]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17 AM 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [3/21/2011 11:17 AM 68928]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [4/1/2010 10:59 PM 50376]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [6/20/2011 10:31 AM 2151128]
S3 cpuz134;cpuz134;\??\c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [6/20/2011 10:31 AM 15232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/25/2011 7:25 PM 39984]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00 AM 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/20/2009 2:52 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [12/20/2009 2:52 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [12/20/2009 2:52 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [12/20/2009 2:52 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [12/20/2009 2:52 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [12/20/2009 2:52 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [12/20/2009 2:52 PM 109864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-06-20 17:31]
.
2011-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.59.144.90 64.59.144.91 64.59.150.134
FF - ProfilePath - c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://www.questscan.com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-14 18:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet008\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(452)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\hnetcfg.dll
.
Completion time: 2011-07-14 18:47:10
ComboFix-quarantined-files.txt 2011-07-15 01:47
ComboFix2.txt 2011-07-14 02:49
.
Pre-Run: 258,200,797,184 bytes free
Post-Run: 258,231,369,728 bytes free
.
Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
- - End Of File - - A98A2C4EF83DF95107A8F1AA25FF9A04

#9 CatByte (Malware Response Team, Canada)
Posted 15 July 2011 - 08:48 AM

Hi,

Please do the following:
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FixCSet::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT




  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

#10 Babine (Topic Starter, Members)
Posted 16 July 2011 - 12:02 AM

I'm just wondering: when I dropped the file onto ComboFix, it ran for a while, then asked if I wanted to put ComboFix in the recycling bin. Is that normal? Also, when the computer restarted, the program ran, but nothing was happening.

Also, I forgot to mention that occasionally the status bars and taskbar suddenly turn into the Windows 98 appearance.

#11 CatByte (Malware Response Team, Canada)
Posted 16 July 2011 - 05:00 AM

Do you remember exactly what file it asked if you wanted to put into the recycle bin? Did you say yes or no?

Also, was there another log produced? Did it complete its run? The log should be at C:\Combofix.txt

do you still have the ComboFix icon on the desktop or did it delete itself?


Please run the following:


Download FixTDSS and save it to your desktop.

Double click on the FixTDSS.exe icon to run it.

Click the "I Accept" button, then the "Proceed" button to begin

The tool will restart your computer automatically - click OK to allow it to do so

The tool will begin its scan on reboot > click "run" to begin

It will report if an infected MBR is found > click the "repair" button


let me know if it finds and repairs anything

#12 Babine (Topic Starter, Members)
Posted 17 July 2011 - 08:11 PM

The recent scan found nothing.

It asked if I wanted to put the folder "ComboFix" into the Recycle Bin. I just closed the window. And no other log was produced. The ComboFix icon is still on the desktop.

#13 CatByte (Malware Response Team, Canada)
Posted 17 July 2011 - 08:14 PM

OK, thanks

Not sure what that little hiccup was about; please delete the copy of ComboFix from your desktop and download a fresh copy from the following link

Link 1


Now boot into safe mode and run ComboFix in safe mode, in case malware or your AV was interfering, and post the resulting log.


To enter Safe Mode:
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account

#14 Babine (Topic Starter, Members)
Posted 17 July 2011 - 08:48 PM

ComboFix 11-07-17.03 - Henry 07/17/2011 18:13:57.13.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1339 [GMT -7:00]
Running from: c:\documents and settings\Henry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Henry\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-18 to 2011-07-18 )))))))))))))))))))))))))))))))
.
.
2011-07-17 18:05 . 2011-07-17 18:05 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-17 05:51 . 2011-07-17 05:51 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Nitro PDF
2011-07-14 03:19 . 2011-07-14 03:19 122 ---ha-w- C:\aaw7boot.cmd
2011-07-13 17:52 . 2011-07-13 17:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-13 06:46 . 2011-07-13 06:48 -------- d-----w- c:\documents and settings\Henry\Application Data\Nitro PDF
2011-07-13 06:45 . 2011-03-21 18:15 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2011-07-13 06:45 . 2011-03-21 18:15 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\program files\Common Files\Nitro PDF
2011-07-13 06:44 . 2011-07-13 06:44 -------- d-----w- c:\program files\Nitro PDF
2011-07-13 06:43 . 2011-07-13 06:43 -------- d-----w- c:\documents and settings\Henry\Application Data\Downloaded Installations
2011-07-10 05:15 . 2011-07-10 05:15 388096 ----a-r- c:\documents and settings\Henry\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-10 05:15 . 2011-07-10 05:15 -------- d-----w- c:\program files\Trend Micro
2011-06-25 16:15 . 2011-06-25 16:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-06-19 20:59 . 2011-06-19 20:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Deployment
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2008-04-14 12:00 1858944 ------w- c:\windows\system32\win32k.sys
2011-05-29 16:11 . 2011-04-26 02:25 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2011-04-26 02:25 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2009-02-03 11:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2008-04-14 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-27 14:58 . 2011-04-27 14:58 1324 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2011-04-26 11:07 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2008-04-14 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2008-04-14 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2008-04-14 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2008-04-14 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-14_02.44.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 08:19 . 2007-11-07 08:19 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90kor.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 47104 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90jpn.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90ita.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 60416 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90fra.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esp.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esn.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90enu.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 60928 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90deu.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 41984 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90cht.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 41472 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90chs.dll
+ 2007-11-07 05:51 . 2007-11-07 05:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90u.dll
+ 2007-11-07 05:51 . 2007-11-07 05:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90.dll
+ 2011-07-18 01:27 . 2011-07-18 01:27 16384 c:\windows\temp\Perflib_Perfdata_2e4.dat
+ 2009-05-11 18:42 . 2009-05-11 18:42 59888 c:\windows\system32\pxwma.dll
+ 2009-04-17 19:28 . 2009-04-17 19:28 68080 c:\windows\system32\pxinsa64.exe
+ 2009-04-17 19:28 . 2009-04-17 19:28 68080 c:\windows\system32\pxcpya64.exe
+ 2010-03-18 16:15 . 2010-03-18 16:15 80720 c:\windows\system32\mfcm100u.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 80208 c:\windows\system32\mfcm100.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 60752 c:\windows\system32\mfc100rus.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 43344 c:\windows\system32\mfc100kor.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 43856 c:\windows\system32\mfc100jpn.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 62288 c:\windows\system32\mfc100ita.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 64336 c:\windows\system32\mfc100fra.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 63824 c:\windows\system32\mfc100esn.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 55120 c:\windows\system32\mfc100enu.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 64336 c:\windows\system32\mfc100deu.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 36176 c:\windows\system32\mfc100cht.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 36176 c:\windows\system32\mfc100chs.dll
+ 2009-04-17 19:28 . 2009-04-17 19:28 68080 c:\windows\system32\drvins64.exe
+ 2009-04-17 10:00 . 2009-04-17 10:00 44944 c:\windows\system32\drivers\pxhelp20.sys
+ 2011-07-17 18:05 . 2011-07-17 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-22 04:03 . 2011-07-17 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-08-22 04:03 . 2010-02-10 15:21 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-07-17 18:05 . 2011-07-17 18:05 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-07-15 02:16 . 2011-07-15 02:16 37807 c:\windows\Installer\{C46640C0-93FE-4CD7-8B5E-EB0E92C4C2C9}\RunLightroom313212_C2C2101F05384548B5AF39E0D3B3CB50.exe
+ 2011-07-15 02:16 . 2011-07-15 02:16 37807 c:\windows\Installer\{C46640C0-93FE-4CD7-8B5E-EB0E92C4C2C9}\NewShortcut4_C2C2101F05384548B5AF39E0D3B3CB50.exe
+ 2011-07-15 02:16 . 2011-07-15 02:16 37807 c:\windows\Installer\{C46640C0-93FE-4CD7-8B5E-EB0E92C4C2C9}\ARPPRODUCTICON.exe
+ 2008-03-12 10:00 . 2008-03-12 10:00 9200 c:\windows\system32\drivers\cdralw2k.sys
+ 2008-03-12 10:00 . 2008-03-12 10:00 9072 c:\windows\system32\drivers\cdr4_xp.sys
+ 2009-03-24 08:01 . 2009-03-24 08:01 100848 c:\windows\system32\vxblock.dll
+ 2009-05-11 18:42 . 2009-05-11 18:42 440816 c:\windows\system32\PxWave.dll
+ 2009-05-11 18:42 . 2009-05-11 18:42 219632 c:\windows\system32\PxMas.dll
+ 2009-04-17 19:28 . 2009-04-17 19:28 125424 c:\windows\system32\pxinsi64.exe
+ 2009-04-09 08:02 . 2009-04-09 08:02 559600 c:\windows\system32\pxdrv.dll
+ 2009-04-17 19:28 . 2009-04-17 19:28 123888 c:\windows\system32\pxcpyi64.exe
+ 2009-05-11 18:42 . 2009-05-11 18:42 678384 c:\windows\system32\Px.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 770384 c:\windows\system32\msvcr100.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 421200 c:\windows\system32\msvcp100.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 1162744 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90u.dll
+ 2007-11-07 08:19 . 2007-11-07 08:19 1156600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfc90.dll
+ 2009-05-11 18:42 . 2009-05-11 18:42 2083312 c:\windows\system32\PxSFS.DLL
+ 2010-03-18 16:15 . 2010-03-18 16:15 4368720 c:\windows\system32\mfc100u.dll
+ 2010-03-18 16:15 . 2010-03-18 16:15 4342088 c:\windows\system32\mfc100.dll
+ 2011-07-15 02:16 . 2011-07-15 02:16 2681344 c:\windows\Installer\38e93a.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"WeatherEye"="c:\documents and settings\Henry\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-10-27 718232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Henry^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Henry\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-08 00:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 01:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/4/2011 5:49 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/4/2010 11:10 AM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/4/2010 11:10 AM 19544]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [3/21/2011 11:17 AM 196928]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [3/21/2011 11:17 AM 68928]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [4/1/2010 10:59 PM 50376]
S3 cpuz134;cpuz134;\??\c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/25/2011 7:25 PM 39984]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00 AM 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [12/20/2009 2:52 PM 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [12/20/2009 2:52 PM 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [12/20/2009 2:52 PM 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [12/20/2009 2:52 PM 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [12/20/2009 2:52 PM 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [12/20/2009 2:52 PM 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [12/20/2009 2:52 PM 109864]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.59.144.90 64.59.144.91 64.59.150.134
FF - ProfilePath - c:\documents and settings\Henry\Application Data\Mozilla\Firefox\Profiles\4ovd82lm.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.sympatico.ca/
FF - prefs.js: keyword.URL - hxxp://www.questscan.com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-17 18:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet008\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(240)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RTHDCPL.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-07-17 18:33:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-18 01:33
ComboFix2.txt 2011-07-15 01:47
ComboFix3.txt 2011-07-14 02:49
.
Pre-Run: 256,172,818,432 bytes free
Post-Run: 256,161,452,032 bytes free
.
Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
- - End Of File - - C524754C50FE02BCC8904D2334E9240D
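The log above is long, and the items a responder checks first are scattered across several sections. As an added example (not part of the thread, and not a ComboFix or BleepingComputer tool), here is a small Python parser that pulls those items out of a ComboFix log: the Firefox preference lines (a keyword.URL pointing somewhere other than the browser default is a classic search-redirect indicator, and security.warn_* set to false silences the mixed-content and insecure-submit warnings), the Security Center override values, driver/service lines whose image lives under a Temp folder or that ComboFix prints with a trailing [?] (read here as "file could not be verified on disk", which is this author's interpretation, not ComboFix documentation), and the control-set summary line at the end of the log, which is what a FixCSet:: script line targets. The sample input is an excerpt constructed from lines of the log posted above, and the severity rules are this author's, not ComboFix's.

```python
import re

# Constructed excerpt of the ComboFix log posted above (a handful of its lines,
# not the whole log). The parser is an added example, not a ComboFix feature.
SAMPLE_LOG = r"""
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
S3 cpuz134;cpuz134;\??\c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Henry\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/25/2011 7:25 PM 39984]
FF - prefs.js: keyword.URL - hxxp://www.questscan.com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
user_pref(security.warn_viewing_mixed,false);
FF - user.js: security.warn_submit_insecure.show_once - false
Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,4,5,6,7,8,9
"""

# ComboFix service lines: "<R|S><start type> <name>;<display name>;<image path ...>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Firefox prefs appear in two shapes: "FF - prefs.js: key - value" and "user_pref(key,value);"
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")
USER_PREF_RE = re.compile(r"^user_pref\(([^,]+),\s*([^)]*)\);$")
SC_OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
CSET_RE = re.compile(r"^Current=(\d+) Default=(\d+) Failed=(\d+) LastKnownGood=(\d+) Sets=([\d,]+)$")
TEMP_PATH_RE = re.compile(r"\\(temp|tmp)\\", re.I)


def parse_services(text):
    """One dict per driver/service line (R = running, S = stopped)."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        start, name, display, path = m.groups()
        out.append({
            "start": start, "name": name, "display": display, "path": path,
            "in_temp": bool(TEMP_PATH_RE.search(path)),
            # Assumption: a trailing [?] means ComboFix could not verify the file on disk.
            "unverified": path.rstrip().endswith("[?]"),
        })
    return out


def parse_control_sets(text):
    """Parse the 'Current=.. Default=.. Failed=.. LastKnownGood=.. Sets=..' summary line."""
    for line in text.splitlines():
        m = CSET_RE.match(line)
        if m:
            cur, default, failed, lkg, sets = m.groups()
            return {"current": int(cur), "default": int(default), "failed": int(failed),
                    "last_known_good": int(lkg), "sets": [int(s) for s in sets.split(",")]}
    return None


def firefox_prefs(text):
    """Collect Firefox preference key/value pairs from both line shapes."""
    prefs = {}
    for line in text.splitlines():
        m = FF_PREF_RE.match(line) or USER_PREF_RE.match(line)
        if m:
            prefs[m.group(1).strip()] = m.group(2).strip()
    return prefs


def find_indicators(text):
    """Return human-readable findings worth a second look in a ComboFix log."""
    findings = []
    prefs = firefox_prefs(text)
    url = prefs.get("keyword.URL")
    if url:  # address-bar search is being sent somewhere non-default
        findings.append(f"firefox keyword.URL overridden -> {url}")
    for key, val in prefs.items():
        if key.startswith("security.warn_") and val == "false":
            findings.append(f"firefox warning disabled: {key}")
    for line in text.splitlines():
        m = SC_OVERRIDE_RE.match(line)
        if m:  # third-party AV sets these too, so this is "review", not "infected"
            findings.append(f"security center {m.group(1)} set (AV/firewall status hidden)")
    for svc in parse_services(text):
        if svc["in_temp"] or svc["unverified"]:
            findings.append(f"driver {svc['name']} loads from Temp or unverified path: {svc['path']}")
    cs = parse_control_sets(text)
    if cs and (len(cs["sets"]) > 2 or cs["failed"]):
        findings.append(f"{len(cs['sets'])} control sets, Failed={cs['failed']} (what FixCSet:: targets)")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LOG):
        print("-", finding)
```

On the excerpt above the parser reports seven findings: the keyword.URL override, two disabled Firefox warnings, the two Security Center overrides, the cpuz134 driver registered from a Temp folder, and nine control sets with a failed set recorded. The AV/FW "Disabled" lines are deliberately not flagged, because the helper asked for real-time protection to be turned off before the run.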

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 17 July 2011 - 09:13 PM

OK

Now try the script again

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FixCSet::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Hopefully it will complete properly this time


Did you move on to MalwareBytes and ESET? If not, continue on with those scans and post the logs.


Also, please advise how the computer is running now and if there are any outstanding issues.





