
Infected with WIN32 : Sirefef malware/virus


This topic is locked
12 replies to this topic

#1 pariss3

Posted 06 July 2012 - 02:36 PM

Hi,

I have been plagued for a few days now with the WIN64/WIN32: Sirefef infection and even though my Avast detects it and constantly sends things to the virus chest I am unable to completely remove this virus.

Any help would be greatly appreciated.

Thanks so much in advance.


DDS log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by pariss at 14:24:25 on 2012-07-06
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1030 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\USB TV\EM28XX\BDARemote.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.duckduckgo.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:55899
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: LivingPlay Text: {4a0ba746-d4d6-41a6-81ef-413e52b5f8d6} - c:\program files\livingplay\lplaytl.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\users\pariss\appdata\locallow\cyberdefender\cdmyidd.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: MyIdentityDefender: {a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} - c:\users\pariss\appdata\locallow\cyberdefender\cdmyidd.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RunSpySweeperScheduleAtStartup] "c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForpariss
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [<NO NAME>]
mRun: [Zboard] c:\program files\ideazon\zengine\Zboard.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [LivingPlay] c:\program files\livingplay\livingplay32.exe a
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\users\pariss\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: igl.net\hoylegames
Trusted Zone: igl.net\www
Trusted Zone: igl.net\www3
Trusted Zone: myleague.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {64CD313F-F079-4D93-959F-4D28B5519449} - hxxp://www.worldwinner.com/games/v56/jeopardy/jeopardy.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.23.01.0/iewwload.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - hxxp://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
DPF: {A3723780-9F57-484D-BD27-83FE274717F0} - hxxp://www.ibingo.com/bin/v6/setup.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
TCP: Interfaces\{BC64D18A-5F16-4724-997A-E64E40333055} : DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-7-4 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-7-4 353688]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-3-16 180224]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-7-4 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-7-4 57656]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-7-4 44808]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-26 24652]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-8 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-13 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-8 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-07-05 16:51:20 -------- d-----w- c:\users\pariss\appdata\local\Immunet
2012-07-05 13:49:48 159608 ----a-w- c:\windows\system32\mfevtps.exe.fd99.deleteme
2012-07-05 13:41:12 14664 ----a-w- c:\windows\stinger.sys
2012-07-05 13:40:59 159608 ----a-w- c:\windows\system32\mfevtps.exe.78f2.deleteme
2012-07-05 13:40:36 -------- d-----w- c:\program files\stinger
2012-07-04 21:08:35 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-04 21:08:35 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-04 21:08:10 41224 ----a-w- c:\windows\avastSS.scr
2012-07-04 17:00:04 -------- d-----w- c:\users\pariss\appdata\roaming\AVG2012
2012-07-04 16:55:30 -------- d--h--w- C:\$AVG
2012-07-04 16:55:30 -------- d-----w- c:\programdata\AVG2012
2012-07-03 23:04:05 -------- d-----w- c:\programdata\F4D5626800056EA40022869CEEC1FB6E
.
==================== Find3M ====================
.
2012-05-13 23:34:29 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-13 23:34:29 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 14:25:38.69 ===============



GMER log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-06 15:24:29
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\0000004c WDC_WD25 rev.10.0
Running: gmer.exe; Driver: C:\Users\pariss\AppData\Local\Temp\kxdiapod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8D821536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8DEF47BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8D821F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8D82CD7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8D82CDC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8D82CF48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8D82CCE8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8DEF4BAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8D82CD30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8D822146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8D82CF02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8D8228CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8D821584]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8DEF489E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8D8211EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8D8215D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8D8262A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8D823292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8D82CDA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8D82CDE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8D82CF6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8D82CD0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8D82CE8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8D82CD58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8D82CF26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8DEF4A1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8D82315E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0x8D822D08]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8D821620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8D82166E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8D82274A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8D821276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8D821426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8D8213CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8D822A2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8D822B88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8D821496]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8DEF4AE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8D8225CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8D8216BC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8DEF4954]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8D8222CE]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8DF0C744]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 340 82AFE964 4 Bytes [36, 15, 82, 8D]
.text ntkrnlpa.exe!KeSetTimerEx + 364 82AFE988 4 Bytes [BA, 47, EF, 8D]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 82AFE9E8 4 Bytes [52, 1F, 82, 8D]
.text ntkrnlpa.exe!KeSetTimerEx + 404 82AFEA28 8 Bytes [7A, CD, 82, 8D, C6, CD, 82, ...]
.text ntkrnlpa.exe!KeSetTimerEx + 410 82AFEA34 4 Bytes [48, CF, 82, 8D]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C25D5E 5 Bytes JMP 8DF0961C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82C62666 4 Bytes CALL 8D823959 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82C71FC9 4 Bytes CALL 8D82396F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject 82C8E872 5 Bytes JMP 8DF0B0FE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CDA776 7 Bytes JMP 8DF0C748 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8C80E000, 0x250DAC, 0xE8000020]
.text win32k.sys!EngCreateRectRgn + 51BE 970B4121 5 Bytes JMP 8D826D72 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 2098 970C7417 5 Bytes JMP 8D8263E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreatePalette + 3DF2 970D2D87 5 Bytes JMP 8D826E04 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + B50 970DADFC 5 Bytes JMP 8D8262DE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + F35 970DB1E1 5 Bytes JMP 8D8277FA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCombineRgn + 3A1 970DCD4F 5 Bytes JMP 8D826EDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCombineRgn + 3161 970DFB0F 5 Bytes JMP 8D8266B8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngSetRectRgn + 192F 970E27DB 5 Bytes JMP 8D826538 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 65CF 970EC989 5 Bytes JMP 8D826C2C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 8742 970EEAFC 5 Bytes JMP 8D827B90 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + A398 970F0752 5 Bytes JMP 8D826EF6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + B931 970F1CEB 5 Bytes JMP 8D826A52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + C760 9710C173 5 Bytes JMP 8D826992 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnmapFontFileFD + C833 9710C246 5 Bytes JMP 8D826C58 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 3FBB 9712E250 5 Bytes JMP 8D8276C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 7DEF 97132084 5 Bytes JMP 8D8265A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 9253 9713BA92 5 Bytes JMP 8D826E1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 442A 971445A4 5 Bytes JMP 8D8263FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 9061 971491DB 5 Bytes JMP 8D827972 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngNineGrid + 92BD 97149437 5 Bytes JMP 8D827A2A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLpkInstalled + 17 9714D4C0 5 Bytes JMP 8D8277B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStretchBlt + 3838 9715D788 5 Bytes JMP 8D827C32 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngStrokePath + 4D52 97165F06 5 Bytes JMP 8D82776A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCopyBits + 17BC 9716FA3E 5 Bytes JMP 8D8278C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!STROBJ_vEnumStart + 478A 971764CD 5 Bytes JMP 8D8264D4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + 40E 97192D0A 5 Bytes JMP 8D826790 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + CC9 9719CBE8 5 Bytes JMP 8D826664 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 26D9 971A0720 5 Bytes JMP 8D827AE8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 45CE 971A2615 5 Bytes JMP 8D826E34 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 30D9 971BA971 5 Bytes JMP 8D8268BC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFillPath + 6CAF 971BE547 5 Bytes JMP 8D826826 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? C:\Users\pariss\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskeng.exe[200] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\csrss.exe[608] KERNEL32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\wininit.exe[672] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\csrss.exe[684] KERNEL32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\services.exe[716] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
? C:\Windows\system32\services.exe[716] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll
.text C:\Windows\system32\lsass.exe[728] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\lsm.exe[736] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[816] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[928] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\ehome\ehmsas.exe[952] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 000801F8
.text C:\Windows\ehome\ehmsas.exe[952] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 000803FC
.text C:\Windows\ehome\ehmsas.exe[952] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 000A03FC
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 000A0600
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 000A1014
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 000A0804
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 000A0A08
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 000A0C0C
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 000A0E10
.text C:\Windows\ehome\ehmsas.exe[952] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 000A01F8
.text C:\Windows\ehome\ehmsas.exe[952] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 000B0804
.text C:\Windows\ehome\ehmsas.exe[952] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 000B01F8
.text C:\Windows\ehome\ehmsas.exe[952] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 000B03FC
.text C:\Windows\ehome\ehmsas.exe[952] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 000B0600
.text C:\Windows\ehome\ehmsas.exe[952] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 000B0A08
.text C:\Windows\system32\svchost.exe[996] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\atiesrxx.exe[1028] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 000501F8
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 000503FC
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 01190804
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 011901F8
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 011903FC
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 01190600
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 01190A08
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 011A03FC
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 011A0600
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 011A1014
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 011A0804
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 011A0A08
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 011A0C0C
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 011A0E10
.text C:\Program Files\OpenOffice.org 3\program\soffice.bin[1064] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 011A01F8
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1144] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1156] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1180] KERNEL32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\OpenOffice.org 3\program\soffice.exe[1184] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3412] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 00170A08
.text C:\Program Files\Ideazon\ZEngine\Zboard.exe[3460] KERNEL32.dll!LoadLibraryExW 763130C3 7 Bytes JMP 10005230 C:\Program Files\Ideazon\ZEngine\ZESystem.dll (rscoree/Remotesoft, Inc.)
.text C:\Program Files\Ideazon\ZEngine\Zboard.exe[3460] KERNEL32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\Ideazon\ZEngine\Zboard.exe[3460] USER32.dll!GetSysColorBrush 7653EECC 4 Bytes JMP 6305CBDD C:\Windows\system32\wbocx.ocx (WindowBlinds : DirectSkin /Stardock Corporation)
.text C:\Program Files\Ideazon\ZEngine\Zboard.exe[3460] USER32.dll!DefWindowProcA 7653F9E1 5 Bytes JMP 630019AC C:\Windows\system32\wbocx.ocx (WindowBlinds : DirectSkin /Stardock Corporation)
.text C:\Program Files\Ideazon\ZEngine\Zboard.exe[3460] USER32.dll!GetSysColor 76549D02 4 Bytes JMP 6305DA75 C:\Windows\system32\wbocx.ocx (WindowBlinds : DirectSkin /Stardock Corporation)
.text C:\Program Files\Ideazon\ZEngine\Zboard.exe[3460] USER32.dll!DefWindowProcW 765504BD 5 Bytes JMP 630019DB C:\Windows\system32\wbocx.ocx (WindowBlinds : DirectSkin /Stardock Corporation)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 001501F8
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 001503FC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 00160804
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 00160600
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 00160A08
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 00171014
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 00170804
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 00170A08
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 00170C0C
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 00170E10
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3696] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 001701F8
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 000401F8
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 000403FC
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] kernel32.dll!SetUnhandledExceptionFilter 76316E2D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 00060804
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 000601F8
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 000603FC
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 00060600
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 00060A08
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 000703FC
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 00070600
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 00071014
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 00070804
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 00070A08
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 00070C0C
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 00070E10
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3860] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 000701F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 000401F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 000403FC
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 000603FC
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 00060600
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 00061014
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 00060804
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 00060A08
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 00060C0C
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 00060E10
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 000601F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 6EF29A91 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!CallNextHookEx 76538C33 5 Bytes JMP 6EF1D0CD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 001701F8
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 001703FC
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxIndirectParamW 7653BD25 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxIndirectParamW 7653BD25 5 Bytes JMP 6F025329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!CreateWindowExW 76543D67 5 Bytes JMP 6EF2DB04 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxParamW 76551FD5 5 Bytes JMP 6EE554C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 00170600
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 6EE9466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxParamA 765780B2 5 Bytes JMP 6F0252C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxIndirectParamA 765783DD 5 Bytes JMP 6F02538C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxIndirectA 7658D471 5 Bytes JMP 6F02525B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxIndirectW 7658D56B 5 Bytes JMP 6F0251F0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxExA 7658D5D1 5 Bytes JMP 6F02518E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxExW 7658D5F5 5 Bytes JMP 6F02512C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ole32.dll!OleLoadFromStream 76869794 5 Bytes JMP 6F025691 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3892] ole32.dll!CoCreateInstance 7689E2D8 5 Bytes JMP 6EF2DB60 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 001601F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 001603FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 001703FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 00170600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 00171014
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 00170804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 00170A08
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 00170C0C
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 00170E10
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 001701F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 00180804
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 001801F8
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 001803FC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 00180600
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3908] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 00180A08
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3916] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\ehome\ehtray.exe[3928] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 000501F8
.text C:\Windows\ehome\ehtray.exe[3928] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 000503FC
.text C:\Windows\ehome\ehtray.exe[3928] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 000703FC
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 00070600
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 00071014
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 00070804
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 00070A08
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 00070C0C
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 00070E10
.text C:\Windows\ehome\ehtray.exe[3928] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 000701F8
.text C:\Windows\ehome\ehtray.exe[3928] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 00080804
.text C:\Windows\ehome\ehtray.exe[3928] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 000801F8
.text C:\Windows\ehome\ehtray.exe[3928] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 000803FC
.text C:\Windows\ehome\ehtray.exe[3928] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 00080600
.text C:\Windows\ehome\ehtray.exe[3928] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 00080A08
.text C:\Windows\System32\rundll32.exe[4036] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 000601F8
.text C:\Windows\System32\rundll32.exe[4036] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 000603FC
.text C:\Windows\System32\rundll32.exe[4036] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Windows\System32\rundll32.exe[4036] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 00080804
.text C:\Windows\System32\rundll32.exe[4036] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 000801F8
.text C:\Windows\System32\rundll32.exe[4036] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 000803FC
.text C:\Windows\System32\rundll32.exe[4036] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 00080600
.text C:\Windows\System32\rundll32.exe[4036] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 00080A08
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 000903FC
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 00090600
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 00091014
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 00090804
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 00090A08
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 00090C0C
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 00090E10
.text C:\Windows\System32\rundll32.exe[4036] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 000901F8
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4076] KERNEL32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ntdll.dll!LdrLoadDll 77A279B3 5 Bytes JMP 001501F8
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ntdll.dll!LdrUnloadDll 77A3E5AC 5 Bytes JMP 001503FC
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] kernel32.dll!GetBinaryTypeW + 70 76341AE8 1 Byte [62]
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!CreateServiceW 766638FF 5 Bytes JMP 002A03FC
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!DeleteService 76663BEE 5 Bytes JMP 002A0600
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!SetServiceObjectSecurity 766A66A9 5 Bytes JMP 002A1014
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!ChangeServiceConfigA 766A67A9 5 Bytes JMP 002A0804
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!ChangeServiceConfigW 766A6951 5 Bytes JMP 002A0A08
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!ChangeServiceConfig2A 766A6A69 5 Bytes JMP 002A0C0C
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!ChangeServiceConfig2W 766A6BB1 5 Bytes JMP 002A0E10
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] ADVAPI32.dll!CreateServiceA 766A6C71 5 Bytes JMP 002A01F8
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] USER32.dll!SetWindowsHookExW 76537B69 5 Bytes JMP 002B0804
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] USER32.dll!SetWinEventHook 7653915C 5 Bytes JMP 002B01F8
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] USER32.dll!UnhookWinEvent 7653B702 5 Bytes JMP 002B03FC
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] USER32.dll!SetWindowsHookExA 7655BB0E 5 Bytes JMP 002B0600
.text C:\Users\pariss\Desktop\gmer\gmer.exe[4856] USER32.dll!UnhookWindowsHookEx 765608BE 5 Bytes JMP 002B0A08

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- Files - GMER 1.0.15 ----

File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG1 13312 bytes
File C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File C:\avast! sandbox\snx_rhive{9f5cfd20-c794-11e1-a839-001a92417e92}.TM.blf 65536 bytes
File C:\avast! sandbox\snx_rhive{9f5cfd20-c794-11e1-a839-001a92417e92}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\avast! sandbox\snx_rhive{9f5cfd20-c794-11e1-a839-001a92417e92}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

---- EOF - GMER 1.0.15 ----


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:54 PM

Posted 06 July 2012 - 03:58 PM

Hi,

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Boot Menu:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Choose your language settings, and then click Next.
  • Click Repair your computer.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
    Scan your computer's memory for errors.
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter, and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 pariss3

pariss3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:54 AM

Posted 06 July 2012 - 06:52 PM

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 07-07-2012
Ran by SYSTEM at 06-07-2012 19:40:08
Running from J:\
Windows Vista ™ Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] C:\HP\KBD\KBD.EXE [61440 2005-02-02] (Hewlett-Packard Company)
HKLM\...\Run: [RtHDVCpl] RtHDVCpl.exe [x]
HKLM\...\Run: [] [x]
HKLM\...\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe [57344 2009-06-04] (Ideazon, Inc.)
HKLM\...\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" [x]
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2005-02-16] (InstallShield Software Corporation)
HKLM\...\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart [90191 2006-11-21] (NVIDIA Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [7753728 2006-11-21] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [81920 2006-11-21] (NVIDIA Corporation)
HKLM\...\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2011-01-26] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [LivingPlay] C:\Program Files\LivingPlay\livingplay32.exe a [x]
HKLM\...\Run: [TkBellExe] "C:\Program Files\Real\RealPlayer\update\realsched.exe" -osboot [296056 2011-11-28] (RealNetworks, Inc.)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4273976 2012-07-03] (AVAST Software)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1480296 2006-11-16] (Hewlett-Packard)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe [1480296 2006-11-16] (Hewlett-Packard)
HKU\pariss\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\pariss\...\Run: [RunSpySweeperScheduleAtStartup] "C:\Program Files\Hewlett-Packard\SDP\Ceement\HPCEE.exe" /ScheduleSweep=HPCeeScheduleForpariss [86016 2006-10-24] (Hewlett-Packard)
HKU\pariss\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup [221184 2005-02-16] (InstallShield Software Corporation)
HKU\pariss\...\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-18] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 209.18.47.61 209.18.47.62
Startup: C:\Users\All Users\Start Menu\Programs\Startup\BDARemote.lnk
ShortcutTarget: BDARemote.lnk -> C:\Program Files\USB TV\EM28XX\BDARemote.exe ()
Startup: C:\Users\pariss\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()

================================ Services (Whitelisted) ==================

2 AMD External Events Utility; C:\Windows\System32\atiesrxx.exe [180224 2009-03-16] (AMD)
2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-07-03] (AVAST Software)
2 Eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [21504 2008-01-18] (Microsoft Corporation)
2 Viewpoint Manager Service; "C:\Program Files\Viewpoint\Common\ViewpointService.exe" [24652 2007-01-04] (Viewpoint Corporation)
2 CLTNetCnService; "c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [x]
2 LightScribeService; "c:\Program Files\Common Files\LightScribe\LSSrvc.exe" [x]
3 stllssvr; "c:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

========================== Drivers (Whitelisted) =============

3 Alpham1; C:\Windows\System32\DRIVERS\Alpham1.sys [42624 2007-07-23] (Ideazon Corporation)
3 Alpham2; C:\Windows\System32\DRIVERS\Alpham2.sys [18432 2007-03-20] (Ideazon Corporation)
2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [21256 2012-07-03] (AVAST Software)
2 aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [57656 2012-07-03] (AVAST Software)
1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [35928 2012-07-03] (AVAST Software)
1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [721000 2012-07-03] (AVAST Software)
1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [353688 2012-07-03] (AVAST Software)
1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [54232 2012-07-03] (AVAST Software)
3 AtiHdmiService; C:\Windows\System32\drivers\AtiHdmi.sys [95760 2009-02-19] (ATI Research Inc.)
4 blbdrive; C:\Windows\system32\drivers\blbdrive.sys [x]
0 dlcm; C:\Windows\System32\drivers\hegaugh.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
0 scyjruff; C:\Windows\System32\drivers\mlbvgeym.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-06 19:39 - 2012-07-06 19:39 - 00000000 ____D C:\FRST
2012-07-06 11:24 - 2012-07-06 11:24 - 00103704 ____A C:\Users\pariss\Desktop\ark.txt
2012-07-06 10:39 - 2012-07-06 10:39 - 00000000 ____D C:\Users\pariss\Desktop\gmer
2012-07-06 10:37 - 2012-07-06 10:37 - 00294216 ____A C:\Users\pariss\Desktop\gmer.zip
2012-07-06 10:35 - 2012-07-06 10:35 - 00015459 ____A C:\Users\pariss\Desktop\Attach.txt
2012-07-06 10:35 - 2012-07-06 10:35 - 00011619 ____A C:\Users\pariss\Desktop\DDS.txt
2012-07-06 10:24 - 2012-07-06 10:24 - 00000000 ____D C:\avast! sandbox
2012-07-06 10:23 - 2012-07-06 10:23 - 00607260 ____R (Swearware) C:\Users\pariss\Desktop\dds.scr
2012-07-06 04:28 - 2012-07-06 05:49 - 00019392 ____A C:\Users\pariss\My Documents\plaintiffs response to defendents response motion authority to represent.odt
2012-07-06 04:28 - 2012-07-06 05:49 - 00019392 ____A C:\Users\pariss\Documents\plaintiffs response to defendents response motion authority to represent.odt
2012-07-05 08:51 - 2012-07-05 08:51 - 00000000 ____D C:\Users\pariss\Local Settings\Immunet
2012-07-05 08:51 - 2012-07-05 08:51 - 00000000 ____D C:\Users\pariss\Local Settings\Application Data\Immunet
2012-07-05 08:51 - 2012-07-05 08:51 - 00000000 ____D C:\Users\pariss\AppData\Local\Immunet
2012-07-05 07:42 - 2012-07-05 07:42 - 00000164 ____A C:\Users\pariss\Desktop\Download Windows Malicious Software Removal Tool - Microsoft Download Center - Download Details.url
2012-07-05 05:49 - 2012-07-05 05:49 - 00159608 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.fd99.deleteme
2012-07-05 05:41 - 2012-07-05 06:02 - 00014664 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-07-05 05:40 - 2012-07-05 06:09 - 00000000 ____D C:\Program Files\stinger
2012-07-05 05:40 - 2012-07-05 05:40 - 00159608 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.78f2.deleteme
2012-07-05 00:52 - 2012-07-06 05:37 - 00025520 ____A C:\Users\pariss\My Documents\plaintiffs reply to defendants reply to plaintiffs response and opposition mot to dismiss.odt
2012-07-05 00:52 - 2012-07-06 05:37 - 00025520 ____A C:\Users\pariss\Documents\plaintiffs reply to defendants reply to plaintiffs response and opposition mot to dismiss.odt
2012-07-04 13:08 - 2012-07-04 13:08 - 00001831 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-04 13:08 - 2012-07-04 13:08 - 00001831 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-07-04 13:08 - 2012-07-03 08:21 - 00721000 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-04 13:08 - 2012-07-03 08:21 - 00353688 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-04 13:08 - 2012-07-03 08:21 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-07-04 13:08 - 2012-07-03 08:21 - 00057656 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-04 13:08 - 2012-07-03 08:21 - 00054232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-04 13:08 - 2012-07-03 08:21 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-04 13:08 - 2012-07-03 08:21 - 00035928 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-07-04 13:08 - 2012-07-03 08:21 - 00021256 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-04 11:27 - 2012-07-06 03:08 - 00156672 ____A C:\Users\pariss\My Documents\FLYER.wps
2012-07-04 11:27 - 2012-07-06 03:08 - 00156672 ____A C:\Users\pariss\Documents\FLYER.wps
2012-07-04 09:06 - 2012-07-04 09:06 - 00033758 ____A C:\Users\pariss\Local Settings\dt.dat
2012-07-04 09:06 - 2012-07-04 09:06 - 00033758 ____A C:\Users\pariss\Local Settings\Application Data\dt.dat
2012-07-04 09:06 - 2012-07-04 09:06 - 00033758 ____A C:\Users\pariss\AppData\Local\dt.dat
2012-07-04 09:00 - 2012-07-04 09:00 - 00000000 ____D C:\Users\pariss\Application Data\AVG2012
2012-07-04 09:00 - 2012-07-04 09:00 - 00000000 ____D C:\Users\pariss\AppData\Roaming\AVG2012
2012-07-04 08:55 - 2012-07-04 12:55 - 00000000 ____D C:\Users\All Users\AVG2012
2012-07-04 08:55 - 2012-07-04 12:55 - 00000000 ____D C:\Users\All Users\Application Data\AVG2012
2012-07-04 08:55 - 2012-07-04 12:51 - 00000000 ___HD C:\$AVG
2012-07-04 01:57 - 2012-07-04 01:57 - 00000000 ____D C:\Users\All Users\WindowsSearch
2012-07-04 01:57 - 2012-07-04 01:57 - 00000000 ____D C:\Users\All Users\Application Data\WindowsSearch
2012-07-03 15:04 - 2012-07-03 15:04 - 00000000 ____D C:\Users\All Users\F4D5626800056EA40022869CEEC1FB6E
2012-07-03 15:04 - 2012-07-03 15:04 - 00000000 ____D C:\Users\All Users\Application Data\F4D5626800056EA40022869CEEC1FB6E
2012-07-01 09:48 - 2012-07-01 13:04 - 00000115 ___AH C:\Users\pariss\My Documents\.~lock.Coupons.ods#
2012-07-01 09:48 - 2012-07-01 13:04 - 00000115 ___AH C:\Users\pariss\Documents\.~lock.Coupons.ods#
2012-06-30 23:43 - 2012-06-30 23:43 - 00012843 ____A C:\Users\pariss\My Documents\response to response of opposition to dismiss.odt
2012-06-30 23:43 - 2012-06-30 23:43 - 00012843 ____A C:\Users\pariss\Documents\response to response of opposition to dismiss.odt
2012-06-26 10:47 - 2012-06-26 10:47 - 00000000 ____D C:\Users\pariss\My Documents\nc%20dianne[1]
2012-06-26 10:47 - 2012-06-26 10:47 - 00000000 ____D C:\Users\pariss\Documents\nc%20dianne[1]
2012-06-26 05:06 - 2012-06-26 05:06 - 00000120 ____A C:\Users\pariss\Desktop\Mickey On Banking - The Personal Website of Mickey Paoletta - Founder of Citizen's Reform Center, Researcher on the Federal Reserve, Expert Witness on Banking Law, Author, Musician, and Former 19th Congressional District Candidate..url
2012-06-17 08:27 - 2012-06-17 08:27 - 00009728 ____A C:\Users\pariss\My Documents\Discover Dispute Letter.wps
2012-06-17 08:27 - 2012-06-17 08:27 - 00009728 ____A C:\Users\pariss\Documents\Discover Dispute Letter.wps
2012-06-14 10:10 - 2012-06-14 10:10 - 00029466 ____A C:\Users\pariss\My Documents\Updated Coupons.ods
2012-06-14 10:10 - 2012-06-14 10:10 - 00029466 ____A C:\Users\pariss\Documents\Updated Coupons.ods
2012-06-13 04:34 - 2012-06-13 04:57 - 00009728 ____A C:\Users\pariss\My Documents\liability release.wps
2012-06-13 04:34 - 2012-06-13 04:57 - 00009728 ____A C:\Users\pariss\Documents\liability release.wps
2012-06-13 04:28 - 2012-06-13 04:28 - 00000000 ____A C:\Users\pariss\My Documents\New Text Document (6).txt
2012-06-13 04:28 - 2012-06-13 04:28 - 00000000 ____A C:\Users\pariss\Documents\New Text Document (6).txt
2012-06-13 01:45 - 2012-06-13 01:45 - 00000117 ____A C:\Users\pariss\Desktop\Adventures of a Pro Se Litigant The ProSeAction.org Blog.url
2012-06-09 04:53 - 2012-06-13 06:10 - 00027792 ____A C:\Users\pariss\My Documents\Response to Motion to Dismiss.odt
2012-06-09 04:53 - 2012-06-13 06:10 - 00027792 ____A C:\Users\pariss\Documents\Response to Motion to Dismiss.odt
2012-06-07 04:25 - 2012-06-07 04:26 - 00013384 ____A C:\Users\pariss\My Documents\Direct TV Letter.odt
2012-06-07 04:25 - 2012-06-07 04:26 - 00013384 ____A C:\Users\pariss\Documents\Direct TV Letter.odt
2012-06-07 03:11 - 2012-06-07 03:11 - 00000131 ____A C:\Users\pariss\Desktop\Home - Caring With Coupons.url

============ 3 Months Modified Files ========================

2012-07-06 15:36 - 2006-11-02 05:01 - 00032572 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-06 15:36 - 2006-11-02 05:01 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-06 15:36 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-06 15:36 - 2006-11-02 04:47 - 00003568 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-06 15:35 - 2011-08-08 09:02 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-06 15:33 - 2006-11-02 04:52 - 00091774 ____A C:\Windows\setupact.log
2012-07-06 14:43 - 2012-05-13 15:34 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-06 11:24 - 2012-07-06 11:24 - 00103704 ____A C:\Users\pariss\Desktop\ark.txt
2012-07-06 10:37 - 2012-07-06 10:37 - 00294216 ____A C:\Users\pariss\Desktop\gmer.zip
2012-07-06 10:35 - 2012-07-06 10:35 - 00015459 ____A C:\Users\pariss\Desktop\Attach.txt
2012-07-06 10:35 - 2012-07-06 10:35 - 00011619 ____A C:\Users\pariss\Desktop\DDS.txt
2012-07-06 10:23 - 2012-07-06 10:23 - 00607260 ____R (Swearware) C:\Users\pariss\Desktop\dds.scr
2012-07-06 10:04 - 2012-06-04 12:05 - 00022250 ____A C:\Users\pariss\My Documents\Motion to show authority to represent.odt
2012-07-06 10:04 - 2012-06-04 12:05 - 00022250 ____A C:\Users\pariss\Documents\Motion to show authority to represent.odt
2012-07-06 10:02 - 2011-08-08 09:02 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-06 05:49 - 2012-07-06 04:28 - 00019392 ____A C:\Users\pariss\My Documents\plaintiffs response to defendents response motion authority to represent.odt
2012-07-06 05:49 - 2012-07-06 04:28 - 00019392 ____A C:\Users\pariss\Documents\plaintiffs response to defendents response motion authority to represent.odt
2012-07-06 05:37 - 2012-07-05 00:52 - 00025520 ____A C:\Users\pariss\My Documents\plaintiffs reply to defendants reply to plaintiffs response and opposition mot to dismiss.odt
2012-07-06 05:37 - 2012-07-05 00:52 - 00025520 ____A C:\Users\pariss\Documents\plaintiffs reply to defendants reply to plaintiffs response and opposition mot to dismiss.odt
2012-07-06 05:37 - 2011-05-22 02:50 - 00000424 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{8B24BF52-171F-477D-BC22-AEB221189C7D}.job
2012-07-06 04:17 - 2011-03-13 16:36 - 00000913 ____A C:\Users\Public\Desktop\World of Warcraft.lnk
2012-07-06 04:17 - 2011-03-13 16:36 - 00000913 ____A C:\Users\All Users\Desktop\World of Warcraft.lnk
2012-07-06 04:13 - 2006-12-06 03:18 - 00192664 ____A C:\Windows\PFRO.log
2012-07-06 03:11 - 2007-08-16 18:25 - 00019862 ____A C:\Users\pariss\Application Data\wklnhst.dat
2012-07-06 03:11 - 2007-08-16 18:25 - 00019862 ____A C:\Users\pariss\AppData\Roaming\wklnhst.dat
2012-07-06 03:08 - 2012-07-04 11:27 - 00156672 ____A C:\Users\pariss\My Documents\FLYER.wps
2012-07-06 03:08 - 2012-07-04 11:27 - 00156672 ____A C:\Users\pariss\Documents\FLYER.wps
2012-07-05 21:57 - 2007-03-19 07:39 - 01836693 ____A C:\Windows\WindowsUpdate.log
2012-07-05 07:42 - 2012-07-05 07:42 - 00000164 ____A C:\Users\pariss\Desktop\Download Windows Malicious Software Removal Tool - Microsoft Download Center - Download Details.url
2012-07-05 06:02 - 2012-07-05 05:41 - 00014664 ____A (McAfee, Inc.) C:\Windows\stinger.sys
2012-07-05 05:49 - 2012-07-05 05:49 - 00159608 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.fd99.deleteme
2012-07-05 05:40 - 2012-07-05 05:40 - 00159608 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.78f2.deleteme
2012-07-04 17:34 - 2006-11-02 02:23 - 00002577 ____A C:\Windows\System32\config.nt
2012-07-04 13:08 - 2012-07-04 13:08 - 00001831 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2012-07-04 13:08 - 2012-07-04 13:08 - 00001831 ____A C:\Users\All Users\Desktop\avast! Free Antivirus.lnk
2012-07-04 09:06 - 2012-07-04 09:06 - 00033758 ____A C:\Users\pariss\Local Settings\dt.dat
2012-07-04 09:06 - 2012-07-04 09:06 - 00033758 ____A C:\Users\pariss\Local Settings\Application Data\dt.dat
2012-07-04 09:06 - 2012-07-04 09:06 - 00033758 ____A C:\Users\pariss\AppData\Local\dt.dat
2012-07-04 09:00 - 2011-06-29 07:20 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-04 08:04 - 2006-11-02 02:22 - 36700160 ____A C:\Windows\System32\config\software_previous
2012-07-04 08:04 - 2006-11-02 02:22 - 30932992 ____A C:\Windows\System32\config\system_previous
2012-07-04 07:59 - 2006-11-02 02:22 - 37748736 ____A C:\Windows\System32\config\components_previous
2012-07-04 07:59 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\sam_previous
2012-07-04 02:52 - 2006-11-02 02:22 - 04980736 ____A C:\Windows\System32\config\default_previous
2012-07-04 02:52 - 2006-11-02 02:22 - 00262144 ____A C:\Windows\System32\config\security_previous
2012-07-03 08:21 - 2012-07-04 13:08 - 00721000 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2012-07-03 08:21 - 2012-07-04 13:08 - 00353688 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2012-07-03 08:21 - 2012-07-04 13:08 - 00227648 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe
2012-07-03 08:21 - 2012-07-04 13:08 - 00057656 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2012-07-03 08:21 - 2012-07-04 13:08 - 00054232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2012-07-03 08:21 - 2012-07-04 13:08 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr
2012-07-03 08:21 - 2012-07-04 13:08 - 00035928 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2012-07-03 08:21 - 2012-07-04 13:08 - 00021256 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2012-07-01 13:04 - 2012-07-01 09:48 - 00000115 ___AH C:\Users\pariss\My Documents\.~lock.Coupons.ods#
2012-07-01 13:04 - 2012-07-01 09:48 - 00000115 ___AH C:\Users\pariss\Documents\.~lock.Coupons.ods#
2012-07-01 13:04 - 2011-06-05 00:39 - 00024119 ____A C:\Users\pariss\My Documents\Coupons.ods
2012-07-01 13:04 - 2011-06-05 00:39 - 00024119 ____A C:\Users\pariss\Documents\Coupons.ods
2012-06-30 23:43 - 2012-06-30 23:43 - 00012843 ____A C:\Users\pariss\My Documents\response to response of opposition to dismiss.odt
2012-06-30 23:43 - 2012-06-30 23:43 - 00012843 ____A C:\Users\pariss\Documents\response to response of opposition to dismiss.odt
2012-06-26 05:06 - 2012-06-26 05:06 - 00000120 ____A C:\Users\pariss\Desktop\Mickey On Banking - The Personal Website of Mickey Paoletta - Founder of Citizen's Reform Center, Researcher on the Federal Reserve, Expert Witness on Banking Law, Author, Musician, and Former 19th Congressional District Candidate..url
2012-06-22 11:20 - 2007-10-09 06:15 - 00000326 ____A C:\Windows\Tasks\HPCeeScheduleForpariss.job
2012-06-22 08:41 - 2011-05-03 05:51 - 00006727 ____A C:\Windows\IE9_main.log
2012-06-22 07:52 - 2006-11-02 02:33 - 00725876 ____A C:\Windows\System32\PerfStringBackup.INI
2012-06-17 09:24 - 2011-06-27 07:28 - 00000377 ____A C:\Users\pariss\Desktop\Wilmington NC Real Estate TheWilmingtonMLS.org Homes For Sale in and around Wilmington NC.url
2012-06-17 08:27 - 2012-06-17 08:27 - 00009728 ____A C:\Users\pariss\My Documents\Discover Dispute Letter.wps
2012-06-17 08:27 - 2012-06-17 08:27 - 00009728 ____A C:\Users\pariss\Documents\Discover Dispute Letter.wps
2012-06-14 10:10 - 2012-06-14 10:10 - 00029466 ____A C:\Users\pariss\My Documents\Updated Coupons.ods
2012-06-14 10:10 - 2012-06-14 10:10 - 00029466 ____A C:\Users\pariss\Documents\Updated Coupons.ods
2012-06-13 06:10 - 2012-06-09 04:53 - 00027792 ____A C:\Users\pariss\My Documents\Response to Motion to Dismiss.odt
2012-06-13 06:10 - 2012-06-09 04:53 - 00027792 ____A C:\Users\pariss\Documents\Response to Motion to Dismiss.odt
2012-06-13 04:57 - 2012-06-13 04:34 - 00009728 ____A C:\Users\pariss\My Documents\liability release.wps
2012-06-13 04:57 - 2012-06-13 04:34 - 00009728 ____A C:\Users\pariss\Documents\liability release.wps
2012-06-13 04:28 - 2012-06-13 04:28 - 00000000 ____A C:\Users\pariss\My Documents\New Text Document (6).txt
2012-06-13 04:28 - 2012-06-13 04:28 - 00000000 ____A C:\Users\pariss\Documents\New Text Document (6).txt
2012-06-13 01:45 - 2012-06-13 01:45 - 00000117 ____A C:\Users\pariss\Desktop\Adventures of a Pro Se Litigant The ProSeAction.org Blog.url
2012-06-07 04:51 - 2011-06-27 08:54 - 00001337 ____A C:\Users\pariss\Desktop\Greater Charlotte Real Estate - Homes for Sale - Coldwell Banker United, REALTORS® -.url
2012-06-07 04:26 - 2012-06-07 04:25 - 00013384 ____A C:\Users\pariss\My Documents\Direct TV Letter.odt
2012-06-07 04:26 - 2012-06-07 04:25 - 00013384 ____A C:\Users\pariss\Documents\Direct TV Letter.odt
2012-06-07 03:11 - 2012-06-07 03:11 - 00000131 ____A C:\Users\pariss\Desktop\Home - Caring With Coupons.url
2012-06-04 07:57 - 2012-06-03 09:09 - 00019967 ____A C:\Users\pariss\My Documents\WITHDRAW MOTION FOR DEFAULT JUDGMENT.odt
2012-06-04 07:57 - 2012-06-03 09:09 - 00019967 ____A C:\Users\pariss\Documents\WITHDRAW MOTION FOR DEFAULT JUDGMENT.odt
2012-06-04 03:29 - 2012-03-05 10:04 - 00000242 ____A C:\Users\pariss\Desktop\EXCELLENT AMICI BRIEF ON UCC REQUIREMENTS « Livinglies's Weblog.url
2012-06-04 03:07 - 2011-05-17 05:17 - 00000230 ____A C:\Users\pariss\Desktop\tips_and_tricks Message NC Foreclosure Playbook.url
2012-06-04 03:03 - 2012-05-31 03:57 - 00000197 ____A C:\Users\pariss\Desktop\United States District Court, Eastern District of Tennessee.url
2012-06-04 03:02 - 2012-05-27 03:42 - 00000275 ____A C:\Users\pariss\Desktop\Complaints Filed With OCC and SEC Against Country Wide Bank of America and Brian Moynihan.url
2012-06-04 03:01 - 2012-03-15 06:56 - 00000207 ____A C:\Users\pariss\Desktop\Foreclosure Pro Se.com - How To Quiet Title.url
2012-06-03 19:35 - 2006-11-02 02:24 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-03 08:41 - 2012-06-03 04:05 - 00018861 ____A C:\Users\pariss\My Documents\Motion to dismiss motion of default judgment BAC.odt
2012-06-03 08:41 - 2012-06-03 04:05 - 00018861 ____A C:\Users\pariss\Documents\Motion to dismiss motion of default judgment BAC.odt
2012-06-03 08:23 - 2012-06-03 08:23 - 00000203 ____A C:\Users\pariss\Desktop\rod-traffic-case-4-1-11-objection-to-atty-pennie-thrower-etc.url
2012-05-31 08:13 - 2012-05-28 12:58 - 00019794 ____A C:\Users\pariss\My Documents\MOTION TO DISMISS FORECLOSURE HEARING - Bank of America.odt
2012-05-31 08:13 - 2012-05-28 12:58 - 00019794 ____A C:\Users\pariss\Documents\MOTION TO DISMISS FORECLOSURE HEARING - Bank of America.odt
2012-05-31 07:56 - 2011-06-20 00:14 - 00000202 ____A C:\Users\pariss\Desktop\NCWD Court Forms.url
2012-05-31 05:45 - 2012-05-28 09:53 - 00000206 ____A C:\Users\pariss\Desktop\0.url
2012-05-31 04:09 - 2012-05-31 04:09 - 00000121 ____A C:\Users\pariss\Desktop\The Mortgage Servicing Fraud Forum.url
2012-05-31 03:53 - 2012-05-31 03:53 - 00000141 ____A C:\Users\pariss\Desktop\IF You Lose Your Home - DO THIS - Mortgage Servicing Fraud Forum.url
2012-05-30 08:09 - 2012-03-24 06:50 - 00017544 ____A C:\Users\pariss\My Documents\bac quiet title.odt
2012-05-30 08:09 - 2012-03-24 06:50 - 00017544 ____A C:\Users\pariss\Documents\bac quiet title.odt
2012-05-30 03:02 - 2012-05-30 03:01 - 00015209 ____A C:\Users\pariss\My Documents\bill of sale - car.odt
2012-05-30 03:02 - 2012-05-30 03:01 - 00015209 ____A C:\Users\pariss\Documents\bill of sale - car.odt
2012-05-29 13:57 - 2012-05-29 13:57 - 00000153 ____A C:\Users\pariss\Desktop\09L09.wrongforeclose.url
2012-05-29 02:11 - 2012-05-29 02:11 - 00000175 ____A C:\Users\pariss\Desktop\US Bank is not the Note Holder – North Carolina Bass vs. US Bank DTC Systems.url
2012-05-28 12:57 - 2012-05-28 10:24 - 00019021 ____A C:\Users\pariss\My Documents\MOTION TO DISMISS FORECLOSURE HEARING.odt
2012-05-28 12:57 - 2012-05-28 10:24 - 00019021 ____A C:\Users\pariss\Documents\MOTION TO DISMISS FORECLOSURE HEARING.odt
2012-05-28 10:56 - 2012-05-28 10:56 - 00000143 ____A C:\Users\pariss\Desktop\11_NCBC_36.url
2012-05-28 07:42 - 2012-05-28 07:42 - 00000178 ____A C:\Users\pariss\Desktop\Significant Changes in North Carolina 2011 Real Property Law.url
2012-05-28 04:38 - 2012-05-28 04:38 - 00000161 ____A C:\Users\pariss\Desktop\672.url
2012-05-28 04:14 - 2012-05-28 01:44 - 00024067 ____A C:\Users\pariss\My Documents\INJUNCTION - BANK OF AMERICA.odt
2012-05-28 04:14 - 2012-05-28 01:44 - 00024067 ____A C:\Users\pariss\Documents\INJUNCTION - BANK OF AMERICA.odt
2012-05-28 02:00 - 2012-05-28 02:00 - 00000195 ____A C:\Users\pariss\Desktop\TemporaryRestrainingOrdersandPreliminaryInjunctions.url
2012-05-28 01:16 - 2012-05-28 01:16 - 00000200 ____A C:\Users\pariss\Desktop\preliminary_injunction_second_amended.url
2012-05-27 16:59 - 2012-05-27 16:59 - 00000184 ____A C:\Users\pariss\Desktop\Document 3 Sanderlin et al v. Hutchens, Senter, Britton, PA et al 32011cv00213 North Carolina Western District Court US Federal District Courts Cases Justia.url
2012-05-27 04:33 - 2012-05-27 04:33 - 00000147 ____A C:\Users\pariss\Desktop\Quiet Title Sample Case.url
2012-05-25 03:23 - 2012-05-25 03:23 - 00000131 ____A C:\Users\pariss\Desktop\Federal Government & Attorneys General reach landmark settlement with major banks NationalMortgageSettlement.url
2012-05-23 08:07 - 2012-05-21 05:42 - 00022016 ____A C:\Users\pariss\My Documents\Objection to Substitute Trustee Services.wps
2012-05-23 08:07 - 2012-05-21 05:42 - 00022016 ____A C:\Users\pariss\Documents\Objection to Substitute Trustee Services.wps
2012-05-13 15:34 - 2012-05-13 15:34 - 00419488 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2012-05-13 15:34 - 2011-07-18 04:08 - 00070304 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2012-05-13 05:35 - 2012-05-13 05:35 - 01269679 ____A C:\Users\pariss\Downloads\nc dianne.zip
2012-05-12 02:53 - 2012-05-12 02:53 - 00000119 ____A C:\Users\pariss\Desktop\53-2.url
2012-05-11 04:34 - 2012-05-11 04:11 - 00011776 ____A C:\Users\pariss\My Documents\certificate of mailing.wps
2012-05-11 04:34 - 2012-05-11 04:11 - 00011776 ____A C:\Users\pariss\Documents\certificate of mailing.wps
2012-05-10 06:39 - 2012-03-10 09:18 - 00043008 ____A C:\Users\pariss\My Documents\BOA Notice of Claim.wps
2012-05-10 06:39 - 2012-03-10 09:18 - 00043008 ____A C:\Users\pariss\Documents\BOA Notice of Claim.wps
2012-05-10 05:00 - 2012-05-10 05:00 - 00000148 ____A C:\Users\pariss\Desktop\United States Attorney's Office - Eastern District of Pennsylvania.url
2012-05-05 04:26 - 2012-04-08 04:01 - 00000202 ____A C:\Users\pariss\Desktop\Snoozester - Create a free Snoozester Account.url
2012-05-05 02:37 - 2012-05-05 02:37 - 00000146 ____A C:\Users\pariss\Desktop\NC Foreclosure Prevention Fund.url
2012-05-05 02:37 - 2012-05-05 02:37 - 00000144 ____A C:\Users\pariss\Desktop\What I Do - The Law Office of Benjamin D. Busch, PLLC.url
2012-05-05 00:28 - 2012-05-04 07:34 - 00000183 ____A C:\Users\pariss\Desktop\Weebly - Website Creation Made Easy.url
2012-05-02 19:39 - 2012-05-02 19:39 - 00000908 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-02 19:39 - 2012-05-02 19:39 - 00000908 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-05-02 03:58 - 2012-04-25 12:59 - 00020992 ____A C:\Users\pariss\My Documents\Objection Motion to Extend Time.wps
2012-05-02 03:58 - 2012-04-25 12:59 - 00020992 ____A C:\Users\pariss\Documents\Objection Motion to Extend Time.wps
2012-05-02 03:47 - 2012-05-02 03:43 - 00010240 ____A C:\Users\pariss\My Documents\Order denying Motion for Extension of Tiime.wps
2012-05-02 03:47 - 2012-05-02 03:43 - 00010240 ____A C:\Users\pariss\Documents\Order denying Motion for Extension of Tiime.wps
2012-05-01 02:46 - 2012-05-01 02:46 - 00000148 ____A C:\Users\pariss\Desktop\proseguide.url
2012-04-30 01:33 - 2012-04-30 01:33 - 00000191 ____A C:\Users\pariss\Desktop\Petition – Support Three-year Moratorium on Foreclosures Legislative Bill » Movement for a National Moratorium on Foreclosures & Evictions.url
2012-04-21 10:34 - 2012-04-21 10:34 - 00000140 ____A C:\Users\pariss\Desktop\Foreclosure Crisis - ProPublica.url
2012-04-17 07:11 - 2012-04-17 07:02 - 00010752 ____A C:\Users\pariss\My Documents\debt dispute CPI Security.wps
2012-04-17 07:11 - 2012-04-17 07:02 - 00010752 ____A C:\Users\pariss\Documents\debt dispute CPI Security.wps
2012-04-17 06:29 - 2012-04-17 06:29 - 00000000 ____A C:\Users\pariss\My Documents\New Text Document (5).txt
2012-04-17 06:29 - 2012-04-17 06:29 - 00000000 ____A C:\Users\pariss\Documents\New Text Document (5).txt
2012-04-11 05:31 - 2012-04-11 05:30 - 00001107 ____A C:\Users\Public\Desktop\World of Warcraft Beta.lnk
2012-04-11 05:31 - 2012-04-11 05:30 - 00001107 ____A C:\Users\All Users\Desktop\World of Warcraft Beta.lnk
2012-04-11 05:29 - 2012-04-11 05:29 - 31726720 ____A (Blizzard Entertainment) C:\Users\pariss\Downloads\World of Warcraft Beta Setup.exe
2012-04-10 04:20 - 2007-03-19 07:48 - 00000680 ____A C:\Users\pariss\Local Settings\d3d9caps.dat
2012-04-10 04:20 - 2007-03-19 07:48 - 00000680 ____A C:\Users\pariss\Local Settings\Application Data\d3d9caps.dat
2012-04-10 04:20 - 2007-03-19 07:48 - 00000680 ____A C:\Users\pariss\AppData\Local\d3d9caps.dat
2012-04-09 11:04 - 2012-04-09 11:04 - 00000139 ____A C:\Users\pariss\Desktop\untrasnferrednotes.url
2012-04-08 03:48 - 2012-04-08 03:14 - 00000267 ____A C:\Users\pariss\Desktop\Does Anybody Know of a VERY User-Friendly Way to Make Web Pages.url
2012-04-08 03:44 - 2012-04-08 03:03 - 00000246 ____A C:\Users\pariss\Desktop\What are good resources to learn webdesign.url

ZeroAccess:
C:\Windows\Installer
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\@
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\L
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\00000001.@
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trz1757.tmp
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trz940A.tmp
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trzDD7F.tmp

ZeroAccess:
C:\Users\pariss\AppData\Local
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233}\@
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233}\L
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U

ZeroAccess:
C:\Users\pariss\Local Settings\Application Data
C:\Users\pariss\Local Settings\Application Data\{0f0dffb4-b82f-4076-6561-76a259bfd233}\@
C:\Users\pariss\Local Settings\Application Data\{0f0dffb4-b82f-4076-6561-76a259bfd233}\L
C:\Users\pariss\Local Settings\Application Data\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-12-09 18:38] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2008-05-31 12:07] - [2008-01-18 23:33] - 0279040 ____A (Microsoft Corporation) 5DC3C54FC22BBB6F66C290C7C0384DF9

C:\Windows\System32\User32.dll
[2008-05-31 12:07] - [2008-01-18 23:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys
[2008-05-31 12:07] - [2008-01-18 23:42] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9


==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 23%
Total physical RAM: 2045.94 MB
Available physical RAM: 1570.77 MB
Total Pagefile: 1789.3 MB
Available Pagefile: 1634.53 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.51 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:226.63 GB) (Free:91.47 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Recovery) (Fixed) (Total:6.25 GB) (Free:0.87 GB) NTFS ==>[System with boot components (obtained from reading drive)]
8 Drive j: () (Removable) (Total:3.73 GB) (Free:3.67 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 2000 KB
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 Online 3819 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 227 GB 32 KB
Partition 2 Primary 6401 MB 227 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C HP NTFS Partition 227 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Recovery NTFS Partition 6401 MB Healthy

==================================================================================

Partitions of Disk 5:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3819 MB 16 KB

==================================================================================

Disk: 5
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 J FAT32 Removable 3819 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-06 10:08

======================= End Of Log ==========================

#4 CatByte

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 06 July 2012 - 07:10 PM

Is this a business machine belonging to a law firm or your private computer?

If it is a business machine, then I strongly suggest that you remove it from any company network, then reformat and reinstall the operating system. This type of infection is known as a "backdoor trojan" and it is possible that it could allow hackers access to your machine (and company network). If there are client files on the system, then you don't want to chance that their private information could be compromised.

As a precaution you should change all your online passwords from a machine that has never been infected and notify your financial institutions that your personal information may have been compromised. Keep a close watch on your accounts for the next little while.

If this is a personal machine and you wish to keep cleaning, then please do the following:



Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flash drive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
HKLM\...\Run: [] [x]
0 dlcm; C:\Windows\System32\drivers\hegaugh.sys [x]
0 scyjruff; C:\Windows\System32\drivers\mlbvgeym.sys [x]
2012-07-03 15:04 - 2012-07-03 15:04 - 00000000 ____D C:\Users\All Users\F4D5626800056EA40022869CEEC1FB6E
2012-07-03 15:04 - 2012-07-03 15:04 - 00000000 ____D C:\Users\All Users\Application Data\F4D5626800056EA40022869CEEC1FB6E
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233}
C:\Users\pariss\Local Settings\Application Data\{0f0dffb4-b82f-4076-6561-76a259bfd233}
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Edited by CatByte, 06 July 2012 - 10:24 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
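The fixlist above targets the two things FRST reported under "ZeroAccess:" in the log: a GUID-named directory (under Windows\Installer and under the user's AppData\Local) whose only children are entries named "@", "L" and "U". The following triage helper is an added example for this thread, not code from FRST, ComboFix or the helper's script; it reads log lines of the shape posted above and flags that directory pattern, together with any leftover ".deleteme" files, so the same indicators can be spotted in other FRST logs without reading every line. The sample log is constructed from the shape of the posted output, and the second GUID directory in it is a made-up benign entry.

```python
"""Flag ZeroAccess/Sirefef-style artifacts in FRST log text.

Added example for this thread; it is not part of FRST, ComboFix or the
helper's fixlist. It reports (1) GUID-named directories whose children are
the '@', 'L' and 'U' entries FRST listed under "ZeroAccess:", and
(2) files carrying a '.deleteme' suffix, which the log above also shows.
"""
import re

# Constructed sample modelled on the FRST output posted above. The
# {11111111-...} directory is a made-up benign Windows Installer folder,
# included to show that an ordinary GUID folder is not flagged.
SAMPLE_LOG = r"""
ZeroAccess:
C:\Windows\Installer
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\@
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\L
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\00000001.@
C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\placeholder.msi
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233}\@
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233}\L
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U
2012-07-05 05:49 - 2012-07-05 05:49 - 00159608 ____A (McAfee, Inc.) C:\Windows\System32\mfevtps.exe.fd99.deleteme
"""

# A path that ends in "\{GUID}\<child>[\...]": capture the GUID directory
# and the first path component below it.
GUID_DIR_RE = re.compile(
    r"^(?P<dir>.*?\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"\\(?P<child>[^\\]+)(?:\\.*)?$",
    re.IGNORECASE,
)

# The child names FRST listed inside the ZeroAccess directory above.
ZEROACCESS_MARKERS = {"@", "L", "U"}


def extract_path(line: str):
    """Return the Windows path on an FRST line (after any date/size prefix)."""
    m = re.search(r"[A-Za-z]:\\.*", line)
    return m.group(0).rstrip() if m else None


def guid_dir_children(lines):
    """Map each GUID-named directory to the set of its direct children seen."""
    children = {}
    for line in lines:
        path = extract_path(line)
        if not path:
            continue
        m = GUID_DIR_RE.match(path)
        if not m:
            continue
        children.setdefault(m.group("dir"), set()).add(m.group("child"))
    return children


def flag_zeroaccess_dirs(lines):
    """GUID directories whose children include all of '@', 'L' and 'U'."""
    return [d for d, kids in guid_dir_children(lines).items()
            if ZEROACCESS_MARKERS <= kids]


def find_deleteme(lines):
    """Paths left behind with a '.deleteme' suffix, as in the log above."""
    return [p for p in map(extract_path, lines)
            if p and p.lower().endswith(".deleteme")]


def triage(log_text: str) -> dict:
    """Run both checks over raw FRST log text."""
    lines = log_text.strip().splitlines()
    return {
        "zeroaccess_dirs": flag_zeroaccess_dirs(lines),
        "deleteme_files": find_deleteme(lines),
    }


if __name__ == "__main__":
    for kind, paths in triage(SAMPLE_LOG).items():
        print(kind)
        for p in paths:
            print("  ", p)
```

Point the script at a saved FRST.txt by reading the file into `triage()`; the GUID check deliberately requires all three marker names so that ordinary Windows Installer GUID folders, which hold .msi and .msp files, are not reported.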


#5 pariss3

  • Topic Starter
  • Members
  • 6 posts

Posted 06 July 2012 - 10:12 PM

Hi,

First of all, let me thank you for all the help you have provided so far; you cannot imagine how much I appreciate everything you are doing. The computer is my personal computer and the files you are referring to are my personal research and battles B)

I started off by saving the script on my flash drive, but I only have FRST.exe (not FRST64), so I ran that, and when the system rebooted everything worked just like it was supposed to (no more Avast warnings).

Here is the log file:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 07-07-2012
Ran by SYSTEM at 2012-07-06 22:10:50 Run:1
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored successfully .
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
dlcm service deleted successfully.
scyjruff service deleted successfully.
C:\Users\All Users\F4D5626800056EA40022869CEEC1FB6E moved successfully.
C:\Users\All Users\Application Data\F4D5626800056EA40022869CEEC1FB6E not found.
C:\Windows\Installer\{0f0dffb4-b82f-4076-6561-76a259bfd233} moved successfully.
C:\Users\pariss\AppData\Local\{0f0dffb4-b82f-4076-6561-76a259bfd233} moved successfully.
C:\Users\pariss\Local Settings\Application Data\{0f0dffb4-b82f-4076-6561-76a259bfd233} not found.

==== End of Fixlog ====

I then disabled my Avast 7 (it's a little different than what was described in the forum, but I figured it out). I then d/l'ed and ran ComboFix, but it gave me a warning that MS Security Essentials was still active. I had MSE before I installed Avast, but I have uninstalled it, so I don't know why it said it was still running. I took my chances and continued with ComboFix, and here is the log text.

ComboFix 12-07-06.02 - pariss 07/06/2012 22:34:14.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1259 [GMT -4:00]
Running from: c:\users\pariss\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\CouponAlert_2pEI
c:\programdata\660164307
c:\users\pariss\AppData\Local\._Revolution_
c:\users\pariss\AppData\Local\{70D29785-2FEA-4C7D-A89C-8265D144128D}
c:\users\pariss\AppData\Local\{70D29785-2FEA-4C7D-A89C-8265D144128D}\chrome\content\overlay.xul
c:\users\pariss\AppData\Local\{70D29785-2FEA-4C7D-A89C-8265D144128D}\install.rdf
c:\users\pariss\AppData\Local\{A1CA35FC-F9DB-4213-82B6-F1F0E81A1E24}
c:\users\pariss\AppData\Local\{A1CA35FC-F9DB-4213-82B6-F1F0E81A1E24}\chrome.manifest
c:\users\pariss\AppData\Local\{A1CA35FC-F9DB-4213-82B6-F1F0E81A1E24}\chrome\content\overlay.xul
c:\users\pariss\AppData\Local\{A1CA35FC-F9DB-4213-82B6-F1F0E81A1E24}\install.rdf
c:\users\pariss\AppData\Roaming\Adobe\plugs
c:\users\pariss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HDD Rescue
c:\users\pariss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\pariss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\users\pariss\AppData\Roaming\Mozilla\Firefox\Profiles\1jnpiff4.default\searchplugins\bing-zugo.xml
c:\users\pariss\AppData\Roaming\uid_pal
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 03:39 . 2012-07-07 03:39 -------- d-----w- C:\FRST
2012-07-07 02:44 . 2012-07-07 02:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-05 16:51 . 2012-07-05 16:51 -------- d-----w- c:\users\pariss\AppData\Local\Immunet
2012-07-05 16:50 . 2012-07-05 17:16 -------- dc----w- c:\windows\system32\DRVSTORE
2012-07-05 13:49 . 2012-07-05 13:49 159608 ----a-w- c:\windows\system32\mfevtps.exe.fd99.deleteme
2012-07-05 13:41 . 2012-07-05 14:02 14664 ----a-w- c:\windows\stinger.sys
2012-07-05 13:40 . 2012-07-05 13:40 159608 ----a-w- c:\windows\system32\mfevtps.exe.78f2.deleteme
2012-07-05 13:40 . 2012-07-05 14:09 -------- d-----w- c:\program files\stinger
2012-07-04 21:08 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-04 21:08 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-04 21:08 . 2012-07-03 16:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-04 21:08 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-04 21:08 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-04 21:08 . 2012-07-03 16:21 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-04 21:08 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-07-04 21:08 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-04 17:00 . 2012-07-04 17:00 -------- d-----w- c:\users\pariss\AppData\Roaming\AVG2012
2012-07-04 16:55 . 2012-07-04 20:55 -------- d-----w- c:\programdata\AVG2012
2012-07-04 16:55 . 2012-07-04 20:51 -------- d-----w- C:\$AVG
2012-07-04 09:57 . 2012-07-04 09:57 -------- d-----w- c:\programdata\WindowsSearch
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-13 23:34 . 2012-05-13 23:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-13 23:34 . 2011-07-18 12:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RunSpySweeperScheduleAtStartup"="c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe" [2006-10-24 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2009-06-04 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-21 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-21 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-21 81920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 98304]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-11-28 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
c:\users\pariss\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-1-23 81997]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2343442809-3086990745-794358254-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-13 23:34]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 17:01]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 17:01]
.
2012-06-22 c:\windows\Tasks\HPCeeScheduleForpariss.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2006-12-06 23:04]
.
2012-07-07 c:\windows\Tasks\User_Feed_Synchronization-{8B24BF52-171F-477D-BC22-AEB221189C7D}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.duckduckgo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:55899
Trusted Zone: igl.net\hoylegames
Trusted Zone: igl.net\www
Trusted Zone: igl.net\www3
Trusted Zone: myleague.com
TCP: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
DPF: {A3723780-9F57-484D-BD27-83FE274717F0} - hxxp://www.ibingo.com/bin/v6/setup.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
BHO-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - c:\users\pariss\AppData\LocalLow\CyberDefender\cdmyidd.dll
Toolbar-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - c:\users\pariss\AppData\LocalLow\CyberDefender\cdmyidd.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - c:\users\pariss\AppData\LocalLow\CyberDefender\cdmyidd.dll
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
HKLM-Run-LivingPlay - c:\program files\LivingPlay\livingplay32.exe
MSConfigStartUp-xvdndkxn - c:\users\pariss\AppData\Local\kkidqfpjr\vpskaiytssd.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\RtHDVCpl.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\System32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\windows\ehome\ehmsas.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-07-06 22:56:43 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 02:55
.
Pre-Run: 97,990,803,456 bytes free
Post-Run: 98,384,941,056 bytes free
.
- - End Of File - - C38D29916A784F44BEEE2D199E70AC13


So far the system seems to work as normal again; it has been running now for almost 30 minutes with no more warnings from my Avast (I turned it back on as soon as ComboFix told me it had finished).


Thanks again for all your help so far.

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:54 PM

Posted 06 July 2012 - 10:23 PM

Hi,

(apologies for the typo, I meant FRST.exe, thanks for figuring it out :))

I will also script out the leftovers of MSE

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

SecCenter::
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:55899

DOMAINS::

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

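As an added illustration of what the CFScript in the post above is undoing (this is an example written for this thread, not ComboFix's code or anything from the Malware Response Team), the script below parses the kinds of lines seen in the ComboFix log and flags the entries worth acting on: an Internet Explorer proxy pointing at the local machine, UAC switched off, Security Center notifications overridden, an AV record still marked Enabled for a product that was uninstalled (the reason ComboFix warned about MSE), and a disabled startup entry pointing into a randomly named AppData folder. It then drafts the SecCenter:: and DDS:: blocks in the same form used above. The sample log excerpt is constructed to mirror the posted log; the `installed_av` set, the finding codes and the orphan-folder heuristic are the example's own assumptions.

```python
"""Flag the tampering a Sirefef/ZeroAccess-class infection leaves in a ComboFix log and
draft the CFScript directives that undo it.  Added example for this thread; it is not
ComboFix's own code and the finding codes are this example's invention."""
import re

# Constructed excerpt mirroring the entries in the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
uInternet Settings,ProxyServer = http=127.0.0.1:55899
MSConfigStartUp-xvdndkxn - c:\users\pariss\AppData\Local\kkidqfpjr\vpskaiytssd.exe
"""

AV_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(Enabled|Disabled)/(\w+)\* (\{[0-9A-Fa-f-]+\})$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9A-Fa-f]+)|(\d+)\b)')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (\S+)$")
ORPHAN_RE = re.compile(r"^MSConfigStartUp-(\S+) - (.+)$")

SC_KEY = r"hkey_local_machine\software\microsoft\security center"
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
SC_SUPPRESSORS = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def parse_combofix(text):
    """Collect AV/SP records, registry values, the IE proxy and disabled-startup orphans."""
    parsed = {"av": [], "registry": {}, "proxy": None, "orphans": []}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := AV_RE.match(line):
            parsed["av"].append({"type": m[1], "name": m[2], "state": m[3], "line": line})
        elif m := KEY_RE.match(line):
            key = m[1].lower()  # the value lines that follow belong to this key
        elif key and (m := VAL_RE.match(line)):
            value = int(m[2], 16) if m[2] is not None else int(m[3])
            parsed["registry"][(key, m[1])] = value
        elif m := PROXY_RE.match(line):
            parsed["proxy"] = m[1]
        elif m := ORPHAN_RE.match(line):
            parsed["orphans"].append((m[1], m[2]))
    return parsed


def assess(parsed, installed_av=frozenset()):
    """Return (code, detail) findings; installed_av names the AV products really present."""
    reg = parsed["registry"]
    findings = []
    proxy = parsed["proxy"]
    if proxy and re.search(r"(127\.0\.0\.1|localhost):\d+", proxy):
        # Browser traffic routed through a listener on the box itself: a hijack, not a corporate proxy.
        findings.append(("LOCAL_PROXY", proxy))
    if reg.get((POLICY_KEY, "EnableLUA")) == 0:
        findings.append(("UAC_DISABLED", "EnableLUA=0"))
    for (key, name), value in reg.items():
        if key.startswith(SC_KEY) and name in SC_SUPPRESSORS and value == 1:
            findings.append(("SECURITY_CENTER_SUPPRESSED", f"{name}=1 under {key}"))
    for rec in parsed["av"]:
        if rec["state"] == "Enabled" and rec["name"] not in installed_av:
            # Security Center still advertises an uninstalled product (why ComboFix warned about MSE).
            findings.append(("STALE_AV_RECORD", rec["line"]))
    for name, path in parsed["orphans"]:
        # Heuristic (assumption): an .exe in a letters-only folder directly under AppData\Local.
        if re.search(r"\\appdata\\local\\[a-z]+\\[a-z]+\.exe$", path.lower()):
            findings.append(("DISABLED_STARTUP_ORPHAN", f"{name} -> {path}"))
    return findings


def build_cfscript(findings):
    """Draft the SecCenter:: and DDS:: blocks in the form used in this thread."""
    stale = [d for c, d in findings if c == "STALE_AV_RECORD"]
    proxies = [d for c, d in findings if c == "LOCAL_PROXY"]
    blocks = []
    if stale:
        blocks.append("SecCenter::\n" + "\n".join(stale))
    if proxies:
        blocks.append("DDS::\n" + "\n".join(f"uInternet Settings,ProxyServer = {p}" for p in proxies))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    findings = assess(parse_combofix(SAMPLE_LOG), installed_av={"avast! Antivirus"})
    for code, detail in findings:
        print(f"{code:27} {detail}")
    print()
    print(build_cfscript(findings))
```

The `installed_av` set is the piece a human still has to supply: the log alone cannot tell a stale Security Center record from a product that really is installed, which is exactly the judgement the helper made before writing the SecCenter:: line.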

#7 pariss3

pariss3
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:54 AM

Posted 07 July 2012 - 07:28 AM

Combofix log :

ComboFix 12-07-07.02 - pariss 07/07/2012 5:47.2.2 - x86
Running from: c:\users\pariss\Desktop\ComboFix.exe
Command switches used :: c:\users\pariss\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 09:56 . 2012-07-07 09:56 8782 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2012-07-07 09:56 . 2012-07-07 09:56 7271 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2012-07-07 09:56 . 2012-07-07 09:56 23327 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2012-07-07 09:56 . 2012-07-07 09:56 20719 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2012-07-07 09:55 . 2012-07-07 09:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-07 03:39 . 2012-07-07 03:39 -------- d-----w- C:\FRST
2012-07-05 16:51 . 2012-07-05 16:51 -------- d-----w- c:\users\pariss\AppData\Local\Immunet
2012-07-05 16:50 . 2012-07-05 17:16 -------- dc----w- c:\windows\system32\DRVSTORE
2012-07-05 13:49 . 2012-07-05 13:49 159608 ----a-w- c:\windows\system32\mfevtps.exe.fd99.deleteme
2012-07-05 13:41 . 2012-07-05 14:02 14664 ----a-w- c:\windows\stinger.sys
2012-07-05 13:40 . 2012-07-05 13:40 159608 ----a-w- c:\windows\system32\mfevtps.exe.78f2.deleteme
2012-07-05 13:40 . 2012-07-05 14:09 -------- d-----w- c:\program files\stinger
2012-07-04 21:08 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-04 21:08 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-04 21:08 . 2012-07-03 16:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-04 21:08 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-04 21:08 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-04 21:08 . 2012-07-03 16:21 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-04 21:08 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-07-04 21:08 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-04 17:00 . 2012-07-04 17:00 -------- d-----w- c:\users\pariss\AppData\Roaming\AVG2012
2012-07-04 16:55 . 2012-07-04 20:55 -------- d-----w- c:\programdata\AVG2012
2012-07-04 16:55 . 2012-07-04 20:51 -------- d-----w- C:\$AVG
2012-07-04 09:57 . 2012-07-04 09:57 -------- d-----w- c:\programdata\WindowsSearch
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-13 23:34 . 2012-05-13 23:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-13 23:34 . 2011-07-18 12:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RunSpySweeperScheduleAtStartup"="c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe" [2006-10-24 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2009-06-04 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-21 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-21 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-21 81920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 98304]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-11-28 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-1-23 81997]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2343442809-3086990745-794358254-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-13 23:34]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 17:01]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 17:01]
.
2012-06-22 c:\windows\Tasks\HPCeeScheduleForpariss.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2006-12-06 23:04]
.
2012-07-07 c:\windows\Tasks\User_Feed_Synchronization-{8B24BF52-171F-477D-BC22-AEB221189C7D}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.duckduckgo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
TCP: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
DPF: {A3723780-9F57-484D-BD27-83FE274717F0} - hxxp://www.ibingo.com/bin/v6/setup.cab
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\WUDFHost.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2012-07-07 06:05:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 10:04
ComboFix2.txt 2012-07-07 02:56
.
Pre-Run: 98,304,614,400 bytes free
Post-Run: 98,284,556,288 bytes free
.
- - End Of File - - 1E4DD1CB74FBAAB34C1B9445646B9265


Malwarebytes log :

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.07.04

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
pariss :: PARISS-PC [administrator]

7/7/2012 6:08:13 AM
mbam-log-2012-07-07 (06-08-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195949
Time elapsed: 6 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

ESET scan log :

C:\FRST\Quarantine\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trz1757.tmp a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trz940A.tmp a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trzDD7F.tmp a variant of Win32/Sirefef.FA trojan
C:\Users\pariss\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll a variant of Win32/Adware.Gamevance.BH application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUB3JJKG\cute-sleepy-kittens-meowing[1].txt HTML/ScrInject.B.Gen virus

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:54 PM

Posted 07 July 2012 - 09:04 AM

Hi,

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, then click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\pariss\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll 
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUB3JJKG\cute-sleepy-kittens-meowing[1].txt 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Your Java is out of date, so go to Start > Control Panel > Programs and Features, scroll down to the Java installation and remove it; then download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT


Please advise how the computer is running now and whether there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

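Added example (not ESET's or ComboFix's code, and not the helper's) showing the triage behind the File:: block above: it parses ESET export lines of the form seen in the scan log posted earlier, separates hits that are already sitting in a quarantine folder (the three Sirefef copies under C:\FRST\Quarantine need no further action) from live files and browser-cache artefacts, and drafts the File:: block for the remaining paths. The sample lines are constructed to mirror the thread's export; the folder markers and action labels are assumptions of the example.

```python
"""Triage an ESET Online Scanner text export and draft the ComboFix File:: block for the
hits that still need removing.  Added example for this thread; not ESET's or ComboFix's code."""
import re
from collections import Counter

# Constructed lines mirroring the export pasted in this thread (path, then detection name).
SAMPLE_ESET = r"""
C:\FRST\Quarantine\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trz1757.tmp a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trz940A.tmp a variant of Win32/Sirefef.FA trojan
C:\FRST\Quarantine\{0f0dffb4-b82f-4076-6561-76a259bfd233}\U\trzDD7F.tmp a variant of Win32/Sirefef.FA trojan
C:\Users\pariss\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll a variant of Win32/Adware.Gamevance.BH application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUB3JJKG\cute-sleepy-kittens-meowing[1].txt HTML/ScrInject.B.Gen virus
"""

# A real export puts a tab between path and detection; text pasted into a forum collapses
# it to a space, so fall back to "the detection starts at the first Family/Name token".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S.*)$"
)

# Folder markers (assumption of this example): FRST and ComboFix holding pens, browser caches.
QUARANTINE_MARKERS = ("\\quarantine\\", "\\qoobox\\")
CACHE_MARKERS = ("\\temporary internet files\\", "\\temp\\", "\\cache\\")


def parse_eset_export(text):
    """Return (path, detection) pairs; lines that fit neither layout are skipped."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "\t" in line:
            path, detection = line.split("\t", 1)
        elif m := LINE_RE.match(line):
            path, detection = m["path"], m["detection"]
        else:
            continue
        items.append((path.strip(), detection.strip()))
    return items


def triage(items):
    """Decide what each hit needs: nothing (already quarantined), or deletion of a cache
    artefact or a live file.  Returns dicts with path, detection, family and action."""
    plan = []
    for path, detection in items:
        low = path.lower()
        if any(mk in low for mk in QUARANTINE_MARKERS):
            action = "already-quarantined"
        elif any(mk in low for mk in CACHE_MARKERS):
            action = "delete-cache"
        else:
            action = "delete-live"
        fam = re.search(r"[A-Za-z0-9]+/(\S+)", detection)
        plan.append({"path": path, "detection": detection,
                     "family": fam[1] if fam else detection, "action": action})
    return plan


def family_counts(plan):
    """How many hits per detection family, e.g. to see that every Sirefef hit is contained."""
    return Counter(p["family"] for p in plan)


def build_file_directive(plan):
    """ComboFix File:: block listing only the paths that still need removing."""
    targets = [p["path"] for p in plan if p["action"] != "already-quarantined"]
    return ("File::\n" + "\n".join(targets) + "\n") if targets else ""


if __name__ == "__main__":
    plan = triage(parse_eset_export(SAMPLE_ESET))
    for p in plan:
        print(f"{p['action']:20} {p['family']:24} {p['path']}")
    print(dict(family_counts(plan)))
    print(build_file_directive(plan))
```

Paths inside a quarantine folder are evidence rather than an active threat, which is why only the two live hits were scripted for deletion; feeding quarantine paths to File:: would destroy the copies a responder might still want to examine.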

#9 pariss3

pariss3
  • Topic Starter

  • Members
  • 6 posts
  • Local time:11:54 AM

Posted 07 July 2012 - 10:04 AM

Hi,

The computer is running as normal again. You are a real lifesaver; thanks so much for all your professional help.

ComboFix log :

ComboFix 12-07-07.04 - pariss 07/07/2012 10:31:38.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1285 [GMT -4:00]
Running from: c:\users\pariss\Desktop\ComboFix.exe
Command switches used :: c:\users\pariss\Desktop\CFscript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\pariss\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll"
"c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUB3JJKG\cute-sleepy-kittens-meowing[1].txt"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\pariss\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@lplay.com\components\lptlf.dll
c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUB3JJKG\cute-sleepy-kittens-meowing[1].txt
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 14:41 . 2012-07-07 14:41 6429 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2012-07-07 14:41 . 2012-07-07 14:41 63115 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2012-07-07 14:41 . 2012-07-07 14:41 4599 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2012-07-07 14:39 . 2012-07-07 14:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-07 10:18 . 2012-07-07 10:18 -------- d-----w- c:\program files\ESET
2012-07-07 03:39 . 2012-07-07 03:39 -------- d-----w- C:\FRST
2012-07-05 16:51 . 2012-07-05 16:51 -------- d-----w- c:\users\pariss\AppData\Local\Immunet
2012-07-05 16:50 . 2012-07-05 17:16 -------- dc----w- c:\windows\system32\DRVSTORE
2012-07-05 13:49 . 2012-07-05 13:49 159608 ----a-w- c:\windows\system32\mfevtps.exe.fd99.deleteme
2012-07-05 13:41 . 2012-07-05 14:02 14664 ----a-w- c:\windows\stinger.sys
2012-07-05 13:40 . 2012-07-05 13:40 159608 ----a-w- c:\windows\system32\mfevtps.exe.78f2.deleteme
2012-07-05 13:40 . 2012-07-05 14:09 -------- d-----w- c:\program files\stinger
2012-07-04 21:08 . 2012-07-03 16:21 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-04 21:08 . 2012-07-03 16:21 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-04 21:08 . 2012-07-03 16:21 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-04 21:08 . 2012-07-03 16:21 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-04 21:08 . 2012-07-03 16:21 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-04 21:08 . 2012-07-03 16:21 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-04 21:08 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-07-04 21:08 . 2012-07-03 16:21 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-04 17:00 . 2012-07-04 17:00 -------- d-----w- c:\users\pariss\AppData\Roaming\AVG2012
2012-07-04 16:55 . 2012-07-04 20:55 -------- d-----w- c:\programdata\AVG2012
2012-07-04 16:55 . 2012-07-04 20:51 -------- d-----w- C:\$AVG
2012-07-04 09:57 . 2012-07-04 09:57 -------- d-----w- c:\programdata\WindowsSearch
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-13 23:34 . 2012-05-13 23:34 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-13 23:34 . 2011-07-18 12:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"RunSpySweeperScheduleAtStartup"="c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe" [2006-10-24 86016]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 4874240]
"Zboard"="c:\program files\Ideazon\ZEngine\Zboard.exe" [2009-06-04 57344]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-21 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-21 7753728]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-21 81920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 98304]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-11-28 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BDARemote.lnk - c:\program files\USB TV\EM28XX\BDARemote.exe [2010-1-23 81997]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2343442809-3086990745-794358254-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-13 23:34]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 17:01]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 17:01]
.
2012-06-22 c:\windows\Tasks\HPCeeScheduleForpariss.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2006-12-06 23:04]
.
2012-07-07 c:\windows\Tasks\User_Feed_Synchronization-{8B24BF52-171F-477D-BC22-AEB221189C7D}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.duckduckgo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
TCP: DhcpNameServer = 192.168.1.1 209.18.47.61 209.18.47.62
DPF: {A3723780-9F57-484D-BD27-83FE274717F0} - hxxp://www.ibingo.com/bin/v6/setup.cab
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\RtHDVCpl.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\ehome\ehmsas.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-07-07 10:49:21 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 14:49
ComboFix2.txt 2012-07-07 10:05
ComboFix3.txt 2012-07-07 02:56
.
Pre-Run: 97,864,216,576 bytes free
Post-Run: 97,852,284,928 bytes free
.
- - End Of File - - 30658EB6D0EF1445566A1B52D7292565
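The "Reg Loading Points" section of the ComboFix log above records several settings that weaken the machine's own defences: UAC is switched off ("EnableLUA"= 0), Security Center has been told to ignore antivirus and firewall state (AntiVirusOverride / FirewallOverride = 1), and Security Center monitoring is disabled (DisableMonitoring = 1). The following is an added example, not code from the thread, from ComboFix or from BleepingComputer: a small Python parser for that REGEDIT4-style section that flags any value differing from the secure default. The sample input is constructed from the log lines above; the rule table and its descriptions are my own assumptions about what a reviewer would want flagged.

```python
"""Flag security-weakening values in a ComboFix 'Reg Loading Points' section.

Added example (not part of the original thread). The rule table below is an
assumption of what a log reviewer wants highlighted; the sample log is
constructed from the lines shown in the post above.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[int, str]

# Constructed sample: copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2343442809-3086990745-794358254-1000]
"EnableNotificationsRef"=dword:00000001
"""

# (registry key, value name, secure value, also match subkeys?, why it matters)
# Keys and names are compared case-insensitively. This table is an assumption.
RULES: List[Tuple[str, str, int, bool, str]] = [
    (r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system",
     "enablelua", 1, False,
     "UAC disabled: processes of an administrator run fully elevated"),
    (r"hkey_local_machine\software\microsoft\security center",
     "antivirusoverride", 0, False,
     "Security Center told to ignore missing or outdated antivirus"),
    (r"hkey_local_machine\software\microsoft\security center",
     "firewalloverride", 0, False,
     "Security Center told to ignore firewall state"),
    (r"hkey_local_machine\software\microsoft\security center\monitoring",
     "disablemonitoring", 0, True,
     "Security Center monitoring and alerts disabled"),
]


def parse_value(raw: str) -> Value:
    """Turn the right-hand side of a ComboFix value line into an int or str.

    Handles both forms seen in the log: 'dword:00000001' and ' 0 (0x0)'.
    """
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_reg_section(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse '[key]' / '"name"=value' lines into {key: {name: value}}."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        val_match = re.match(r'^"([^"]+)"\s*=\s*(.*)$', line)
        if val_match and current is not None:
            keys[current][val_match.group(1).lower()] = parse_value(val_match.group(2))
    return keys


def audit(text: str) -> List[Tuple[str, str, Value, int, str]]:
    """Return (key, name, observed, secure, description) for each weakened setting."""
    findings = []
    for key, values in parse_reg_section(text).items():
        for rule_key, name, secure, subkeys, desc in RULES:
            applies = key == rule_key or (subkeys and key.startswith(rule_key + "\\"))
            if applies and name in values and values[name] != secure:
                findings.append((key, name, values[name], secure, desc))
    return findings


if __name__ == "__main__":
    for key, name, observed, secure, desc in audit(SAMPLE_LOG):
        print(f"{name} = {observed} (expected {secure}) under {key}\n    {desc}")
```

Run on the constructed sample it reports four findings: EnableLUA, AntiVirusOverride, FirewallOverride and DisableMonitoring; the per-user EnableNotificationsRef entry is left alone because no rule covers it. The subkey flag on the Monitoring rule is what also catches the SymantecAntiVirus and SymantecFirewall subkeys shown in the log.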

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:54 PM

Posted 07 July 2012 - 10:17 AM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the DDS, FRST and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program.
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 pariss3

pariss3
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:54 AM

Posted 07 July 2012 - 11:18 AM

Hi,

System still running as it should, thanks to your step by step solutions!!

We really appreciate all the help.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:54 PM

Posted 07 July 2012 - 11:47 AM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:12:54 PM

Posted 14 July 2012 - 07:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015