
Work PC for mOle


This topic is locked
26 replies to this topic

#1 bwrighttwo (Members, 717 posts)

Posted 13 August 2012 - 10:56 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.0
Run by melanie at 13:58:53 on 2012-08-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.1030 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Secunia\PSI\PSIA.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Lexmark Z2300 Series\lxdpmon.exe
C:\Program Files\Common Files\AOL\1332271039\ee\aolsoftware.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_270_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOL Toolbar Loader: {3ef64538-8b54-4573-b48f-4d34b0238ab2} - c:\program files\aol toolbar\aoltb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [lxdpmon.exe] "c:\program files\lexmark z2300 series\lxdpmon.exe"
mRun: [HostManager] c:\program files\common files\aol\1332271039\ee\AOLSoftware.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: live.com
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: tbibackgrounds.com\www
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: websamsung.net\f056074
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
DPF: {3A52566B-6018-485B-B713-8B9FF660D8E8} - hxxp://f056074.websamsung.net:6200/webdvr2.17.2.15_71.0.0.0.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9282A3AA-4954-46B4-B4AE-F086CE3F1110} - hxxp://f056074.websamsung.net:6200/regtrustsite.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.1.254
TCP: Interfaces\{B903302E-F2C3-4424-9F2F-818F9ECB2B46} : DhcpNameServer = 192.168.2.1 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2012-8-2 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2012-8-2 202928]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\melanie\desktop\emsisoftemergencykit\run\a2ddax86.sys [2012-7-7 17904]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [2012-8-2 113776]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2012-8-2 18544]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-5-22 721000]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-5-22 353688]
R1 MpKsl344467df;MpKsl344467df;c:\programdata\microsoft\microsoft antimalware\definition updates\{37997fbc-b1c7-4b56-9da8-c8b91d02faef}\MpKsl344467df.sys [2012-8-11 29904]
R1 MpKslaa334501;MpKslaa334501;c:\programdata\microsoft\microsoft antimalware\definition updates\{37997fbc-b1c7-4b56-9da8-c8b91d02faef}\MpKslaa334501.sys [2012-8-11 29904]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-5-22 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-5-22 57656]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-5-22 44808]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2012-8-2 133912]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-8-10 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-5 47640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-8-10 1153368]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2012-7-25 1326176]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2012-7-25 681056]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-12 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-8-2 27192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-11-2 374152]
S4 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
.
=============== Created Last 30 ================
.
2012-08-11 17:31:51 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{37997fbc-b1c7-4b56-9da8-c8b91d02faef}\MpKsl344467df.sys
2012-08-11 16:43:10 29904 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{37997fbc-b1c7-4b56-9da8-c8b91d02faef}\MpKslaa334501.sys
2012-08-11 16:20:00 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{37997fbc-b1c7-4b56-9da8-c8b91d02faef}\mpengine.dll
2012-08-10 16:00:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-10 16:00:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-10 15:17:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-08-10 15:17:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-08-10 13:41:24 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-08-09 13:41:53 -------- d-----w- c:\users\melanie\appdata\local\WindowsUpdate
2012-08-09 13:40:25 -------- d-----w- c:\users\melanie\appdata\local\Secunia PSI
2012-08-09 13:40:15 -------- d-----w- c:\program files\Secunia
2012-08-02 14:35:52 -------- d-----w- c:\users\melanie\appdata\local\VS Revo Group
2012-08-02 14:35:49 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-08-02 14:34:49 -------- d-----w- c:\program files\VS Revo Group
2012-08-02 14:03:09 113776 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-08-02 14:01:21 202928 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-08-02 14:01:20 18544 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2012-08-02 14:00:53 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-08-02 13:55:51 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-24 17:22:36 2136664 ----a-w- c:\users\melanie\TDSSKiller.exe
2012-07-12 23:04:18 -------- d-----w- C:\SaveFolder
2012-07-12 23:04:11 695578 ----a-w- c:\windows\unins000.exe
2012-07-12 23:04:11 1970176 ----a-w- c:\windows\system32\vcmimm4.dll
2012-07-12 23:04:02 -------- d-----w- c:\program files\RemoteAgent
.
==================== Find3M ====================
.
2012-08-03 15:27:28 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-03 15:27:28 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-06 02:06:30 772544 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-07-06 02:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-03 16:21:53 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-03 16:21:53 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-03 16:21:32 41224 ----a-w- c:\windows\avastSS.scr
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
2012-05-22 13:38:38 98816 ----a-w- c:\windows\system32\mfps.dll
2012-05-22 13:37:17 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2012-05-22 13:37:16 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2012-05-22 13:37:16 252928 ----a-w- c:\windows\system32\dxdiag.exe
2012-05-22 13:37:16 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2012-05-22 13:37:15 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2012-05-22 13:37:15 519680 ----a-w- c:\windows\system32\d3d11.dll
2012-05-22 13:37:15 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2012-05-22 13:37:15 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2012-05-16 14:25:15 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2012-05-16 14:25:11 82432 ----a-w- c:\windows\system32\axaltocm.dll
.
============= FINISH: 13:59:52.02 ===============




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-13 11:31:10
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005d ST336032 rev.3.CH
Running: gmer.exe; Driver: C:\Users\melanie\AppData\Local\Temp\afayypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8CE19536]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8D4187BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8CE19F52]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8CE24D7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8CE24DC6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8CE24F48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8CE24CE8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8D418BAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8CE24D30]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8CE1A146]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8CE24F02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8CE1A8CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8CE19584]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8D41889E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8CE191EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8CE195D2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8CE1E2A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8CE1B292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8CE24DA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8CE24DE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8CE24F6C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8CE24D0E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8CE24E8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8CE24D58]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8CE24F26]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8D418A1E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8CE1B15E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0x8CE1AD08]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8CE19620]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8CE1966E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8CE1A74A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8CE19276]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8CE19426]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8CE193CC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8CE1AA2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8CE1AB88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8CE19496]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8D418AE8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8CE1A5CA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8CE196BC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8D418954]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8CE1A2CE]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 10D 824E67D0 4 Bytes [36, 95, E1, 8C]
.text ntkrnlpa.exe!KeSetEvent + 131 824E67F4 4 Bytes [BA, 87, 41, 8D]
.text ntkrnlpa.exe!KeSetEvent + 191 824E6854 4 Bytes [52, 9F, E1, 8C] {PUSH EDX; LAHF ; LOOPZ 0xffffffffffffff90}
.text ntkrnlpa.exe!KeSetEvent + 1D1 824E6894 8 Bytes [7A, 4D, E2, 8C, C6, 4D, E2, ...]
.text ntkrnlpa.exe!KeSetEvent + 1DD 824E68A0 4 Bytes [48, 4F, E2, 8C] {DEC EAX; DEC EDI; LOOP 0xffffffffffffff90}
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8C20F340, 0x3500C7, 0xE8000020]
? c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{37997FBC-B1C7-4B56-9DA8-C8B91D02FAEF}\MpKslaa334501.sys The system cannot find the file specified. !
? c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{37997FBC-B1C7-4B56-9DA8-C8B91D02FAEF}\MpKsl344467df.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[356] ntdll.dll!LdrLoadDll 77CF9378 5 Bytes JMP 000401F8
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ntdll.dll!LdrUnloadDll 77D0B680 5 Bytes JMP 000403FC
.text C:\Program Files\Internet Explorer\iexplore.exe[356] kernel32.dll!CreateThread 77A1CB2E 5 Bytes JMP 6F5075CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!CreateServiceW 763D9EB4 5 Bytes JMP 002203FC
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!DeleteService 763DA07E 5 Bytes JMP 00220600
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!SetServiceObjectSecurity 76416CD9 5 Bytes JMP 00221014
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!ChangeServiceConfigA 76416DD9 5 Bytes JMP 00220804
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!ChangeServiceConfigW 76416F81 5 Bytes JMP 00220A08
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!ChangeServiceConfig2A 76417099 5 Bytes JMP 00220C0C
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!ChangeServiceConfig2W 764171E1 5 Bytes JMP 00220E10
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ADVAPI32.dll!CreateServiceA 764172A1 5 Bytes JMP 002201F8
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!SetWindowsHookExA 77916322 5 Bytes JMP 00230600
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!CreateDialogParamW 779172A2 5 Bytes JMP 6F6990F0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!GetAsyncKeyState 7791863C 5 Bytes JMP 6F4EDEAD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!SetWindowsHookExW 779187AD 5 Bytes JMP 6F5425AC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!CallNextHookEx 77918E3B 5 Bytes JMP 6F567FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!UnhookWindowsHookEx 779198DB 5 Bytes JMP 6F58ECE0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!SetWinEventHook 77919F3A 5 Bytes JMP 002301F8
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!UnhookWinEvent 7791C06F 5 Bytes JMP 002303FC
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!EnableWindow 7791CD8B 5 Bytes JMP 6F549EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!DefWindowProcA 7791DB88 7 Bytes JMP 6F5097F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!CreateWindowExA 7791DC2A 5 Bytes JMP 6F51362B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!CreateWindowExW 77921305 5 Bytes JMP 6F5703B7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!GetKeyState 77928CB1 5 Bytes JMP 6F4EDD87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!DefWindowProcW 779303B4 7 Bytes JMP 6F568042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!IsDialogMessageW 77930745 5 Bytes JMP 6F699855 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!CreateDialogParamA 779317AA 5 Bytes JMP 6F6990B8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!IsDialogMessage 77931847 5 Bytes JMP 6F69982D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!CreateDialogIndirectParamA 779326F1 5 Bytes JMP 6F699128 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!CreateDialogIndirectParamW 77939A62 5 Bytes JMP 6F699160 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!SetKeyboardState 77940987 5 Bytes JMP 6F69A11D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!DialogBoxParamW 779410B0 5 Bytes JMP 6F4A187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!DialogBoxIndirectParamW 77942EF5 5 Bytes JMP 6F698D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!SendInput 77942F75 5 Bytes JMP 6F69A0C5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!EndDialog 7794326E 5 Bytes JMP 6F699B01 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!SetCursorPos 77956FB2 5 Bytes JMP 6F69A19E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!DialogBoxParamA 77958152 5 Bytes JMP 6F698D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!DialogBoxIndirectParamA 7795847D 5 Bytes JMP 6F698DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!MessageBoxIndirectA 7796D4D9 5 Bytes JMP 6F698CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!MessageBoxIndirectW 7796D5D3 5 Bytes JMP 6F698C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!MessageBoxExA 7796D639 5 Bytes JMP 6F698BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!MessageBoxExW 7796D65D 5 Bytes JMP 6F698B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] USER32.dll!keybd_event 7796D972 5 Bytes JMP 6F69A082 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[356] SHELL32.dll!SHRestricted + D95 768089A8 4 Bytes [CF, 01, 88, 73]
.text C:\Program Files\Internet Explorer\iexplore.exe[356] SHELL32.dll!SHRestricted + D9D 768089B0 8 Bytes [E0, 61, 87, 73, 79, F7, 87, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[356] ole32.dll!OleLoadFromStream 764B1E80 5 Bytes JMP 6F69955F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\csrss.exe[648] KERNEL32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Windows\system32\wininit.exe[700] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Windows\system32\csrss.exe[708] KERNEL32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Windows\system32\services.exe[744] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Windows\system32\lsass.exe[756] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text ...
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1700] kernel32.dll!SetUnhandledExceptionFilter 779FA8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1700] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\afwServ.exe[1736] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[1888] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1896] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1920] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text ...
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ntdll.dll!LdrLoadDll 77CF9378 5 Bytes JMP 000401F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ntdll.dll!LdrUnloadDll 77D0B680 5 Bytes JMP 000403FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!CreateServiceW 763D9EB4 5 Bytes JMP 002203FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!DeleteService 763DA07E 5 Bytes JMP 00220600
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!SetServiceObjectSecurity 76416CD9 5 Bytes JMP 00221014
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!ChangeServiceConfigA 76416DD9 5 Bytes JMP 00220804
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!ChangeServiceConfigW 76416F81 5 Bytes JMP 00220A08
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!ChangeServiceConfig2A 76417099 5 Bytes JMP 00220C0C
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!ChangeServiceConfig2W 764171E1 5 Bytes JMP 00220E10
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!CreateServiceA 764172A1 5 Bytes JMP 002201F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!SetWindowsHookExA 77916322 5 Bytes JMP 00230600
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!SetWindowsHookExW 779187AD 5 Bytes JMP 00230804
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!UnhookWindowsHookEx 779198DB 5 Bytes JMP 00230A08
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!SetWinEventHook 77919F3A 5 Bytes JMP 002301F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!UnhookWinEvent 7791C06F 5 Bytes JMP 002303FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!EnableWindow 7791CD8B 5 Bytes JMP 6F549EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!DialogBoxParamW 779410B0 5 Bytes JMP 6F4A187B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!DialogBoxIndirectParamW 77942EF5 5 Bytes JMP 6F698D86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!DialogBoxParamA 77958152 5 Bytes JMP 6F698D21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!DialogBoxIndirectParamA 7795847D 5 Bytes JMP 6F698DEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!MessageBoxIndirectA 7796D4D9 5 Bytes JMP 6F698CA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!MessageBoxIndirectW 7796D5D3 5 Bytes JMP 6F698C2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!MessageBoxExA 7796D639 5 Bytes JMP 6F698BCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!MessageBoxExW 7796D65D 5 Bytes JMP 6F698B67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\vssvc.exe[5896] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
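The `.text` entries above are GMER's user-mode hook listing: each line names a process, the hooked export, the patch size, and either a JMP destination (plus the module GMER resolved it to, when it could) or the raw bytes written in place. The Python below is an added example, not part of this thread or of GMER; it parses that format and buckets the hooks the way a responder reads them: jumps GMER resolved to a loaded image such as IEFRAME.dll (expected inside Internet Explorer), in-place byte patches, and jumps to addresses with no owning module, which it then counts by API family (DLL loading, service control, window hooks). The sample lines are constructed from the log above; `SAMPLE_LOG`, `Hook`, `triage`, `api_family` and `family_counts` are names chosen for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in GMER's user-mode hook format. The layout and the
# addresses mirror the log posted in this thread, but the selection of lines
# is ours (hypothetical test data, not a fresh scan).
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ntdll.dll!LdrLoadDll 77CF9378 5 Bytes JMP 000401F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] ADVAPI32.dll!CreateServiceW 763D9EB4 5 Bytes JMP 002203FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5720] USER32.dll!EnableWindow 7791CD8B 5 Bytes JMP 6F549EAC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\vssvc.exe[5896] kernel32.dll!GetBinaryTypeW + 70 77A22467 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1700] kernel32.dll!SetUnhandledExceptionFilter 779FA8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
"""

# One '.text' line: process[pid] module!export[ + offset] addr N Byte(s) then
# either "JMP target [owner (description)]" or "[bytes] ...".
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>[A-Za-z]:\\.+?\.(?:dll|sys|exe))\s+\((?P<desc>[^)]*)\))?"
    r"|\[(?P<patch>[^\]]*)\].*)$",
    re.IGNORECASE,
)


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    export: str
    kind: str                      # "jmp-named" | "jmp-unbacked" | "patch"
    target: Optional[str] = None   # JMP destination, if any
    owner: Optional[str] = None    # module GMER resolved the destination to
    patch: Optional[str] = None    # raw bytes for an in-place patch


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one GMER '.text' line; return None for anything else."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    if m.group("patch") is not None:
        kind = "patch"             # bytes overwritten in place, no jump
    elif m.group("owner"):
        kind = "jmp-named"         # GMER resolved the jump to a loaded image
    else:
        kind = "jmp-unbacked"      # jump into memory GMER could not attribute
    return Hook(
        process=m.group("process"),
        pid=int(m.group("pid")),
        module=m.group("module"),
        export=m.group("export"),
        kind=kind,
        target=m.group("target"),
        owner=m.group("owner"),
        patch=m.group("patch"),
    )


def triage(log_text: str) -> Dict[str, List[Hook]]:
    """Bucket every parsable hook line by kind."""
    buckets: Dict[str, List[Hook]] = {"jmp-named": [], "jmp-unbacked": [], "patch": []}
    for line in log_text.splitlines():
        hook = parse_hook_line(line)
        if hook is not None:
            buckets[hook.kind].append(hook)
    return buckets


# API groups that appear in the thread's log and matter most when reading it.
API_FAMILIES = {
    "dll-loading": ("LdrLoadDll", "LdrUnloadDll"),
    "service-control": ("CreateService", "DeleteService", "ChangeServiceConfig", "SetServiceObjectSecurity"),
    "window-hooks": ("SetWindowsHookEx", "UnhookWindowsHookEx", "SetWinEventHook", "UnhookWinEvent"),
}


def api_family(export: str) -> str:
    name = export.split()[0]       # drop any "+ offset" suffix
    for family, prefixes in API_FAMILIES.items():
        if name.startswith(prefixes):
            return family
    return "other"


def family_counts(hooks: List[Hook]) -> Dict[str, int]:
    """Count hooks per API family; normally run on the 'jmp-unbacked' bucket."""
    return dict(Counter(api_family(h.export) for h in hooks))


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG)
    for kind, hooks in buckets.items():
        print(f"{kind}: {len(hooks)}")
    for h in buckets["jmp-unbacked"]:
        print(f"  {h.process}[{h.pid}] {h.module}!{h.export} -> {h.target} ({api_family(h.export)})")
```

The bucket a hook lands in is a reading aid, not a verdict: a browser or security product legitimately hooks plenty of APIs in its own image. What makes a log worth a second look is the `jmp-unbacked` bucket, where the destination could not be attributed to any module, which is why the next step in the thread is to corroborate with other scanners rather than act on the GMER output alone.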

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 13 August 2012 - 07:10 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

The Gmer log looks interesting. Please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#3 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 13 August 2012 - 07:17 PM

I will do these tomorrow when I get to work.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 13 August 2012 - 07:20 PM

:thumbup2:
m0le is a proud member of UNITE

#5 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 14 August 2012 - 11:10 AM

TDSSKiller did not find anything but I am unable to copy the log to show you.

aswMBR has been stuck on C:\windows\winsxs\backup\x86_Networking-mpssvc-svc_31bf3856ad364e35_6.0 (there may be more but I can't expand window) for 2 hours now.

It did start again but has not finished after 6 hours.

Edited by bwrighttwo, 14 August 2012 - 02:47 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 14 August 2012 - 03:16 PM

It might be something or nothing. Let's run FRST on the machine

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool (scan your computer's memory for errors)
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your next reply.
m0le is a proud member of UNITE

#7 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 14 August 2012 - 06:18 PM

The aswMBR had not finished when I left work. I will check on it tomorrow morning. As far as the FRST, I think I tried to use a USB a few weeks ago and it seems none of them worked or at least the ones not being used. I will try in the morning. I will unplug something if needed.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 14 August 2012 - 07:22 PM

There's no way that aswMBR should take that long.

If getting a USB is difficult we will try a different route which will help things along.
m0le is a proud member of UNITE

#9 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 14 August 2012 - 07:28 PM

To be clear, I meant the USB ports, not the flash drive itself.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 14 August 2012 - 07:30 PM

Oh right, the ports. :P

The same thing applies, if the ports aren't working we'll use a different tool.
m0le is a proud member of UNITE

#11 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 14 August 2012 - 07:38 PM

Talk to you tomorrow. Ck your pm's if you get a chance.

#12 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 15 August 2012 - 08:15 AM

I will attempt the FRST sometime today.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-14 09:24:34
-----------------------------
09:24:34.937 OS Version: Windows 6.0.6002 Service Pack 2
09:24:34.937 Number of processors: 2 586 0x6B01
09:24:34.937 ComputerName: SEVIERPAWNANDLO UserName: melanie
09:24:37.121 Initialize success
09:24:37.839 AVAST engine defs: 12081400
09:24:52.066 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005b
09:24:52.066 Disk 0 Vendor: ST336032 3.CH Size: 343399MB BusType: 6
09:24:52.097 Disk 0 MBR read successfully
09:24:52.097 Disk 0 MBR scan
09:24:52.097 Disk 0 Windows VISTA default MBR code
09:24:52.097 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 333693 MB offset 63
09:24:52.128 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 9703 MB offset 683405100
09:24:52.159 Disk 0 scanning sectors +703277505
09:24:52.253 Disk 0 scanning C:\Windows\system32\drivers
09:25:17.587 Service scanning
09:25:38.523 Modules scanning
09:25:50.394 Disk 0 trace - called modules:
09:25:50.410 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
09:25:50.925 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e92620]
09:25:50.925 3 CLASSPNP.SYS[87fa08b3] -> nt!IofCallDriver -> [0x85135f08]
09:25:50.940 5 acpi.sys[806166bc] -> nt!IofCallDriver -> \Device\0000005b[0x8513f548]
09:25:54.013 AVAST engine scan C:\
16:54:03.100 Scan finished successfully
09:08:09.664 Disk 0 MBR has been saved successfully to "C:\Users\melanie\Desktop\MBR.dat"
09:08:09.680 The log file has been saved successfully to "C:\Users\melanie\Desktop\aswMBR.txt"

#13 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 16 August 2012 - 05:15 PM

I am going to try to do a FRST on this machine tomorrow. I work 20 feet from it and heard it reboot at least 6 times today with no one using it. I guess it was bluescreening or something. I did not even get on it to see.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:03:53 PM

Posted 16 August 2012 - 07:09 PM

:thumbup2:
m0le is a proud member of UNITE

#15 bwrighttwo

bwrighttwo
  • Topic Starter

  • Members
  • 717 posts
  • Gender:Male
  • Local time:10:53 AM

Posted 17 August 2012 - 09:48 AM

I found a USB port that worked while in normal mode but when I used system repair/32 mode it would not recognize it. The dvd/cd drive does not work in any mode. During a windows update restart it bluescreened and I caught the reason this time. It was "bad_pool_header". When I was trying to do the FRST I also noticed that the administrator acct was disabled or something. If I get time and the machine will let me I am going to check the user accounts to see why.



