
Mouse jumpy, GMER "rootkit activity".


11 replies to this topic

#1 Todotho

Posted 25 March 2013 - 03:50 AM

Hi guys. Hopefully you can help me out. My mouse has recently started jumping across the screen. It's only happened maybe 10 times or so but it had me concerned so I ran GMER and it's telling me it detected system modification caused by rootkit activity. Can someone possibly take a look at the log? I know RK scans can have false positives...



#2 Broni

  • BC Advisor

Posted 25 March 2013 - 04:14 PM

Welcome aboard

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave reading the results to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


NOTE. Make sure all logs are pasted, not attached.



My help doesn't cost a penny, but if you'd like to consider a donation, click here.
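The logs the post above asks for are long, and nearly every line is routine. What a reviewer actually wants out of a Farbar Service Scanner log is the handful of exceptions: a system file whose hash FSS could not match ("MD5 is legit" is absent and the file details are printed instead), a service whose start type differs from the default, and any registry policy value that disables a security component. The Python helper below is an added example, not a tool from this thread or from Farbar; it pulls those lines out of an FSS log and attaches a triage severity. The sample log is constructed in the FSS output format with a placeholder hash, and the rule that treats a disabled Windows Defender as expected on a Windows 7 machine running Microsoft Security Essentials (which turns Defender off when installed) is an assumption the helper makes, fed from a list of installed programs such as the one MiniToolBox reports.

```python
"""Triage helper for Farbar Service Scanner (FSS) logs.

Added example, not FSS code: keeps only the lines of an FSS log a reviewer
needs to look at (unverified file hashes, non-default service start types,
disabling policy values) and drops the "MD5 is legit" noise.
"""
import re

# Constructed sample in the FSS output format (not a real log; hash is a placeholder).
SAMPLE_FSS_LOG = """\
Farbar Service Scanner Version: 03-03-2013
Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\\Windows\\system32\\nsisvc.dll => MD5 is legit
C:\\Windows\\system32\\Drivers\\tcpip.sys
[2013-02-12 22:43] - [2013-01-02 22:05] - 1293672 ____A (Microsoft Corporation) 0123456789ABCDEF0123456789ABCDEF

C:\\Windows\\system32\\svchost.exe => MD5 is legit

**** End of log ****
"""

NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running\b")
START_TYPE_RE = re.compile(
    r"The start type of (?P<svc>\S+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\.")
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=DWORD:(?P<value>\d+)$')
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)(?: => (?P<verdict>.*))?$")
DETAIL_RE = re.compile(
    r"^\[(?P<mtime>[^\]]+)\] - \[(?P<ctime>[^\]]+)\] - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")


def parse_fss(text):
    """Return findings as (kind, section, subject, detail) tuples, in log order."""
    lines = text.splitlines()
    findings = []
    section = None       # FSS section header we are currently inside
    pending_path = None  # file whose details FSS printed instead of "MD5 is legit"
    for i, line in enumerate(lines):
        line = line.rstrip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # A section header is "Name:" followed by a line made only of '='.
        if line.endswith(":") and nxt and set(nxt) == {"="}:
            section = line[:-1].strip()
            continue
        if not line or set(line) == {"="}:
            continue
        m = NOT_RUNNING_RE.match(line)
        if m:
            findings.append(("service_not_running", section, m["svc"], line))
            continue
        m = START_TYPE_RE.search(line)
        if m and m["actual"] != m["default"]:
            findings.append(("service_start_type", section, m["svc"],
                             f"{m['actual']} (default {m['default']})"))
            continue
        m = POLICY_RE.match(line)
        if m and section and section.endswith("Disabled Policy"):
            findings.append(("disable_policy", section, m["name"], m["value"]))
            continue
        if section == "File Check":
            if pending_path:  # this line carries the details of the unverified file
                d = DETAIL_RE.match(line)
                findings.append(("unverified_file", section, pending_path,
                                 d["md5"] if d else line))
                pending_path = None
                continue
            m = FILE_RE.match(line)
            if m and m["verdict"] == "MD5 is legit":
                continue  # the noise we want to drop
            if m and m["verdict"]:
                findings.append(("file_verdict", section, m["path"], m["verdict"]))
            elif m:
                pending_path = m["path"]  # details follow on the next line
    return findings


def triage(findings, installed_programs=()):
    """Attach a severity to each finding.

    Assumption made here: on Windows 7, installing Microsoft Security Essentials
    turns Windows Defender off, so Defender findings drop to 'info' when MSE is
    in installed_programs (e.g. the MiniToolBox 'Installed Programs' section).
    """
    mse_present = any("Microsoft Security Essentials" in p for p in installed_programs)
    result = []
    for kind, section, subject, detail in findings:
        if mse_present and section and section.startswith("Windows Defender"):
            severity = "info"
        elif kind == "unverified_file":
            # Hash not in the FSS database: check the file date against update
            # history or compare with a known-good copy before calling it tampered.
            severity = "review"
        else:
            severity = "warn"
        result.append((severity, kind, section, subject, detail))
    return result


if __name__ == "__main__":
    for row in triage(parse_fss(SAMPLE_FSS_LOG), ["Microsoft Security Essentials"]):
        print(*row, sep=" | ")
```

Run as-is, the sample reduces to four findings: three Defender-related lines marked "info" because MSE is listed, and the tcpip.sys entry marked "review", which is the one line worth a second look (an unmatched hash on a recently dated system file is usually a fresh update, but the helper deliberately does not decide that for you).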


 


#3 Todotho (Topic Starter)

Posted 25 March 2013 - 08:55 PM

Hey, thanks for the help. Here's the output -

---

SecurityCheck.exe (I don't use Thunderbird and Java is completely disabled in FF) -

Results of screen317's Security Check version 0.99.61
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.70.0.1100
CCleaner
Java™ 6 Update 29
Java version out of Date!
Adobe Flash Player 11.6.602.180
Mozilla Firefox (19.0.2)
Mozilla Thunderbird 13.0.1 Thunderbird out of Date!
Google Chrome 25.0.1364.152
Google Chrome 25.0.1364.172
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````

---
FSS -

Farbar Service Scanner Version: 03-03-2013
Ran by Damon (administrator) on 25-03-2013 at 18:09:03
Running from "C:\tools"
Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-02-12 22:43] - [2013-01-02 22:05] - 1293672 ____A (Microsoft Corporation) 7C0507D2391AF5933600CBCED799F277

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

---

MiniToolBox -

MiniToolBox by Farbar Version:05-03-2013
Ran by Damon (administrator) on 25-03-2013 at 18:14:31
Running from "C:\tools"
Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================



========================= IP Configuration: ================================

Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller = Local Area Connection (Connected)
Intel® WiFi Link 5100 AGN = Wireless Network Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : dbox
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-23-AE-1C-B8-41
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::916a:18e6:dfaa:23f7%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Friday, March 15, 2013 2:59:21 AM
Lease Expires . . . . . . . . . . : Tuesday, March 26, 2013 1:17:51 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 268444590
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-63-BF-C9-00-23-AE-1C-B8-41
DNS Servers . . . . . . . . . . . : 68.94.156.1
68.94.157.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
Physical Address. . . . . . . . . : 00-22-FB-10-1F-50
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{B995087B-990E-4430-BF66-F34F3BEE2A49}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{BE84448E-A8CD-4C94-ACFB-4840692F191A}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:34b1:3b2e:3f57:fe9a(Preferred)
Link-local IPv6 Address . . . . . : fe80::34b1:3b2e:3f57:fe9a%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: dnsr1.sbcglobal.net
Address: 68.94.156.1

Name: google.com
Addresses: 2001:4860:4001:800::100e
74.125.224.37
74.125.224.38
74.125.224.39
74.125.224.40
74.125.224.41
74.125.224.46
74.125.224.32
74.125.224.33
74.125.224.34
74.125.224.35
74.125.224.36


Pinging google.com [74.125.224.72] with 32 bytes of data:
Reply from 74.125.224.72: bytes=32 time=17ms TTL=54
Reply from 74.125.224.72: bytes=32 time=15ms TTL=54

Ping statistics for 74.125.224.72:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 17ms, Average = 16ms
Server: dnsr1.sbcglobal.net
Address: 68.94.156.1

Name: yahoo.com
Addresses: 206.190.36.45
98.138.253.109
98.139.183.24


Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=89ms TTL=50
Reply from 206.190.36.45: bytes=32 time=100ms TTL=50

Ping statistics for 206.190.36.45:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 89ms, Maximum = 100ms, Average = 94ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...00 23 ae 1c b8 41 ......Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
10...00 22 fb 10 1f 50 ......Intel® WiFi Link 5100 AGN
1...........................Software Loopback Interface 1
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.101 276
192.168.1.101 255.255.255.255 On-link 192.168.1.101 276
192.168.1.255 255.255.255.255 On-link 192.168.1.101 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.101 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.101 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:9d38:6ab8:34b1:3b2e:3f57:fe9a/128
On-link
11 276 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::34b1:3b2e:3f57:fe9a/128
On-link
11 276 fe80::916a:18e6:dfaa:23f7/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\System32\mswsock.dll [232448] (Microsoft Corporation)
Catalog5 06 C:\Windows\System32\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [232448] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (03/25/2013 05:17:52 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5117

Error: (03/25/2013 05:17:52 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5117

Error: (03/25/2013 05:17:52 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/24/2013 04:48:34 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 10343

Error: (03/24/2013 04:48:34 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 10343

Error: (03/24/2013 04:48:34 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/24/2013 04:48:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4977

Error: (03/24/2013 04:48:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4977

Error: (03/24/2013 04:48:29 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/22/2013 05:08:54 AM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4883


System errors:
=============
Error: (03/16/2013 00:10:30 AM) (Source: DCOM) (User: )
Description: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (03/13/2013 11:20:37 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.

Error: (03/12/2013 04:47:21 PM) (Source: Schannel) (User: dbox)
Description: The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is relay.l.google.com. The SSL connection request has failed. The attached data contains the server certificate.

Error: (03/12/2013 04:47:21 PM) (Source: Schannel) (User: dbox)
Description: The following fatal alert was generated: 43. The internal error state is 552.

Error: (03/12/2013 04:47:21 PM) (Source: Schannel) (User: dbox)
Description: The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is relay.l.google.com. The SSL connection request has failed. The attached data contains the server certificate.

Error: (03/12/2013 04:47:21 PM) (Source: Schannel) (User: dbox)
Description: The following fatal alert was generated: 43. The internal error state is 552.

Error: (03/05/2013 06:10:30 AM) (Source: DCOM) (User: )
Description: {4EB61BAC-A3B6-4760-9581-655041EF4D69}

Error: (02/16/2013 11:10:28 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR5.

Error: (02/16/2013 11:10:24 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR5.

Error: (02/16/2013 11:00:33 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR4.


Microsoft Office Sessions:
=========================
Error: (03/25/2013 05:17:52 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5117

Error: (03/25/2013 05:17:52 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5117

Error: (03/25/2013 05:17:52 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/24/2013 04:48:34 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 10343

Error: (03/24/2013 04:48:34 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 10343

Error: (03/24/2013 04:48:34 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/24/2013 04:48:29 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4977

Error: (03/24/2013 04:48:29 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4977

Error: (03/24/2013 04:48:29 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/22/2013 05:08:54 AM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4883


=========================== Installed Programs ============================

7-Zip 9.20
Adobe AIR (Version: 3.4.0.2710)
Adobe Flash Player 11 ActiveX (Version: 11.6.602.180)
Adobe Flash Player 11 Plugin (Version: 11.6.602.180)
Apple Application Support (Version: 2.1.5)
Apple Mobile Device Support (Version: 4.0.0.97)
Apple Software Update (Version: 2.1.3.127)
Audacity 1.3.14 (Unicode)
Audiosurf Demo
Bonjour (Version: 3.0.0.10)
CamStudio OSS Desktop Recorder (Version: 2.6 Beta r294)
Caustic for Windows
CCleaner (Version: 3.15)
FileZilla Client 3.5.3 (Version: 3.5.3)
Fraps
GIMP 2.6.11 (Version: 2.6.11)
GNU Privacy Guard (Version: 1.4.9)
Google App Engine (Version: 1.7.5.0)
Google Chrome (Version: 25.0.1364.172)
Google Drive (Version: 1.8.4357.4863)
Google Earth (Version: 7.0.3.8542)
Google Talk Plugin (Version: 3.16.0.12200)
Google Update Helper (Version: 1.3.21.135)
IDT Audio (Version: 1.0.6272.0)
Inkscape 0.48.2 (Version: 0.48.2)
inSSIDer (Version: 2.1.4)
iTunes (Version: 10.5.1.42)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
Magicka - Demo
Malwarebytes Anti-Malware version 1.70.0.1100 (Version: 1.70.0.1100)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Security Client (Version: 4.2.0223.1)
Microsoft Security Essentials (Version: 4.2.223.1)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft XNA Framework Redistributable 3.1 (Version: 3.1.10527.0)
Microsoft XNA Framework Redistributable 4.0 (Version: 4.0.20823.0)
Mozilla Firefox 19.0.2 (x86 en-US) (Version: 19.0.2)
Mozilla Maintenance Service (Version: 19.0.2)
Mozilla Thunderbird 13.0.1 (x86 en-US) (Version: 13.0.1)
Mumble 1.2.3 (Version: 1.2.3)
Node.js (Version: 0.8.11)
OnLive
Opera 11.64 (Version: 11.64.1403)
PhoenixRC (Version: 3.00.12)
Picasa 3 (Version: 3.9)
Picasa Uploader (Version: 0.5)
Python 2.7 comtypes-0.6.2
Python 2.7 PIL-1.1.7
Python 2.7 pyHook-1.5.1
Python 2.7 pywin32-216
Python 2.7 setuptools-0.6c11
Python 2.7.2 (Version: 2.7.2150)
Ragnarok Online (Version: 14.1.3)
SketchUp 8 (Version: 3.0.15158)
Skype 6.1 (Version: 6.1.129)
Snagit 11 (Version: 11.0.0)
Sothink SWF Decompiler (Version: 7.0)
Spybot - Search & Destroy (Version: 1.6.2)
Steam (Version: 1.0.0.0)
Sublime Text 2.0.1
synedra View Personal 3.2.0.0 (Version: 3.2.0.0)
Terraria
VLC media player 2.0.4 (Version: 2.0.4)
wxPython 2.8.12.1 (unicode) for Python 2.7 (Version: 2.8.12.1-unicode)
wxPython Docs and Demos 2.8.12.1 (Version: 2.8.12.1)

========================= Devices: ================================

Name: E:\
Description: Multi-Card
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Generic-
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.


========================= Memory info: ===================================

Percentage of memory in use: 52%
Total physical RAM: 3546.36 MB
Available physical RAM: 1676.96 MB
Total Pagefile: 7091.01 MB
Available Pagefile: 4880.05 MB
Total Virtual: 2047.88 MB
Available Virtual: 1941.46 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:195.21 GB) (Free:121.07 GB) NTFS

========================= Users: ========================================

User accounts for \\DBOX

Administrator Damon Guest


**** End of log ****

---

MBAM -

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.25.16

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Damon :: DBOX [administrator]

3/25/2013 6:19:57 PM
mbam-log-2013-03-25 (18-19-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 203102
Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---

MBAR (mbar-log) -

Malwarebytes Anti-Rootkit BETA 1.01.0.1021
www.malwarebytes.org

Database version: v2013.03.25.16

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Damon :: DBOX [administrator]

3/25/2013 6:47:39 PM
mbar-log-2013-03-25 (18-47-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 28361
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---

MBAR (system-log) -

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1021

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 8.0.7601.17514

Java version: 1.6.0_29

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 3718631424, free: 1712660480

------------ Kernel report ------------
03/25/2013 18:32:21
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\DRIVERS\compbatt.sys
\SystemRoot\system32\DRIVERS\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\msahci.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\system32\drivers\cdrom.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\usbuhci.sys
\SystemRoot\system32\drivers\USBPORT.SYS
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\netw5v32.sys
\SystemRoot\system32\DRIVERS\yk62x86.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\drivers\mouclass.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\DRIVERS\CmBatt.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\drivers\umbus.sys
\SystemRoot\system32\drivers\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\stwrt.sys
\SystemRoot\system32\DRIVERS\portcls.sys
\SystemRoot\system32\DRIVERS\drmk.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_msahci.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Users\Damon\AppData\Local\Temp\pxldapog.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\mbamswissarmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
----------- End -----------
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8637dac8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006e\
Lower Device Object: 0xffffffff87f1f420
Lower Device Driver Name: \Driver\USBSTOR\
Device already Exists: 0xffffffff857755d8
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff860ed030
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-0\
Lower Device Object: 0xffffffff85c08908
Lower Device Driver Name: \Driver\atapi\
Device already Exists: 0xffffffff8596f420
Downloaded database version: v2013.03.25.16
Initializing...
Done!
<<<2>>>
Device number: 0, partition: 2
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff860ed030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff860edd10, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff860ed030, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff85c08908, DeviceName: \Device\Ide\IdeDeviceP0T0L0-0\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0xffffffff8a12f550, 0xffffffff860ed030, 0xffffffff85a28ac8
Lower DeviceData: 0xffffffffb5f54080, 0xffffffff85c08908, 0xffffffff8596f420
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning directory: C:\Windows\system32\drivers...
<<<2>>>
Device number: 0, partition: 2
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 2F03C1E0

Partition information:

Partition 0 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 2048 Numsec = 204800
Partition file system is NTFS
Partition is bootable

Partition 1 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 206848 Numsec = 409395200

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 250059350016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-488377168-488397168)...
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8637dac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff87b8f310, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8637dac8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff87f1f420, DeviceName: \Device\0000006e\, DriverName: \Driver\USBSTOR\
------------ End ----------
Done!
Performing system, memory and registry scan...
Done!
Scan finished
=======================================

---

#4 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,698 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:22 PM

Posted 25 March 2013 - 08:59 PM

I don't see much there.

Can you post the GMER log?


My Website

p4433470.gif

My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif


 


#5 Todotho
  • Topic Starter
  • Members
  • 6 posts
  • Local time:06:22 AM

Posted 25 March 2013 - 10:00 PM

Here's the GMER log that detected "rootkit activity". The last 3 noname/hidden files were marked in red. -

---

GMER 2.1.19155 - http://www.gmer.net
Rootkit scan 2013-03-25 01:52:07
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250320AS rev.DE06 232.89GB
Running: nbcsl8dh.exe; Driver: C:\Users\Damon\AppData\Local\Temp\pxldapog.sys


---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A799E9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB31C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[824] USER32.dll!RegisterMessagePumpHook + 2F1 77668B9E 7 Bytes JMP 6607FE5B C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[824] USER32.dll!IsDialogMessageW + 340 77674444 7 Bytes JMP 6607FDEA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[824] USER32.dll!GetWindowInfo 77674B5E 5 Bytes JMP 65CAE982 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[824] USER32.dll!ToUnicodeEx + 71 77682223 7 Bytes JMP 65CAEE7F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateFile + 6 77A155CE 4 Bytes [28, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateFile + B 77A155D3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateKey + 6 77A1560E 4 Bytes [68, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateKey + B 77A15613 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateMutant + 6 77A1564E 4 Bytes [68, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateMutant + B 77A15653 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateSection + 6 77A156EE 4 Bytes [A8, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtCreateSection + B 77A156F3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtMapViewOfSection + 6 77A15C2E 4 Bytes CALL 76A16337 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtMapViewOfSection + B 77A15C33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenFile + 6 77A15CDE 4 Bytes [68, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenFile + B 77A15CE3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenKey + 6 77A15D0E 4 Bytes [A8, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenKey + B 77A15D13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenKeyEx + 6 77A15D1E 4 Bytes CALL 76A16424 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenKeyEx + B 77A15D23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenMutant + 6 77A15D5E 4 Bytes [28, 02, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenMutant + B 77A15D63 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcess + 6 77A15D8E 1 Byte [68]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcess + 6 77A15D8E 4 Bytes [68, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcess + B 77A15D93 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcessToken + 6 77A15D9E 1 Byte [A8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcessToken + 6 77A15D9E 4 Bytes [A8, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcessToken + B 77A15DA3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcessTokenEx + 6 77A15DAE 4 Bytes [68, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenProcessTokenEx + B 77A15DB3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenSection + 6 77A15DCE 4 Bytes CALL 76A164D5 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenSection + B 77A15DD3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenThread + 6 77A15E0E 1 Byte [28]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenThread + 6 77A15E0E 4 Bytes [28, 03, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenThread + B 77A15E13 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenThreadToken + 6 77A15E1E 4 Bytes [28, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenThreadToken + B 77A15E23 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenThreadTokenEx + 6 77A15E2E 4 Bytes [A8, 04, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtOpenThreadTokenEx + B 77A15E33 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtQueryAttributesFile + 6 77A15F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtQueryAttributesFile + B 77A15F43 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtQueryFullAttributesFile + 6 77A15FEE 4 Bytes CALL 76A166F3 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtQueryFullAttributesFile + B 77A15FF3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtSetInformationFile + 6 77A1663E 4 Bytes [28, 01, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtSetInformationFile + B 77A16643 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtSetInformationThread + 6 77A1669E 1 Byte [E8]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtSetInformationThread + 6 77A1669E 4 Bytes CALL 76A16DA6 C:\Windows\system32\SHELL32.dll
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtSetInformationThread + B 77A166A3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtUnmapViewOfSection + 6 77A169BE 4 Bytes [28, 05, 07, 00]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ntdll.dll!NtUnmapViewOfSection + B 77A169C3 1 Byte [E2]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] kernel32.dll!CreateProcessW 77B1204D 5 Bytes JMP 00010030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] kernel32.dll!CreateProcessA 77B12082 5 Bytes JMP 00010070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!DeleteObject 77615F14 5 Bytes JMP 001101B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SelectObject 77616640 5 Bytes JMP 001105F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetTextColor 77616906 5 Bytes JMP 00110A30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetBkMode 776169B1 5 Bytes JMP 001108F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!DeleteDC 77616EAA 5 Bytes JMP 00110170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetDeviceCaps 77616F7F 5 Bytes JMP 001103B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!ExtSelectClipRgn 77617114 5 Bytes JMP 001102F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SelectClipRgn 77617242 5 Bytes JMP 001105B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetStretchBltMode 77617705 5 Bytes JMP 001106B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetCurrentObject 77617917 5 Bytes JMP 00110370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextMetricsW 77617B8F 5 Bytes JMP 00110E30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextAlign 77617DAF 5 Bytes JMP 00110D70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!IntersectClipRect 77617DFE 5 Bytes JMP 001103F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!ExtTextOutW 77618192 5 Bytes JMP 00110970
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetTextAlign 7761828E 5 Bytes JMP 001109F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetClipBox 77618525 5 Bytes JMP 00110330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!MoveToEx 77618C21 5 Bytes JMP 00110470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!StretchDIBits 7761A53E 5 Bytes JMP 00110770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!RestoreDC 7761A67B 5 Bytes JMP 00110530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SaveDC 7761A74B 5 Bytes JMP 00110570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextExtentPoint32W 7761B4B5 5 Bytes JMP 00110670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextFaceW 7761B73A 2 Bytes JMP 00110D30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextFaceW + 3 7761B73D 2 Bytes [AF, 88]
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetFontData 7761BCC4 5 Bytes JMP 00110C70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetWorldTransform 7761C90A 5 Bytes JMP 001106F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!CreateDCA 7761CCA9 5 Bytes JMP 001100B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!CreateDCW 7761CF79 5 Bytes JMP 001100F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!CreateICW 7761CFD0 5 Bytes JMP 00110130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextMetricsA 7761D0F2 5 Bytes JMP 00110DF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!Rectangle 7761F1FF 5 Bytes JMP 001109B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!LineTo 7761F59B 5 Bytes JMP 00110430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetICMMode 7761FAA4 5 Bytes JMP 00110DB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!ExtTextOutA 776203F9 5 Bytes JMP 00110930
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextExtentPoint32A 776207B0 5 Bytes JMP 00110630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!ExtEscape 77622949 5 Bytes JMP 001102B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!Escape 77623939 5 Bytes JMP 00110270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetTextFaceA 77623E6A 5 Bytes JMP 00110CF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetPolyFillMode 7762D851 5 Bytes JMP 00110B30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SetMiterLimit 7762DA0D 5 Bytes JMP 00110B70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!EndPage 776300D7 5 Bytes JMP 00110230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!ResetDCW 7763050D 5 Bytes JMP 00110AB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!GetGlyphOutlineW 7763C1BA 5 Bytes JMP 00110CB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!CreateScalableFontResourceW 7763E817 5 Bytes JMP 00110BB0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!AddFontResourceW 7763EC13 5 Bytes JMP 00110BF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!RemoveFontResourceW 7763F109 5 Bytes JMP 00110C30
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!AbortDoc 77644C63 5 Bytes JMP 00110030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!EndDoc 776450AA 5 Bytes JMP 001101F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!StartPage 77645195 5 Bytes JMP 00110730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!StartDocW 77645BB0 5 Bytes JMP 001107F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!BeginPath 7764635D 5 Bytes JMP 00110830
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!SelectClipPath 776463B4 5 Bytes JMP 00110AF0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!CloseFigure 7764640F 5 Bytes JMP 00110070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!EndPath 77646466 5 Bytes JMP 00110A70
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!StrokePath 77646699 5 Bytes JMP 001107B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!FillPath 77646726 5 Bytes JMP 00110870
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!PolylineTo 77646B94 5 Bytes JMP 001104F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!PolyBezierTo 77646C25 5 Bytes JMP 001104B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] GDI32.dll!PolyDraw 77646CD7 5 Bytes JMP 001108B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!ActivateKeyboardLayout 77668203 5 Bytes JMP 001204F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!ScreenToClient 7766A506 7 Bytes JMP 00120670
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!RegisterClipboardFormatA 7766C091 5 Bytes JMP 001202F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!RegisterClipboardFormatW 7766DF8D 5 Bytes JMP 001202B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!SetCursor 77673075 5 Bytes JMP 00120530
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!MonitorFromWindow 77673622 7 Bytes JMP 00120630
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!PostMessageW 7767447B 5 Bytes JMP 001205F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!IsWindowVisible 77674D69 7 Bytes JMP 001206B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetClientRect 776754DD 7 Bytes JMP 001205B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!MapWindowPoints 77675CAA 5 Bytes JMP 00120570
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetParent 77676029 7 Bytes JMP 001206F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!EmptyClipboard 7768290C 5 Bytes JMP 00120130
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!SetClipboardData 77682962 5 Bytes JMP 00120170
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetClipboardData 77682BA7 5 Bytes JMP 00120030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetClipboardFormatNameW 77685FD2 5 Bytes JMP 00120230
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!SetClipboardViewer 77686FF6 5 Bytes JMP 001204B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetClipboardFormatNameA 7768700A 5 Bytes JMP 00120270
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!ChangeClipboardChain 7769147C 5 Bytes JMP 00120430
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetTopWindow 776924D9 7 Bytes JMP 00120730
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!CloseClipboard 7769446C 5 Bytes JMP 001200B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!OpenClipboard 7769447E 5 Bytes JMP 00120070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!IsClipboardFormatAvailable 776944FF 5 Bytes JMP 001200F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetClipboardSequenceNumber 77694513 5 Bytes JMP 00120330
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetClipboardOwner 77694525 5 Bytes JMP 00120370
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!CountClipboardFormats 7769470A 5 Bytes JMP 001201F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!EnumClipboardFormats 776947EC 5 Bytes JMP 001201B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetOpenClipboardWindow 7769480B 5 Bytes JMP 001203F0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!SetCursorPos 776AC1B0 5 Bytes JMP 00120770
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetClipboardViewer 776C4AF7 5 Bytes JMP 00120470
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] USER32.dll!GetPriorityClipboardFormat 776C4BF9 5 Bytes JMP 001203B0
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ole32.dll!OleSetClipboard 76520045 5 Bytes JMP 00230030
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ole32.dll!OleIsCurrentClipboard 765236B2 5 Bytes JMP 00230070
.text C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_180.exe[1320] ole32.dll!OleGetClipboard 7654FDCD 5 Bytes JMP 002300B0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2844] ntdll.dll!LdrGetProcedureAddress + 26 77A32239 7 Bytes JMP 65AED180 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2844] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 77B5941E 7 Bytes JMP 65E36B79 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2844] kernel32.dll!QueryPerformanceCounter + 13 77B5C435 7 Bytes JMP 65E36B9C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2844] kernel32.dll!LoadAppInitDlls + 355 77B5F4F6 7 Bytes JMP 65AFF84B C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2844] GDI32.dll!GetViewportOrgEx + 26C 7761884B 7 Bytes JMP 65E36AFA C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

Device \Driver\atapi \Device\Dev_ffffffff85c08908 85AA58CC
Device \Driver\USBSTOR -> DriverStartIo \Device\Dev_ffffffff87f1f420 85A6FDEE
Device \Driver\USBSTOR \Device\Dev_ffffffff87f1f420 85A7ADF6

---- Modules - GMER 2.1 ----

Module (noname) (*** hidden *** ) 85A6B000-85A82000 (94208 bytes)
Module (noname) (*** hidden *** ) 85A8B000-85AAE000 (143360 bytes)
Module (noname) (*** hidden *** ) 85A82000-85A8B000 (36864 bytes)

---- EOF - GMER 2.1 ----


Edited by Todotho, 25 March 2013 - 10:02 PM.


#6 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,698 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:22 PM

Posted 25 March 2013 - 10:06 PM

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start the scan.
On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.



#7 Todotho
  • Topic Starter
  • Members
  • 6 posts
  • Local time:06:22 AM

Posted 25 March 2013 - 10:58 PM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-03-25 20:50:06
-----------------------------
20:50:06.851    OS Version: Windows 6.1.7601 Service Pack 1
20:50:06.851    Number of processors: 2 586 0x170A
20:50:06.851    ComputerName: DBOX  UserName:
20:50:08.207    Initialize success
20:54:11.457    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:54:11.462    Disk 0 Vendor: ST9250320AS DE06 Size: 238475MB BusType: 11
20:54:11.657    Disk 0 MBR read successfully
20:54:11.657    Disk 0 MBR scan
20:54:11.662    Disk 0 Windows 7 default MBR code
20:54:11.677    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
20:54:11.702    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       199900 MB offset 206848
20:54:11.722    Disk 0 scanning sectors +409602048
20:54:12.002    Disk 0 scanning C:\Windows\system32\drivers
20:54:24.594    Service scanning
20:54:33.345    Service MpKsl0b59d89f c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{460A31FA-8555-4A71-8770-8770ECEA139F}\MpKsl0b59d89f.sys **LOCKED** 32
20:54:44.866    Modules scanning
20:54:55.953    Disk 0 trace - called modules:
20:54:55.973    
20:54:56.313    Scan finished successfully
20:55:03.360    Disk 0 MBR has been saved successfully to "C:\Users\Damon\Desktop\MBR.dat"
20:55:03.452    The log file has been saved successfully to "C:\Users\Damon\Desktop\aswMBR.txt"



#8 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,698 posts
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:22 PM

Posted 25 March 2013 - 11:08 PM

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
Double click on TFC.exe to run the program.
Click on the Start button to begin the cleaning process.
TFC will close all running programs, and it may ask you to restart the computer.

=============================================================================

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


=============================================================================

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


=======================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If ESET doesn't find any threats, it will NOT produce any log.


My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click [donation button]




#9 Todotho


Posted 26 March 2013 - 03:17 AM

Despite the crystal clear instructions I managed to mess up the order. I ran TFC, AdwCleaner, then did the ESET scan before running JRT. Should I redo it? Here are the logs (ESET was clean) -

# AdwCleaner v2.115 - Logfile created 03/25/2013 at 23:42:35
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Damon - DBOX
# Boot Mode : Normal
# Running from : C:\Users\Damon\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Damon\AppData\Roaming\Mozilla\Firefox\Profiles\tr3tny0p.default\jetpack

***** [Registry] *****

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7601.17514

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\Damon\AppData\Roaming\Mozilla\Firefox\Profiles\4xein8gk.Blank\prefs.js

[OK] File is clean.

File : C:\Users\Damon\AppData\Roaming\Mozilla\Firefox\Profiles\tr3tny0p.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.172

File : C:\Users\Damon\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v11.64.1403.0

File : C:\Users\Damon\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1271 octets] - [25/03/2013 23:42:35]

########## EOF - C:\AdwCleaner[S1].txt - [1331 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Windows 7 Home Premium x86
Ran by Damon on Tue 03/26/2013 at 1:09:57.51
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ FireFox

Successfully deleted: [File] "C:\Users\Damon\AppData\Roaming\mozilla\firefox\profiles\tr3tny0p.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi"
Emptied folder: C:\Users\Damon\AppData\Roaming\mozilla\firefox\profiles\tr3tny0p.default\minidumps [28 files]
Emptied folder: C:\Users\Damon\AppData\Roaming\mozilla\firefox\profiles\4xein8gk.Blank\minidumps [1 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 03/26/2013 at 1:12:39.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

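Added example, not part of the thread or of AdwCleaner itself: a small Python parser for the AdwCleaner v2 log format posted above. It pulls out the run metadata and only the entries the tool actually removed (ignoring the "[OK] ... is clean" lines), which is what you want when triaging such logs from many machines instead of reading each one. The regexes are written against the log as posted here; other AdwCleaner versions may format lines differently.

```python
import re
from collections import defaultdict

# Constructed sample: the AdwCleaner v2 log posted above, trimmed, with the
# line breaks the forum flattened away restored.
SAMPLE_LOG = r"""
# AdwCleaner v2.115 - Logfile created 03/25/2013 at 23:42:35
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : Damon - DBOX
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****
Folder Deleted : C:\Users\Damon\AppData\Roaming\Mozilla\Firefox\Profiles\tr3tny0p.default\jetpack

***** [Registry] *****
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966

***** [Internet Browsers] *****
-\\ Mozilla Firefox v19.0.2 (en-US)
File : C:\Users\Damon\AppData\Roaming\Mozilla\Firefox\Profiles\tr3tny0p.default\prefs.js
[OK] File is clean.
"""

HEADER_RE = re.compile(r"^# (?P<key>[^:]+?) : (?P<value>.+)$")     # "# User : Damon - DBOX"
OPTION_RE = re.compile(r"^# Option \[(?P<mode>\w+)\]$")            # "# Option [Delete]"
SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")      # "***** [Registry] *****"
ACTION_RE = re.compile(r"^(?P<kind>Folder|File|Key|Value|Service) Deleted : (?P<target>.+)$")


def parse_adwcleaner_log(text):
    """Return (metadata dict, {section: [(kind, target), ...]}); only deletions are kept."""
    meta, actions, section = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            meta[m["key"].strip()] = m["value"].strip()
        elif (m := OPTION_RE.match(line)):
            meta["Option"] = m["mode"]          # Delete vs. Search run
        elif (m := SECTION_RE.match(line)):
            section = m["name"]                 # current ***** [...] ***** block
        elif section and (m := ACTION_RE.match(line)):
            actions[section].append((m["kind"], m["target"]))
    # Sections with nothing removed (Services, Internet Browsers here) never appear.
    return meta, dict(actions)
```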


#10 Broni


Posted 26 March 2013 - 04:50 PM

You did fine.


How is the computer doing?


1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download to your desktop and unzip it.

  • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Do NOT post JavaRa log.




#11 Todotho


Posted 26 March 2013 - 05:52 PM

I actually just completely removed Java. If I ever want to play Minecraft again, I'll install it and keep it updated, but at this point it was just taking up space. I had it disabled in FF anyway. My computer's running alright. I think clearing out that massive cache of temp files helped a lot. It must do something fancier than CCleaner. The one downside is I seem to have lost Reddit Enhancement Suite in the cleanup somehow. It uninstalled itself. If the data is gone too that will be "QQ" but... I can live with that. :) Coincidentally, I doubled my internet speed this morning so browsing is super fast. Not sure how much is due to the speed increase and how much to the cleanup. Thanks for the help!

#12 Broni


Posted 26 March 2013 - 06:28 PM

You're very welcome :)


I got 50Mbps from Comcast yesterday. Actually I clocked it at 55Mbps :)






