
Multiple (3) COM Surrogate (dllhost?) in Task Manager Processes


  • This topic is locked
20 replies to this topic

#1 falrecon


Posted 26 December 2013 - 04:40 AM

Using Windows 8. I'm just an average user with average knowledge w/ computers. There were 2, now 3, COM Surrogate processes running in my Task Manager; they disappear after around 3 secs. I tried to delete them at this time, but restarting Task Manager will spawn them again and then they disappear. When I right click any of them, they lead to the Windows System32 folder; the file is dllhost.

START>>> 3 months ago, I may have accidentally clicked an ad. Then my wallpaper changed to black. I fixed my background. But after some weeks, my internet traffic seemed to slow down even though I don't have slow internet. Then when I open the laptop, it automatically connects to the net even though I unchecked the "connect automatically" setting in Wi-Fi.
And my windows sometimes deselect, you know, when you need to click the window to acquire control again.

Now, I got the VERY FIRST spam in one of my email accounts, and that account HADN'T GOTTEN ANY spam for years until THAT time.

And my other email account started acting weird too; Yahoo said they got weird activity and I should change my password.
The exact same thing happened with my Sony account too; they asked me to change my password for my safety because of some weird activity.
YouTube videos stop buffering midway, need to refresh...
ALL OF THESE THINGS didn't occur before the 'infection'.
In the last 2.5 months, I've been researching about this virus, and downloaded many types of antiviruses one after another (not simultaneously), nothing found, no avail.

But then I found BleepingComputer, I saw one of the posts... he has the exact same problem I have, I think.

(http://www.bleepingcomputer.com/forums/t/514186/30-dllhostexe32-com-surrogate-processes-are-running/?hl=+com +surrogate)

 

Please help. I'm suspecting a backdoor, that's the worst, a nightmare for any computer user. I'm paranoid bleepless. Please help me.
Please.

Oh, this is the DDS log, bear with me for I am not a computer expert :)


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537
Run by Leyla at 17:48:00 on 2013-12-26
Microsoft Windows 8 Single Language  6.2.9200.0.1252.63.1033.18.8088.4836 [GMT 8:00]
.
AV: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\valWBFPolicyService.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe
C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler64.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Common Files\AuthenTec\TrueService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskhostex.exe
C:\Program Files (x86)\Garena Plus\ggdllhost.exe
C:\Program Files (x86)\HP SimplePass\TouchControl.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\hkcmd.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\AuthenTec\TrueService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://twitter.com/WarframeAlerts
mWinlogon: Userinit = userinit.exe
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
uRun: [Power2GoExpress8] NA
uRun: [AdobeBridge] <no file>
uRunOnce: [Uninstall C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64"
uRunOnce: [Uninstall C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2010.0530\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2010.0530\amd64"
uRunOnce: [Uninstall C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BtTray] "C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe"
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [HP CoolSense] C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe -byrunkey
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
StartupFolder: C:\Users\Pocholo\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_UNINS~1.LNK - C:\Users\Pocholo\AppData\Local\Temp\_uninst_39940731.bat
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\CONTEN~1.LNK - C:\Program Files (x86)\Sony\Content Manager Assistant\CMA.exe
IE: Download all links with IDM - C:\&&&&&&\Mainteneer\Internet Download Manager\CRACK\IEGetAll.htm
IE: Download with IDM - C:\&&&&&&\Mainteneer\Internet Download Manager\CRACK\IEExt.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1262.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} - hxxp://www.link-systems.com/sdkhtml/SDK/paste/lsiw9x.cab
TCP: NameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC} : DHCPNameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\256435A463138375946494 : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\769626F6A627 : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\D4140555140264275656027596D26496 : DHCPNameServer = 103.29.251.10 103.29.251.11
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\E6562727963716 : DHCPNameServer = 192.168.10.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWOW64\skype4com.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amdkmpfd;AMD PCI Root Bus Lower Filter;C:\Windows\System32\Drivers\amdkmpfd.sys [2012-7-10 35496]
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2012-9-29 650808]
R1 CLVirtualDrive;CLVirtualDrive;C:\Windows\System32\Drivers\CLVirtualDrive.sys [2013-6-27 92536]
R1 eamonm;eamonm;C:\Windows\System32\Drivers\eamonm.sys [2013-9-17 239320]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-9-18 239616]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2013-9-12 1337752]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\Drivers\epfwwfpr.sys [2013-9-17 157432]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [2013-2-7 1641768]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-28 86528]
R2 HPConnectedRemote;HP Connected Remote Service;C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [2012-10-13 35744]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2012-9-24 31040]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-9-8 35232]
R2 HWDeviceService64.exe;HWDeviceService64.exe;C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-3-14 346976]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-4-4 14904]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-21 635104]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-4-4 165760]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-4-4 364416]
R2 valWBFPolicyService;Validity WBF Policy Service;C:\Windows\System32\valWBFPolicyService.exe [2012-9-6 28160]
R2 XMouseButton Launcher;XMouseButton Launcher;C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe [2012-6-23 87040]
R3 BtAudioBusSrv;Ralink Bluetooth Audio Bus Service;C:\Windows\System32\Drivers\BtAudioBus.sys [2012-6-16 23136]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\Drivers\ew_jubusenum.sys [2013-11-18 90112]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\Drivers\IntcDAud.sys [2012-6-19 342528]
R3 intelkmd;intelkmd;C:\Windows\System32\Drivers\igdpmd64.sys [2012-9-5 9004384]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\Drivers\netr28x.sys [2013-4-15 2482960]
R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\Drivers\RtsBaStor.sys [2013-4-4 294544]
R3 rtbth;RTBTH Bluetooth Device Driver;C:\Windows\System32\Drivers\rtbth.sys [2012-10-3 692832]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2013-4-4 690832]
R3 SmbDrvI;SmbDrvI;C:\Windows\System32\Drivers\Smb_driver_Intel.sys [2012-8-25 43832]
R3 TrueService;TrueAPI Service component;C:\Program Files\Common Files\AuthenTec\TrueService.exe [2013-1-7 401856]
R3 WirelessButtonDriver;HP Wireless Button Driver Service;C:\Windows\System32\Drivers\WirelessButtonDriver64.sys [2012-9-1 20800]
R3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-26 198656]
S0 edevmon;edevmon;C:\Windows\System32\Drivers\edevmon.sys [2013-9-17 239296]
S2 Globe Tattoo Broadband. RunOuc;Globe Tattoo Broadband. OUC;C:\Program Files (x86)\Globe Tattoo Broadband\UpdateDog\ouc.exe [2013-11-18 657504]
S2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2013-12-18 9216]
S3 BthL2caScoIfSrv;Bluetooth Profile Interface Driver Service;C:\Windows\System32\Drivers\BtL2caScoIf.sys [2012-7-20 56904]
S3 BthLEEnum;Bluetooth Low Energy Driver;C:\Windows\System32\Drivers\BthLEEnum.sys [2012-7-26 202752]
S3 btUrbFilterDrv;IVT URB Bluetooth Filter Driver Service;C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [2012-10-3 48608]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\Drivers\ew_hwusbdev.sys [2013-11-18 117248]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\System32\Drivers\ew_usbenumfilter.sys [2013-11-18 14976]
S3 huawei_cdcacm;huawei_cdcacm;C:\Windows\System32\Drivers\ew_jucdcacm.sys [2013-11-18 104960]
S3 huawei_ext_ctrl;huawei_ext_ctrl;C:\Windows\System32\Drivers\ew_juextctrl.sys [2013-11-18 30720]
S3 huawei_wwanecm;huawei_wwanecm;C:\Windows\System32\Drivers\ew_juwwanecm.sys [2013-11-18 242688]
S3 NETwNe64;@netwne64.inf,___ %NIC_Service_DispName_WIN7_64%;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\Drivers\NETwNe64.sys [2012-6-2 11400192]
S3 PORTMON;PORTMON;C:\Users\Pocholo\Desktop\SysinternalsSuite\PORTMSYS.SYS [2013-11-5 28656]
S3 SmbDrv;SmbDrv;C:\Windows\System32\Drivers\Smb_driver_AMDASF.sys [2012-8-25 41272]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-12-23 08:23:44 -------- d-----w- C:\Program Files (x86)\ESET
2013-12-23 07:53:15 -------- d-----w- C:\Users\Pocholo\AppData\Local\ESET
2013-12-23 04:26:22 -------- d-----w- C:\Program Files\ESET
2013-12-23 04:24:19 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A4161E8C-340C-4886-A46F-60F6309FE9B9}\mpengine.dll
2013-12-22 04:46:11 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-12-18 09:43:55 -------- d-----w- C:\Program Files (x86)\Hi-Rez Studios
2013-12-15 00:04:15 -------- d-----w- C:\Program Files (x86)\BF3
2013-12-14 21:35:42 -------- d-----w- C:\Users\Pocholo\AppData\Local\HonLauncher
2013-12-14 21:34:49 -------- d-----w- C:\Users\Pocholo\AppData\Local\Garena
2013-12-14 21:34:25 -------- d-----w- C:\GarenaDownload
2013-12-14 21:33:17 -------- d-----w- C:\Users\Pocholo\AppData\Roaming\Garena
2013-12-14 21:33:17 -------- d-----w- C:\ProgramData\Garena
2013-12-14 21:32:34 -------- d-----w- C:\Users\Pocholo\AppData\Roaming\GarenaPlus
2013-12-14 21:32:34 -------- d-----w- C:\ProgramData\GarenaMessenger
2013-12-14 21:27:50 -------- d-----w- C:\Program Files (x86)\Garena Plus
2013-12-14 21:10:19 -------- d-----w- C:\Program Files (x86)\HoN
2013-12-13 00:47:17 -------- d-----w- C:\TDSSKiller_Quarantine
2013-12-13 00:38:01 208216 ----a-w- C:\Windows\System32\drivers\99803269.sys
2013-12-11 23:58:11 62976 ----a-w- C:\Windows\System32\imagehlp.dll
2013-12-11 23:58:11 59392 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-12-11 23:55:57 222720 ----a-w- C:\Windows\System32\scrobj.dll
2013-12-11 23:55:57 194048 ----a-w- C:\Windows\System32\scrrun.dll
2013-12-11 23:55:57 156160 ----a-w- C:\Windows\SysWow64\scrrun.dll
2013-12-11 23:55:57 143872 ----a-w- C:\Windows\System32\wshom.ocx
2013-12-11 23:55:56 162304 ----a-w- C:\Windows\SysWow64\scrobj.dll
2013-12-11 23:55:56 146944 ----a-w- C:\Windows\System32\cscript.exe
2013-12-11 23:55:56 115712 ----a-w- C:\Windows\SysWow64\cscript.exe
2013-12-11 23:55:15 4036608 ----a-w- C:\Windows\System32\win32k.sys
2013-12-11 23:54:32 288768 ----a-w- C:\Windows\System32\drivers\portcls.sys
2013-12-03 15:51:14 -------- d-----w- C:\Users\Pocholo\AppData\Roaming\Dev-Cpp
2013-12-03 14:51:33 -------- d-----w- C:\Program Files (x86)\Dev-Cpp
2013-12-03 14:31:50 -------- d-----w- C:\Dev-Cpp
2013-12-01 15:51:13 -------- d-----w- C:\Program Files (x86)\Sony
2013-12-01 02:46:35 -------- d-----w- C:\Users\Pocholo\AppData\Roaming\Malwarebytes
2013-12-01 02:46:24 -------- d-----w- C:\ProgramData\Malwarebytes
.
==================== Find3M  ====================
.
2013-12-20 23:24:09 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-04 00:53:54 694240 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-23 06:43:58 420864 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-11-23 05:05:01 368640 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-11-21 06:56:25 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2013-11-21 06:56:25 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2013-11-19 14:30:08 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-11 14:20:06 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2013-11-11 03:18:20 3130440 ----a-w- C:\Windows\SysWow64\pbsvc_blr.exe
2013-11-01 05:38:21 312320 ----a-w- C:\Windows\System32\msieftp.dll
2013-11-01 03:49:24 273408 ----a-w- C:\Windows\SysWow64\msieftp.dll
2013-10-31 05:56:24 915968 ----a-w- C:\Windows\System32\MPSSVC.dll
2013-10-31 05:56:02 758784 ----a-w- C:\Windows\System32\FirewallAPI.dll
2013-10-31 04:01:46 550400 ----a-w- C:\Windows\SysWow64\FirewallAPI.dll
2013-10-31 03:42:19 74752 ----a-w- C:\Windows\System32\drivers\mpsdrv.sys
2013-10-28 05:50:42 588288 ----a-w- C:\Windows\System32\SHCore.dll
2013-10-28 04:05:52 452608 ----a-w- C:\Windows\SysWow64\SHCore.dll
2013-10-25 06:19:22 2241536 ----a-w- C:\Windows\System32\wininet.dll
2013-10-25 06:19:12 915968 ----a-w- C:\Windows\System32\uxtheme.dll
2013-10-25 06:17:57 3959808 ----a-w- C:\Windows\System32\jscript9.dll
2013-10-25 04:45:11 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-10-25 04:43:42 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-10-13 20:49:43 100696 ----a-w- C:\Windows\System32\drivers\disk.sys
2013-10-10 11:53:35 96600 ----a-w- C:\Windows\System32\drivers\wfplwfs.sys
2013-10-10 09:21:20 1160192 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-10 09:20:43 723968 ----a-w- C:\Windows\System32\BFE.DLL
2013-10-08 22:30:32 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2013-10-08 22:30:17 84992 ----a-w- C:\Windows\SysWow64\wudriver.dll
2013-10-08 22:30:17 126976 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2013-10-08 22:28:11 40448 ----a-w- C:\Windows\System32\wuapp.exe
2013-10-08 22:27:56 99328 ----a-w- C:\Windows\System32\wudriver.dll
2013-10-08 22:27:56 252928 ----a-w- C:\Windows\System32\WUSettingsProvider.dll
2013-10-08 22:27:56 1622016 ----a-w- C:\Windows\System32\wucltux.dll
2013-10-08 22:27:56 142848 ----a-w- C:\Windows\System32\wuwebv.dll
2013-10-08 22:27:45 175104 ----a-w- C:\Windows\System32\storewuauth.dll
2013-10-05 06:10:20 285016 ----a-w- C:\Windows\System32\drivers\spaceport.sys
2013-10-02 23:25:41 1300992 ----a-w- C:\Windows\System32\gdi32.dll
2013-10-02 02:50:07 447320 ----a-w- C:\Windows\System32\drivers\USBHUB3.SYS
2013-10-01 23:37:57 1569280 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-10-01 23:37:53 2035712 ----a-w- C:\Windows\SysWow64\authui.dll
2013-10-01 23:26:49 1890816 ----a-w- C:\Windows\System32\crypt32.dll
2013-10-01 23:26:45 2304512 ----a-w- C:\Windows\System32\authui.dll
2013-10-01 22:22:19 1022976 ----a-w- C:\Windows\SysWow64\gdi32.dll
2013-09-28 05:48:00 778752 ----a-w- C:\Windows\System32\oleaut32.dll
2013-09-28 03:58:44 551424 ----a-w- C:\Windows\SysWow64\oleaut32.dll
.
============= FINISH: 17:48:21.73 ===============


 


Edited by falrecon, 26 December 2013 - 04:58 AM.



#2 falrecon


Posted 27 December 2013 - 11:07 PM

uhm, anyone?



#3 HelpBot


Posted 31 December 2013 - 04:45 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/518630 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Elise


Posted 03 January 2014 - 07:52 AM

Hello, if you still need assistance, please post the requested logs.


regards, Elise


#5 falrecon


Posted 03 January 2014 - 10:23 PM

Hi, uhm, this is the new DDS log:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537
Run by Leyla at 11:19:21 on 2014-01-04
Microsoft Windows 8 Single Language  6.2.9200.0.1252.63.1033.18.8088.6409 [GMT 8:00]
.
AV: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
AV: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET NOD32 Antivirus 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Program Files\Intel\iCLS Client\HeciServer.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\valWBFPolicyService.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe
C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BsHelpCS.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler64.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Common Files\AuthenTec\TrueService.exe
C:\Windows\System32\LogonUI.exe
C:\Windows\System32\dwm.exe
C:\Windows\system32\dwm.exe
C:\Windows\system32\atieclxx.exe
C:\Program Files (x86)\Garena Plus\ggdllhost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\taskhostex.exe
C:\Program Files (x86)\HP SimplePass\TouchControl.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
C:\Windows\System32\RuntimeBroker.exe
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
C:\Program Files\Common Files\AuthenTec\TrueService.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://twitter.com/WarframeAlerts
mWinlogon: Userinit = userinit.exe
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll
uRun: [Power2GoExpress8] NA
uRun: [AdobeBridge] <no file>
uRunOnce: [Uninstall C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64"
uRunOnce: [Uninstall C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2010.0530\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2010.0530\amd64"
uRunOnce: [Uninstall C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64] C:\Windows\System32\cmd.exe /q /c rmdir /s /q "C:\Users\Pocholo\AppData\Local\Microsoft\SkyDrive\17.0.2011.0627\amd64"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [BtTray] "C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe"
mRun: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
mRun: [HP CoolSense] C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe -byrunkey
mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
StartupFolder: C:\Users\Pocholo\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\_UNINS~1.LNK - C:\Users\Pocholo\AppData\Local\Temp\_uninst_39940731.bat
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\CONTEN~1.LNK - C:\Program Files (x86)\Sony\Content Manager Assistant\CMA.exe
IE: Download all links with IDM - C:\&&&&&&\Mainteneer\Internet Download Manager\CRACK\IEGetAll.htm
IE: Download with IDM - C:\&&&&&&\Mainteneer\Internet Download Manager\CRACK\IEExt.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\NCLauncherFromIE.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1262.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {C228AEDD-FC47-11D3-AF87-D128A9381404} - hxxp://www.link-systems.com/sdkhtml/SDK/paste/lsiw9x.cab
TCP: NameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC} : DHCPNameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\256435A463138375946494 : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\769626F6A627 : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\D4140555140264275656027596D26496 : DHCPNameServer = 103.29.251.10 103.29.251.11
TCP: Interfaces\{045A513F-FF96-4EFE-BB9B-5C19B3A999BC}\E6562727963716 : DHCPNameServer = 192.168.10.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Windows\SysWOW64\skype4com.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\31.0.1650.63\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe
x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
x64-Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amdkmpfd;AMD PCI Root Bus Lower Filter;C:\Windows\System32\Drivers\amdkmpfd.sys [2012-7-10 35496]
R0 edevmon;edevmon;C:\Windows\System32\Drivers\edevmon.sys [2013-9-17 239296]
R0 iaStorA;iaStorA;C:\Windows\System32\Drivers\iaStorA.sys [2012-9-29 650808]
R1 CLVirtualDrive;CLVirtualDrive;C:\Windows\System32\Drivers\CLVirtualDrive.sys [2013-6-27 92536]
R1 eamonm;eamonm;C:\Windows\System32\Drivers\eamonm.sys [2013-9-17 239320]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-9-18 239616]
R2 ekrn;ESET Service;C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2013-9-12 1337752]
R2 epfwwfpr;epfwwfpr;C:\Windows\System32\Drivers\epfwwfpr.sys [2013-9-17 157432]
R2 FPLService;TrueSuiteService;C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [2013-2-7 1641768]
R2 HiPatchService;Hi-Rez Studios Authenticate and Update Service;C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [2013-12-18 9216]
R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2012-9-28 86528]
R2 HPConnectedRemote;HP Connected Remote Service;C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [2012-10-13 35744]
R2 hpsrv;HP Service;C:\Windows\System32\hpservice.exe [2012-9-24 31040]
R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-9-8 35232]
R2 HWDeviceService64.exe;HWDeviceService64.exe;C:\ProgramData\DatacardService\HWDeviceService64.exe [2011-3-14 346976]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2013-4-4 14904]
R2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;C:\Program Files\Intel\iCLS Client\HeciServer.exe [2012-4-21 635104]
R2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe [2013-4-4 165760]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2013-4-4 364416]
R2 valWBFPolicyService;Validity WBF Policy Service;C:\Windows\System32\valWBFPolicyService.exe [2012-9-6 28160]
R2 XMouseButton Launcher;XMouseButton Launcher;C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe [2012-6-23 87040]
R3 BtAudioBusSrv;Ralink Bluetooth Audio Bus Service;C:\Windows\System32\Drivers\BtAudioBus.sys [2012-6-16 23136]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\Drivers\ew_jubusenum.sys [2013-11-18 90112]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\Drivers\IntcDAud.sys [2012-6-19 342528]
R3 intelkmd;intelkmd;C:\Windows\System32\Drivers\igdpmd64.sys [2012-9-5 9004384]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\Drivers\netr28x.sys [2013-4-15 2482960]
R3 RSBASTOR;Realtek PCIE CardReader Driver - BA;C:\Windows\System32\Drivers\RtsBaStor.sys [2013-4-4 294544]
R3 rtbth;RTBTH Bluetooth Device Driver;C:\Windows\System32\Drivers\rtbth.sys [2012-10-3 692832]
R3 RTL8168;Realtek 8168 NT Driver;C:\Windows\System32\Drivers\Rt630x64.sys [2013-4-4 690832]
R3 SmbDrvI;SmbDrvI;C:\Windows\System32\Drivers\Smb_driver_Intel.sys [2012-8-25 43832]
R3 TrueService;TrueAPI Service component;C:\Program Files\Common Files\AuthenTec\TrueService.exe [2013-1-7 401856]
R3 WirelessButtonDriver;HP Wireless Button Driver Service;C:\Windows\System32\Drivers\WirelessButtonDriver64.sys [2012-9-1 20800]
R3 WUDFWpdMtp;WUDFWpdMtp;C:\Windows\System32\Drivers\WUDFRd.sys [2012-7-26 198656]
S2 Globe Tattoo Broadband. RunOuc;Globe Tattoo Broadband. OUC;C:\Program Files (x86)\Globe Tattoo Broadband\UpdateDog\ouc.exe [2013-11-18 657504]
S3 BthL2caScoIfSrv;Bluetooth Profile Interface Driver Service;C:\Windows\System32\Drivers\BtL2caScoIf.sys [2012-7-20 56904]
S3 BthLEEnum;Bluetooth Low Energy Driver;C:\Windows\System32\Drivers\BthLEEnum.sys [2012-7-26 202752]
S3 btUrbFilterDrv;IVT URB Bluetooth Filter Driver Service;C:\Windows\System32\Drivers\IvtUrbBtFlt.sys [2012-10-3 48608]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\Drivers\ew_hwusbdev.sys [2013-11-18 117248]
S3 ew_usbenumfilter;huawei_CompositeFilter;C:\Windows\System32\Drivers\ew_usbenumfilter.sys [2013-11-18 14976]
S3 huawei_cdcacm;huawei_cdcacm;C:\Windows\System32\Drivers\ew_jucdcacm.sys [2013-11-18 104960]
S3 huawei_ext_ctrl;huawei_ext_ctrl;C:\Windows\System32\Drivers\ew_juextctrl.sys [2013-11-18 30720]
S3 huawei_wwanecm;huawei_wwanecm;C:\Windows\System32\Drivers\ew_juwwanecm.sys [2013-11-18 242688]
S3 NETwNe64;@netwne64.inf,___ %NIC_Service_DispName_WIN7_64%;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\System32\Drivers\NETwNe64.sys [2012-6-2 11400192]
S3 PORTMON;PORTMON;C:\Users\Pocholo\Desktop\SysinternalsSuite\PORTMSYS.SYS [2013-11-5 28656]
S3 SmbDrv;SmbDrv;C:\Windows\System32\Drivers\Smb_driver_AMDASF.sys [2012-8-25 41272]
S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
.
=============== File Associations ===============
.
FileExt: .txt: txtfile=C:\Windows\System32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2013-12-27 08:20:25 -------- d-----w- C:\Down
2013-12-23 07:53:15 -------- d-----w- C:\Users\Pocholo\AppData\Local\ESET
2013-12-23 04:26:22 -------- d-----w- C:\Program Files\ESET
2013-12-23 04:24:19 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A4161E8C-340C-4886-A46F-60F6309FE9B9}\mpengine.dll
2013-12-22 04:46:11 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2013-12-18 09:43:55 -------- d-----w- C:\Program Files (x86)\Hi-Rez Studios
2013-12-15 00:04:15 -------- d-----w- C:\Program Files (x86)\BF3
2013-12-14 21:35:42 -------- d-----w- C:\Users\Pocholo\AppData\Local\HonLauncher
2013-12-14 21:34:49 -------- d-----w- C:\Users\Pocholo\AppData\Local\Garena
2013-12-14 21:34:25 -------- d-----w- C:\GarenaDownload
2013-12-14 21:33:17 -------- d-----w- C:\Users\Pocholo\AppData\Roaming\Garena
2013-12-14 21:33:17 -------- d-----w- C:\ProgramData\Garena
2013-12-14 21:32:34 -------- d-----w- C:\Users\Pocholo\AppData\Roaming\GarenaPlus
2013-12-14 21:32:34 -------- d-----w- C:\ProgramData\GarenaMessenger
2013-12-14 21:27:50 -------- d-----w- C:\Program Files (x86)\Garena Plus
2013-12-14 21:10:19 -------- d-----w- C:\Program Files (x86)\HoN
2013-12-13 00:47:17 -------- d-----w- C:\TDSSKiller_Quarantine
2013-12-13 00:38:01 208216 ----a-w- C:\Windows\System32\drivers\99803269.sys
2013-12-11 23:58:11 62976 ----a-w- C:\Windows\System32\imagehlp.dll
2013-12-11 23:58:11 59392 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2013-12-11 23:55:57 222720 ----a-w- C:\Windows\System32\scrobj.dll
2013-12-11 23:55:57 194048 ----a-w- C:\Windows\System32\scrrun.dll
2013-12-11 23:55:57 156160 ----a-w- C:\Windows\SysWow64\scrrun.dll
2013-12-11 23:55:57 143872 ----a-w- C:\Windows\System32\wshom.ocx
2013-12-11 23:55:56 162304 ----a-w- C:\Windows\SysWow64\scrobj.dll
2013-12-11 23:55:56 146944 ----a-w- C:\Windows\System32\cscript.exe
2013-12-11 23:55:56 115712 ----a-w- C:\Windows\SysWow64\cscript.exe
2013-12-11 23:55:15 4036608 ----a-w- C:\Windows\System32\win32k.sys
2013-12-11 23:54:32 288768 ----a-w- C:\Windows\System32\drivers\portcls.sys
.
==================== Find3M  ====================
.
2013-12-20 23:24:09 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-04 00:53:54 694240 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-11-23 06:43:58 420864 ----a-w- C:\Windows\System32\WMPhoto.dll
2013-11-23 05:05:01 368640 ----a-w- C:\Windows\SysWow64\WMPhoto.dll
2013-11-21 06:56:25 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2013-11-21 06:56:25 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2013-11-19 14:30:08 283032 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2013-11-19 10:21:41 267936 ------w- C:\Windows\System32\MpSigStub.exe
2013-11-11 14:20:06 76888 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2013-11-11 03:18:20 3130440 ----a-w- C:\Windows\SysWow64\pbsvc_blr.exe
2013-11-01 05:38:21 312320 ----a-w- C:\Windows\System32\msieftp.dll
2013-11-01 03:49:24 273408 ----a-w- C:\Windows\SysWow64\msieftp.dll
2013-10-31 05:56:24 915968 ----a-w- C:\Windows\System32\MPSSVC.dll
2013-10-31 05:56:02 758784 ----a-w- C:\Windows\System32\FirewallAPI.dll
2013-10-31 04:01:46 550400 ----a-w- C:\Windows\SysWow64\FirewallAPI.dll
2013-10-31 03:42:19 74752 ----a-w- C:\Windows\System32\drivers\mpsdrv.sys
2013-10-28 05:50:42 588288 ----a-w- C:\Windows\System32\SHCore.dll
2013-10-28 04:05:52 452608 ----a-w- C:\Windows\SysWow64\SHCore.dll
2013-10-25 06:19:22 2241536 ----a-w- C:\Windows\System32\wininet.dll
2013-10-25 06:19:12 915968 ----a-w- C:\Windows\System32\uxtheme.dll
2013-10-25 06:17:57 3959808 ----a-w- C:\Windows\System32\jscript9.dll
2013-10-25 04:45:11 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-10-25 04:43:42 2877952 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-10-13 20:49:43 100696 ----a-w- C:\Windows\System32\drivers\disk.sys
2013-10-10 11:53:35 96600 ----a-w- C:\Windows\System32\drivers\wfplwfs.sys
2013-10-10 09:21:20 1160192 ----a-w- C:\Windows\System32\IKEEXT.DLL
2013-10-10 09:20:43 723968 ----a-w- C:\Windows\System32\BFE.DLL
2013-10-08 22:30:32 35328 ----a-w- C:\Windows\SysWow64\wuapp.exe
2013-10-08 22:30:17 84992 ----a-w- C:\Windows\SysWow64\wudriver.dll
2013-10-08 22:30:17 126976 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2013-10-08 22:28:11 40448 ----a-w- C:\Windows\System32\wuapp.exe
2013-10-08 22:27:56 99328 ----a-w- C:\Windows\System32\wudriver.dll
2013-10-08 22:27:56 252928 ----a-w- C:\Windows\System32\WUSettingsProvider.dll
2013-10-08 22:27:56 1622016 ----a-w- C:\Windows\System32\wucltux.dll
2013-10-08 22:27:56 142848 ----a-w- C:\Windows\System32\wuwebv.dll
2013-10-08 22:27:45 175104 ----a-w- C:\Windows\System32\storewuauth.dll
.
============= FINISH: 11:20:51.57 ===============

Uh, just tell me if I missed something.
#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,623 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:40 AM

Posted 04 January 2014 - 02:44 AM

What you see in the Task Manager is normal. Dllhost is used as a host process when you load .dll files (or rather, Windows does that). So if 3 different DLLs are loaded, you'll see three different processes.

However, just to be sure nothing is amiss, let's also do a rootkit scan.


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft

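Editor's note on checking this yourself. dllhost.exe is the COM Surrogate: Windows launches it as `dllhost.exe /Processid:{GUID}` to host a COM server DLL out of process, so that a crash in that DLL (a thumbnail or property handler, for instance) does not take down the client such as Explorer; one surrogate is started per COM AppID, and it exits when the last object it hosts is released, which is why instances come and go within seconds. The script below is an added example and is not part of this thread or of the GMER/DDS tooling. It maps each running dllhost.exe to the AppID it was started for, resolves the server DLLs registered for that AppID, and checks Authenticode signatures, which is the concrete check behind "this is normal". It assumes Windows 8 or later with Windows PowerShell 3.0 or newer, and is best run from an elevated prompt so that command lines of surrogates in other sessions are readable; `Get-ComSurrogateInfo` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example, not from the original thread. Maps each dllhost.exe (COM Surrogate) to the
# COM AppID it hosts, resolves the registered in-process server DLL(s), and checks signatures.
# Assumes Windows 8+ and Windows PowerShell 3.0+; run elevated to see other sessions' command lines.

function Get-ComSurrogateInfo {
    [CmdletBinding()]
    param()

    $surrogates = @(Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'")
    if ($surrogates.Count -eq 0) { return }

    # Build an AppID -> CLSID-key map once. A class is hosted in the surrogate for the AppID
    # named by the AppID value under HKCR\CLSID\{clsid}.
    $byAppId = @{}
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $appId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).AppID
        if ($appId) {
            $key = $appId.ToUpperInvariant()
            if (-not $byAppId.ContainsKey($key)) { $byAppId[$key] = New-Object System.Collections.ArrayList }
            [void]$byAppId[$key].Add('Registry::' + $_.Name)
        }
    }

    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

    foreach ($p in $surrogates) {
        # Surrogates are launched as: dllhost.exe /Processid:{GUID}; the GUID is a COM AppID.
        $guid = $null
        if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') { $guid = $Matches[1].ToUpperInvariant() }

        $appIdName = $null
        $classKeys = @()
        if ($guid) {
            $appIdName = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\AppID\$guid" -ErrorAction SilentlyContinue).'(default)'
            # Candidate class keys: every CLSID whose AppID is this GUID, plus the CLSID of the same
            # GUID (AppID and CLSID are frequently identical for Microsoft-registered surrogate classes).
            $classKeys += "Registry::HKEY_CLASSES_ROOT\CLSID\$guid"
            if ($byAppId.ContainsKey($guid)) { $classKeys += $byAppId[$guid].ToArray() }
        }

        $servers = foreach ($k in ($classKeys | Sort-Object -Unique)) {
            $dll = (Get-ItemProperty -Path "$k\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if (-not $dll) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ClassKey  = $k
                Dll       = $dll
                SigStatus = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }

        # The surrogate image itself should live in System32 or SysWOW64 and carry a valid signature.
        $imgSig = if ($p.ExecutablePath) { Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue }
        $imageInSystemDir = [bool]($p.ExecutablePath -and ($systemDirs | Where-Object { $p.ExecutablePath -like "$_\dllhost.exe" }))

        [pscustomobject]@{
            Pid             = $p.ProcessId
            ParentPid       = $p.ParentProcessId
            Image           = $p.ExecutablePath
            ImageInSystemDir = $imageInSystemDir
            ImageSignature  = if ($imgSig) { [string]$imgSig.Status } else { 'Unknown' }
            AppId           = $guid
            AppIdName       = $appIdName
            Servers         = @($servers)
            # Worth a closer look: surrogate binary outside the system directories, an image that
            # is not validly signed, or a hosted server DLL whose signature does not validate.
            Suspicious      = (-not $imageInSystemDir) -or
                              ($imgSig -and $imgSig.Status -ne 'Valid') -or
                              (@($servers | Where-Object { $_.SigStatus -ne 'Valid' }).Count -gt 0)
        }
    }
}

Get-ComSurrogateInfo | Format-List
```

Because surrogates are short-lived, run this while the instances are visible (or loop it for a minute). For a healthy system every row shows `Image` under `C:\Windows\System32` or `SysWOW64`, `ImageSignature` of `Valid`, and `Servers` pointing at Microsoft-signed DLLs; a surrogate whose command line carries no `/Processid` GUID, or whose hosted DLL resolves to a user-writable location, is what would justify digging further. This registry view cannot see in-memory tampering, which is what the GMER rootkit scan requested above is for.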

#7 falrecon

falrecon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:40 AM

Posted 04 January 2014 - 03:58 AM

>>>I got this just after it opened;

C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process.

*there were only 2 lines...

>>>THEN I clicked Scan... it scanned, but after a while, I got these 2;

C:\Windows\system32\config\system: The process cannot access the file because it is being used by another process.
C:\User\Pocholo\ntuser.dat: The process cannot access the file because it is being used by another process.

>>>After closing those 2 messages, these are the logs

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-01-04 16:53:18
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\00000037 Hitachi_HTS541010A9E680 rev.JA0OA4D0 931.51GB
Running: nr73doi8.exe; Driver: C:\Users\Pocholo\AppData\Local\Temp\uwdoquod.sys

---- Kernel code sections - GMER 2.1 ----

.text   C:\Windows\System32\win32k.sys!W32pServiceTable                                                                                                                fffff960000de100 7 bytes [40, 4F, 82, 01, 00, 51, F2]
.text   C:\Windows\System32\win32k.sys!W32pServiceTable + 8                                                                                                            fffff960000de108 7 bytes [01, 15, C0, FF, 00, 12, DB]

---- User code sections - GMER 2.1 ----

.text   C:\Windows\system32\atiesrxx.exe[940] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                                                             000007f8f11b177a 4 bytes [1B, F1, F8, 07]
.text   C:\Windows\system32\atiesrxx.exe[940] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                                                             000007f8f11b1782 4 bytes [1B, F1, F8, 07]
.text   C:\Windows\system32\atieclxx.exe[1032] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                                                            000007f8f11b177a 4 bytes [1B, F1, F8, 07]
.text   C:\Windows\system32\atieclxx.exe[1032] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                                                            000007f8f11b1782 4 bytes [1B, F1, F8, 07]
.text   C:\Windows\system32\atieclxx.exe[1032] C:\Windows\system32\WSOCK32.dll!recvfrom + 742                                                                          000007f8eb761b32 4 bytes [76, EB, F8, 07]
.text   C:\Windows\system32\atieclxx.exe[1032] C:\Windows\system32\WSOCK32.dll!recvfrom + 750                                                                          000007f8eb761b3a 4 bytes [76, EB, F8, 07]
?       C:\Windows\SYSTEM32\BsHelpCSps.dll [1948] entry point in ".data" section                                                                                       0000000010005055
.text   C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[1764] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306                                    000007f8f11b177a 4 bytes [1B, F1, F8, 07]
.text   C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe[1764] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314                                    000007f8f11b1782 4 bytes [1B, F1, F8, 07]
.text   C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe[2008] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306  000007f8f11b177a 4 bytes [1B, F1, F8, 07]
.text   C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe[2008] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314  000007f8f11b1782 4 bytes [1B, F1, F8, 07]
.text   C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe[2008] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690            000007f8e3ea1532 4 bytes [EA, E3, F8, 07]
.text   C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe[2008] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698            000007f8e3ea153a 4 bytes [EA, E3, F8, 07]
.text   C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe[2008] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246          000007f8e3ea165a 4 bytes [EA, E3, F8, 07]
.text   C:\Windows\System32\igfxpers.exe[2992] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306                                                            000007f8f11b177a 4 bytes [1B, F1, F8, 07]
.text   C:\Windows\System32\igfxpers.exe[2992] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314                                                            000007f8f11b1782 4 bytes [1B, F1, F8, 07]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2412] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690                                                   000007f8e3ea1532 4 bytes [EA, E3, F8, 07]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2412] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698                                                   000007f8e3ea153a 4 bytes [EA, E3, F8, 07]
.text   C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2412] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246                                                 000007f8e3ea165a 4 bytes [EA, E3, F8, 07]
.text   C:\Program Files\Internet Explorer\iexplore.exe[3476] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690                                                       000007f8e3ea1532 4 bytes [EA, E3, F8, 07]
.text   C:\Program Files\Internet Explorer\iexplore.exe[3476] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698                                                       000007f8e3ea153a 4 bytes [EA, E3, F8, 07]
.text   C:\Program Files\Internet Explorer\iexplore.exe[3476] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246                                                     000007f8e3ea165a 4 bytes [EA, E3, F8, 07]
.text   C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[2420] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 306                                    000007f8f11b177a 4 bytes [1B, F1, F8, 07]
.text   C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe[2420] C:\Windows\system32\psapi.dll!GetProcessImageFileNameA + 314                                    000007f8f11b1782 4 bytes [1B, F1, F8, 07]

---- User IAT/EAT - GMER 2.1 ----

IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!memcmp]                                                                      [10018f15ff000f05]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!realloc]                                                                     [f05703d894800]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_errno]                                                                      [81e8000f057a1d89]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!??1type_info@@UEAA@XZ]                                                       [50245c8b48000001]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_onexit]                                                                     [ccccc35f30c48348]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!__dllonexit]                                                                 [41c48b48cccccccc]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!??3@YAXPEAX@Z]                                                               [40c74830ec834856]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_lock]                                                                       [588948fffffffee8]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_difftime64]                                                                 [7889481070894808]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mktime64]                                                                   [8bf28b44f88b4118]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!?terminate@@YAXXZ]                                                           [f05681d8b48f1]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!__RTDynamicCast]                                                             [a7850fdb8548]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_initterm]                                                                   [f054c0d8b4400]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_amsg_exit]                                                                  [875c98545c98b41]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_XcptFilter]                                                                 [16ebffc88349c933]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!wcscpy_s]                                                                    [8b49ffc88349d233]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_resetstkoflw]                                                               [20f88348f1f748c0]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!calloc]                                                                      [2b4c05e1c1484072]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_unlock]                                                                     [48337208f88349c1]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!memset]                                                                      [10001715ff08c183]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_purecall]                                                                   [74c08548d88b4c00]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!wcsrchr]                                                                     [f05080d8b4829]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!free]                                                                        [4fe058948088948]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!malloc]                                                                      [f04ff1d8b48000f]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_vsnwprintf]                                                                 [f04ec0d8b4400]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_vscprintf]                                                                  [db854ddb334503eb]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_gmtime64_s]                                                                 [e88007000eb90b75]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mbsstr]                                                                     [498d41ccffff3e58]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!wcsftime]                                                                    [438d4905e1c148ff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_time64]                                                                     [78c9ff41c1034808]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mbsrchr]                                                                    [d88b481058894817]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!time]                                                                        [48000f04c1058948]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!difftime]                                                                    [e979c9ff4120e883]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_localtime64_s]                                                              [c0950fdb8548c033]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mbsupr_s]                                                                   [4005b90b75c085]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mbscmp]                                                                     [48ccffff3e16e880]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mbslwr_s]                                                                   [10438b4858245c89]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!printf]                                                                      [89000f0491058948]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mbsicmp]                                                                    [4d05ff48187b8933]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mbsinc]                                                                     [43e058b48000f04]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_ismbcspace]                                                                 [8948f00c8b4a000f]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_mkgmtime]                                                                   [f042f0d8b48104b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!??0exception@@QEAA@AEBQEBDH@Z]                                               [d8b48f11c894a00]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!??0exception@@QEAA@AEBV0@@Z]                                                 [3d0d3b48000f042c]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!??1exception@@UEAA@XZ]                                                       [443d831576000f04]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!?what@exception@@UEBAPEBDXZ]                                                 [a9e80c7500000f04]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_callnewh]                                                                   [fd86e8c88bfffffa]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!_CxxThrowException]                                                          [5c8b48c38b48ffff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!__CxxFrameHandler3]                                                          [484824748b484024]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!memmove_s]                                                                   [30c4834850247c8b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!memcpy_s]                                                                    [ccccccccccc35e41]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!??_V@YAXPEAX@Z]                                                              [3ee058bcccccccc]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[msvcrt.dll!memcpy]                                                                      [48c933c0570ffffd]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptContextAddRef]                                                         [8b44d88bf775471c]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptReleaseContext]                                                        [ff460fe8d78b48c3]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptAcquireContextA]                                                       [8488d4823eb90ff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptCreateHash]                                                            [c883480f74ff8548]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptHashData]                                                              [471c3966c0ff48ff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptGenRandom]                                                             [48c38b44d88bf775]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptAcquireContextW]                                                       [48ffff45e9e8d78b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptDecrypt]                                                               [4860245c8b48c68b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptDuplicateKey]                                                          [c35e5f5e4140c483]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptEncrypt]                                                               [cccccccccccccccc]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptGenKey]                                                                [74894808245c8948]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptSetHashParam]                                                          [4118247c89481024]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptExportKey]                                                             [3041ff20ec834856]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptImportKey]                                                             [74f98b4800398348]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptGetProvParam]                                                          [2b76107139f63332]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptGetKeyParam]                                                           [8b49078b48f63345]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptVerifySignatureW]                                                      [48d38b480feb061c]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptDeriveKey]                                                             [ede8cf8b48105b8b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptSignHashW]                                                             [ec75db8548000001]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptDestroyHash]                                                           [773b08c68349c6ff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptDestroyKey]                                                            [15ff0f8b48d87210]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptGetUserKey]                                                            [27834800100984]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptGetHashParam]                                                          [307f830008678348]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPTSP.dll!CryptSetProvParam]                                                          [cf8b48d233177500]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!NdrServerCall2]                                                              [56fee8d08bcf8b48]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!NdrServerCallAll]                                                            [8348384f8b480002]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!UuidToStringW]                                                               [1574c98548004067]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcServerInterfaceGroupDeactivate]                                           [10085f15ff198b48]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcServerInterfaceGroupCreateW]                                              [75db8548cb8b4800]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcServerInterfaceGroupActivate]                                             [304fff385f2148ef]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcServerInterfaceGroupClose]                                                [748b4830245c8b48]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcStringFreeA]                                                              [4840247c8b483824]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!UuidToStringA]                                                               [ccccc35e4120c483]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!NdrMesTypeEncode3]                                                           [57c48b48cccccccc]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!NdrMesTypeFree3]                                                             [e840c74830ec8348]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!NdrMesTypeAlignSize3]                                                        [8588948fffffffe]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!NdrMesTypeDecode3]                                                           [488d4cf98bda8b48]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!I_RpcBindingInqLocalClientPID]                                               [508d4818408d4cf0]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!UuidCreate]                                                                  [8b4c0000049ee820]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcRevertToSelf]                                                             [39484675c08548d8]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!MesDecodeBufferHandleCreate]                                                 [b21c75000f0ccb05]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!MesHandleFree]                                                               [e8000f0cd10d8b01]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!MesBufferHandleReset]                                                        [b75c084000002a4]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcStringFreeW]                                                              [4662e88007000eb9]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!RpcImpersonateClient]                                                        [5024448b44ccffff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[RPCRT4.dll!MesEncodeFixedBufferHandleCreate]                                            [49e8cf8b5824548b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertGetNameStringW]                                                         [7422f883157416f8]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertCreateCertificateContext]                                               [5b9217450f88310]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertVerifySubjectCertificateContext]                                        [ffff48a4e8800040]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertCloseStore]                                                             [99e880070057b9cc]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertFreeCertificateContext]                                                 [7000eb9ccffff48]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertDuplicateCertificateContext]                                            [85ccffff488ee880]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptProtectData]                                                           [593b0f8b481778db]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertGetIssuerCertificateFromStore]                                          [8b48f059890f7ff4]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertOpenStore]                                                              [e2c8966c68b410f]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertEnumCertificatesInStore]                                                [e880070057b90deb]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertGetCertificateContextProperty]                                          [48c033ccffff4868]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptUnprotectData]                                                         [246c8b4830245c8b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertAddCertificateContextToStore]                                           [4120c4834848247c]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertFreeCertificateChain]                                                   [ccccccccccccc35e]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertGetCertificateChain]                                                    [4856415756dc8b4c]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertSetCertificateContextProperty]                                          [fed843c74940ec83]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertVerifyCertificateChainPolicy]                                           [438d49f18b44fa8b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptVerifyMessageSignature]                                                [4b8d4dc8438949e0]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertGetNameStringA]                                                         [48d18b20438d4d18]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptImportPublicKeyInfo]                                                   [69e8000f0e0a0d8d]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertDeleteCertificateFromStore]                                             [db33f08b48000003]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertCompareCertificate]                                                     [4c8b444775c08548]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptAcquireCertificatePrivateKey]                                          [417824448b447024]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptSignAndEncodeCertificate]                                              [f0de70d8d48d68b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptExportPublicKeyInfo]                                                   [8b48000003aee800]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CryptEncodeObjectEx]                                                        [8d487024448948f0]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[CRYPT32.dll!CertFindCertificateInStore]                                                 [480f74ff85480848]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!RtlPublishWnfStateData]                                                       [280fc02a0f48f380]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_vsnprintf]                                                                   [f03d30d590ff3c8]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcsncmp]                                                                      [ff30c76ca2f0f00]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!toupper]                                                                      [480373ca2f0fca5c]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_wcsupr_s]                                                                    [3b605590ff3ca8b]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_i64tow_s]                                                                    [48c12c0f48f3000f]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_wtol]                                                                        [48c22f0fc933c103]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!strstr]                                                                       [c76000f03aa0589]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_ltow_s]                                                                      [73c22f0fc25c0ff3]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_atoi64]                                                                      [2c0f48f3ca8b4803]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcsnlen]                                                                      [8348c933c10348c0]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcsncpy_s]                                                                    [8948c1420f4811f8]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_wtoi]                                                                        [ccccc3000f038b05]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!swprintf_s]                                                                   [83485340cccccccc]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!RtlAcquireResourceShared]                                                     [f35bf7058d4820ec]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!RtlReleaseResource]                                                           [f6018948d98b48ff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!RtlAcquireResourceExclusive]                                                  [fdee15ff067401c2]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!WinSqmSetDWORD]                                                               [c48348c38b48000f]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!RtlInitializeResource]                                                        [ccccccccccc35b20]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!RtlDeleteResource]                                                            [83485340cccccccc]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!towupper]                                                                     [fe202444c74830ec]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcscspn]                                                                      [8d48d98b48ffffff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcsspn]                                                                       [18948fff35b4b05]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!iswspace]                                                                     [18ea834820518b48]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_wcslwr_s]                                                                    [1042c10ff0ffc883]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcstoul]                                                                      [8b48097fc085c8ff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_wcsicmp]                                                                     [480850ff018b480a]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcschr]                                                                       [40245c894818c383]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!vsprintf_s]                                                                   [ffffdfe0e8cb8b48]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!vswprintf_s]                                                                  [18ea8348138b4890]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!_vscwprintf]                                                                  [1042c10ff0ffc883]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!wcsstr]                                                                       [8b48097fc085c8ff]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!WinSqmAddToStreamEx]                                                          [480850ff018b480a]
IAT     C:\Windows\system32\svchost.exe[268] @ c:\windows\system32\wlidsvc.dll[ntdll.dll!WinSqmIsOptedIn]                                                              [ccccccc35b30c483]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\csrss.exe [564:10144]                                                                                                                      fffff960008845e8

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0                                                                                                                                          unknown MBR code

just tell me if I'm doing something wrong.

---- EOF - GMER 2.1 ----



#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,623 posts
  • Gender:Female
  • Location:Romania

Posted 04 January 2014 - 04:24 AM

No worries, that is okay. :)

Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click No.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

Malware analyst @ Emsisoft


#9 falrecon
  • Topic Starter
  • Members
  • 14 posts

Posted 04 January 2014 - 04:49 AM

okay, here it is:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-01-04 17:46:31
-----------------------------
17:46:31.836    OS Version: Windows x64 6.2.9200
17:46:31.836    Number of processors: 8 586 0x3A09
17:46:31.837    ComputerName: M6-EISEN-REGEN  UserName: Leyla
17:46:31.911    Initialze error 1
17:46:56.190    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000037
17:46:56.193    Disk 0 Vendor: Hitachi_HTS541010A9E680 JA0OA4D0 Size: 953869MB BusType: 8
17:46:56.217    Disk 0 MBR read successfully
17:46:56.219    Disk 0 MBR scan
17:46:56.221    Disk 0 unknown MBR code
17:46:56.223    Disk 0 Partition 1 00     EE          GPT            122104 MB offset 1
17:46:56.225    Disk 0 scanning C:\Windows\system32\drivers
17:46:56.228    Service scanning
17:46:57.066    Modules scanning
17:46:57.071    Disk 0 trace - called modules:
17:46:57.095    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys storport.sys hal.dll iaStorA.sys
17:46:57.099    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800b413060]
17:46:57.104    3 CLASSPNP.SYS[fffff88001256e0a] -> nt!IofCallDriver -> [0xfffffa800a5fd5f0]
17:46:57.110    5 hpdskflt.sys[fffff88001f52379] -> nt!IofCallDriver -> \Device\00000037[0xfffffa80095e8060]
17:46:57.449    Scan finished successfully
17:47:13.960    Disk 0 MBR has been saved successfully to "C:\Users\Pocholo\Desktop\MBR.dat"
17:47:13.964    The log file has been saved successfully to "C:\Users\Pocholo\Desktop\aswMBR.txt"

I don't have a backdoor or keyloggers... right?? :(


Edited by falrecon, 04 January 2014 - 04:49 AM.


#10 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,623 posts
  • Gender:Female
  • Location:Romania

Posted 04 January 2014 - 04:56 AM

A file named mbr.dat has been created in the same location as aswmbr, can you please zip that up and attach it to your next reply? To zip a file, right click it, select Send to > Compressed (zipped) folder.

The log looks good, but I want to check out the MBR code. Likely it is legit, but let's just make sure. :)

regards, Elise




#11 falrecon
  • Topic Starter
  • Members
  • 14 posts

Posted 04 January 2014 - 05:00 AM

I got it:

uh, but why are they hiding from me? The COM Surrogates, that is. Why do they disappear after some seconds when I open Task Manager??

Attached File: mbr.zip (145 bytes)
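On the COM Surrogate question in the post above, as an added example that is not part of the thread: the COM service starts dllhost.exe with a /Processid:{CLSID} argument, and the surrogate exits shortly after the last object it hosts is released, so instances that appear for a few seconds and vanish are by themselves normal. Whether a particular instance is benign depends on which CLSID it was started for and which DLL that CLSID maps to. The PowerShell below (written for this page, not code from BleepingComputer, the poster or the tool authors) resolves each running surrogate to its hosted DLL and checks the Authenticode signatures of both the host and the DLL. It assumes an elevated prompt (otherwise Win32_Process hides the command lines of processes owned by other users) and maps an HKCR: drive; the function name Get-ComSurrogateInfo is the example's own.

```powershell
# Added example, not from the thread: map every running COM Surrogate to the
# COM server it hosts and check the code signatures involved.
# Assumptions: elevated prompt, and 64-bit Windows where 32-bit servers are
# registered under HKCR\Wow6432Node\CLSID.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ComSurrogateInfo {
    Get-CimInstance Win32_Process -Filter "Name = 'dllhost.exe'" | ForEach-Object {
        # The COM service starts the surrogate as: dllhost.exe /Processid:{CLSID}
        $clsid = $null
        if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') { $clsid = $Matches[1] }

        # A surrogate running from SysWOW64 loads 32-bit servers, which live
        # under the Wow6432Node view of HKCR.
        $is32 = $_.ExecutablePath -like '*\SysWOW64\*'
        $key  = if ($is32) { "HKCR:\Wow6432Node\CLSID\$clsid\InprocServer32" } else { "HKCR:\CLSID\$clsid\InprocServer32" }

        # InprocServer32's default value is the DLL dllhost.exe loads for this CLSID.
        $dll = $null
        if ($clsid -and (Test-Path $key)) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"') }
        }

        # The surrogate binary itself should be the System32 or SysWOW64 copy,
        # and it should carry a valid Microsoft signature.
        $hostStatus = 'n/a'
        if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
            $hostStatus = (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status
        }
        $dllStatus = 'n/a'; $dllSigner = 'n/a'
        if ($dll -and (Test-Path $dll)) {
            $s = Get-AuthenticodeSignature -FilePath $dll
            $dllStatus = $s.Status
            if ($s.SignerCertificate) { $dllSigner = $s.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            PID        = $_.ProcessId
            ParentPID  = $_.ParentProcessId
            HostPath   = $_.ExecutablePath
            HostSigned = $hostStatus
            CLSID      = $clsid
            ServerDll  = $dll
            DllSigned  = $dllStatus
            DllSigner  = $dllSigner
        }
    }
}

# Surrogates live only a few seconds, so sample repeatedly and de-duplicate by PID.
# What deserves a closer look: a HostPath outside System32/SysWOW64, a ServerDll
# in a user-writable directory (AppData, Temp), or a DLL whose signature is not Valid.
$seen = @{}
1..10 | ForEach-Object {
    Get-ComSurrogateInfo | ForEach-Object { if (-not $seen.ContainsKey($_.PID)) { $seen[$_.PID] = $_ } }
    Start-Sleep -Milliseconds 500
}
$seen.Values | Sort-Object PID | Format-Table -AutoSize
```

A surrogate whose host binary and hosted DLL both sit under the Windows directory with valid signatures is the expected picture; the script exists to make the exceptions visible, since Task Manager only shows the host path and not the CLSID or the DLL behind it.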


#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,623 posts
  • Gender:Female
  • Location:Romania

Posted 04 January 2014 - 06:08 AM

Did you run aswMBR off a flash drive by any chance? That file is empty. Or have you set another disk as the boot device?

regards, Elise




#13 falrecon
  • Topic Starter
  • Members
  • 14 posts

Posted 04 January 2014 - 08:12 AM

uhm, I don't think so, I just ran it straight from the desktop. Didn't boot it or anything. I will do it again now and attach it to this post.

*I restarted my laptop a short time ago, and I will rescan and resave the aswMBR log and rezip and reattach it again, now.

*reposted, tada~

Attached File: mbr2.zip (145 bytes)


#14 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,623 posts
  • Gender:Female
  • Location:Romania

Posted 04 January 2014 - 08:51 AM

I suspect the tool doesn't have access to the MBR or can't read it correctly for some reason. To explain: the file I get is empty except for a few bytes (which are consistent with what I'd expect to see). Either aswMBR is looking in the wrong place or it doesn't have sufficient permissions. None of this is an indication of trouble, though. To be sure, please run this.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


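On the MBR.dat discussion above, as an added example that is not from the thread, from BleepingComputer or from the aswMBR authors: the PowerShell below parses a raw 512-byte MBR dump the way a reviewer checks one by hand. It reports the 55 AA boot signature, hashes the 440-byte bootstrap area so it can be compared against a known-good Windows MBR, reads the NT disk signature, and decodes the four partition entries. A single entry of type 0xEE is the protective MBR a GPT disk carries, which is what the "00 EE GPT" line in the aswMBR log earlier in the thread describes. The sample bytes at the bottom are constructed for the demonstration; a dump shorter than one sector, like the near-empty file discussed above, is reported as unreadable rather than parsed. The function name Read-Mbr and the Desktop path in the trailing comment are the example's own assumptions.

```powershell
# Added example, not from the thread: inspect a raw 512-byte MBR dump such as
# the MBR.dat that aswMBR saves next to its log.
function Read-Mbr {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)

    $r = [ordered]@{
        Length          = $Bytes.Length
        Readable        = $false
        ValidSignature  = $false     # bytes 510..511 must be 55 AA
        BootCodeSha256  = $null      # bytes 0..439: the bootstrap code itself
        BootCodeAllZero = $false
        DiskSignature   = $null      # bytes 440..443: NT disk signature
        Partitions      = @()
        Note            = ''
    }

    if ($Bytes.Length -lt 512) {
        # A dump of only a few bytes (as in this thread) is not an MBR at all,
        # so say so instead of pretending to parse it.
        $r['Note'] = 'dump is shorter than one 512-byte sector; nothing to parse'
        return [pscustomobject]$r
    }
    $r['Readable']       = $true
    $r['ValidSignature'] = ($Bytes[510] -eq 0x55 -and $Bytes[511] -eq 0xAA)

    # Hash the boot code so it can be compared with a known-good copy; all
    # zeros means the sector carries no boot code at all.
    $bootCode = [byte[]]$Bytes[0..439]
    $r['BootCodeAllZero'] = (@($bootCode | Where-Object { $_ -ne 0 }).Count -eq 0)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $r['BootCodeSha256'] = (($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join '')
    $r['DiskSignature']  = '0x{0:X8}' -f [BitConverter]::ToUInt32($Bytes, 440)

    # Four 16-byte partition entries start at offset 446.
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i
        $type = $Bytes[$o + 4]
        if ($type -eq 0) { continue }          # empty slot
        [pscustomobject]@{
            Slot            = $i + 1
            Bootable        = ($Bytes[$o] -eq 0x80)
            Type            = '0x{0:X2}' -f $type
            # 0xEE is the protective entry a GPT disk keeps so legacy tools see
            # one partition; aswMBR printed this as "00 EE GPT" in the log above.
            IsGptProtective = ($type -eq 0xEE)
            StartLba        = [BitConverter]::ToUInt32($Bytes, $o + 8)
            Sectors         = [BitConverter]::ToUInt32($Bytes, $o + 12)
        }
    }
    $r['Partitions'] = @($parts)
    [pscustomobject]$r
}

# Constructed sample (not a real dump): zero boot code, one protective 0xEE
# entry starting at LBA 1, and a valid 55 AA signature.
$sample = New-Object byte[] 512
$sample[446 + 4] = 0xEE
[BitConverter]::GetBytes([uint32]1).CopyTo($sample, 446 + 8)
[BitConverter]::GetBytes([uint32]::MaxValue).CopyTo($sample, 446 + 12)
$sample[510] = 0x55
$sample[511] = 0xAA

$mbr = Read-Mbr -Bytes $sample
$mbr | Format-List
$mbr.Partitions | Format-Table -AutoSize

# Against the file the tool actually saved (path assumed):
# Read-Mbr -Bytes ([IO.File]::ReadAllBytes("$env:USERPROFILE\Desktop\MBR.dat"))
```

On a GPT disk like the one in the aswMBR log, the interesting part is not the single protective entry but the bootstrap bytes: on a UEFI-booted machine they are often all zero or a stock Windows stub, and a non-zero hash that does not match a known-good MBR from the same Windows build is what would justify the "unknown MBR code" line being looked at more closely.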


#15 falrecon
  • Topic Starter
  • Members
  • 14 posts

Posted 05 January 2014 - 10:08 AM

uhm, I'm gonna do it this coming weekend, school just started, is that okay??