Am I Infected??


29 replies to this topic

#1 Aurifex

Posted 02 March 2014 - 09:55 PM

Hi all,

 

We received an email from, we assumed, Australia Post, notifying us that a parcel could not be left and that a form with details was required to collect the parcel.

 

I followed the prompts and a ZIP folder was downloaded containing a PDF which did not open.

 

So, am I infected??

 

Thanks





#2 Alex&Vanko


Posted 02 March 2014 - 10:05 PM

Do not open, and especially do not download, the content of emails you don't know or expect! Which is your antivirus program?



#3 noknojon


Posted 02 March 2014 - 10:11 PM

Hello -

We received an email from, we assumed, Australia Post, notifying us that a parcel could not be left and that a form with details was required to collect the parcel.

Is there any reason that Australia Post would have your email to begin with ??

This is always the first part of the question you must ask yourself -

The next one is are you having any problems with your computer ??

 

 

First we need to gather some basic information.

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

 

Next -

Please download MiniToolBox to desktop to run it.
Checkmark following boxes:

* List content of Hosts
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Click Go and Copy / Paste the result. (result.txt)

 

 

Next -

Download Malwarebytes' Anti-Malware Free (aka MBAM): to your desktop.
- NOTE - Do not accept the Free Trial Version at this time -
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* NOTE :Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer if requested.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt



#4 Aurifex


Posted 02 March 2014 - 11:22 PM

Hey Alex&Vanko, just running standard Windows antivirus. We usually don't open these but got sucked in by this one.

 

Hi noknojon, thanks for your help. Below are all the notes:

 

Results of screen317's Security Check version 0.99.79  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 25  
 Java version out of Date!
 Adobe Flash Player     12.0.0.70  
 Adobe Reader 10.1.8 Adobe Reader out of Date!  
 Mozilla Firefox (27.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

 

MiniToolBox by Farbar  Version: 23-01-2014
Ran by unknown (administrator) on 03-03-2014 at 14:42:06
Running from "C:\Users\unknown\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================

127.0.0.1       localhost


========================= Event log errors: ===============================

Application errors:
==================
Error: (03/03/2014 02:42:05 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:42:05.895]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:04 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:42:04.395]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:02 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:42:02.895]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:01 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:42:01.395]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:41:59 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:41:59.894]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:41:58 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:41:58.394]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:41:56 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:41:56.894]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:41:55 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:41:55.394]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:41:53 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:41:53.894]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:41:52 PM) (Source: Brother BrLog) (User: )
Description: WDLMW BrtWDLMW: [2014/03/03 14:41:52.394]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2


System errors:
=============
Error: (03/03/2014 02:32:41 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 20. The internal error state is 960.

Error: (03/03/2014 02:32:37 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 20. The internal error state is 960.

Error: (03/03/2014 02:28:40 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 20. The internal error state is 960.

Error: (02/25/2014 06:24:56 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (02/25/2014 09:40:19 AM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.

Error: (02/21/2014 11:45:51 AM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (02/20/2014 10:09:20 PM) (Source: DCOM) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (02/20/2014 03:27:55 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.

Error: (02/15/2014 10:34:56 AM) (Source: DCOM) (User: )
Description: {ED1D0FDF-4414-470A-A56D-CFB68623FC58}

Error: (02/14/2014 05:30:10 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.


Microsoft Office Sessions:
=========================
Error: (03/03/2014 02:42:16 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:16.397]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:14 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:14.897]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:13 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:13.397]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:11 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:11.897]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:10 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:10.395]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:08 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:08.895]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:07 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:07.395]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:05 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:05.895]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:04 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:04.395]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2

Error: (03/03/2014 02:42:02 PM) (Source: Brother BrLog)(User: )
Description: WDLMWBrtWDLMW: [2014/03/03 14:42:02.895]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2


CodeIntegrity Errors:
===================================
  Date: 2011-10-08 12:53:35.786
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\klg.dat because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:53:35.724
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\smumhook.dll because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:40:51.564
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\klg.dat because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:40:51.517
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\smumhook.dll because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:34:32.308
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\klg.dat because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:34:32.261
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\smumhook.dll because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:28:13.216
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\klg.dat because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:28:13.185
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\smumhook.dll because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:13:29.044
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\klg.dat because the set of per-page image hashes could not be found on the system.

  Date: 2011-10-08 12:13:28.993
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Spyware Doctor\smumhook.dll because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

µTorrent (Version: 3.3.0.29625)
µTorrent (Version: 3.3.2.30180)
Adobe AIR (Version: 2.5.1.17730)
Adobe Community Help (Version: 3.0.0)
Adobe Community Help (Version: 3.0.0.400)
Adobe Flash Player 12 ActiveX (Version: 12.0.0.70)
Adobe Flash Player 12 Plugin (Version: 12.0.0.70)
Adobe Media Player (Version: 1.8)
Adobe Reader X (10.1.8) (Version: 10.1.8)
AliSetup 0.1.0.52 (Version: 0.1.0.52)
Apple Application Support (Version: 2.2.2)
Apple Mobile Device Support (Version: 6.0.0.59)
Apple Software Update (Version: 2.1.3.127)
ArcSoft TotalMedia Extreme (Version: 2.0.36.1)
Audio Signal Generator
Bonjour (Version: 3.0.0.10)
Brother MFL-Pro Suite MFC-665CW (Version: 1.0.3.0)
Caplio Software
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
ConvertHelper 2.2
D3DX10 (Version: 15.4.2368.0902)
Free DWG Viewer 7.0 (Version: 7.0.1)
Google Earth Plug-in (Version: 7.1.2.2041)
Google Update Helper (Version: 1.3.22.5)
High-Definition Video Playback 10 (Version: 7.0.11400.29.0)
Internet TV for Windows Media Center (Version: 4.2.2.0)
iTunes (Version: 10.7.0.21)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Junk Mail filter update (Version: 15.4.3502.0922)
K-Lite Mega Codec Pack 8.4.0 (Version: 8.4.0)
LightScribe System Software (Version: 1.18.6.1)
McAfee Security Scan Plus (Version: 3.8.141.11)
Mesh Runtime (Version: 15.4.5722.2)
Messenger Companion (Version: 15.4.3502.0922)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office XP Professional (Version: 10.0.6626.0)
Microsoft Primary Interoperability Assemblies 2005 (Version: 8.0.50727.42)
Microsoft Security Client (Version: 4.4.0304.0)
Microsoft Security Essentials (Version: 4.4.304.0)
Microsoft Silverlight (Version: 5.1.20913.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (Version: 9.0.30729.5570)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
Mozilla Firefox 27.0.1 (x86 en-US) (Version: 27.0.1)
Mozilla Maintenance Service (Version: 27.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT Redists (Version: 1.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MyFreeCodec
Nero 10 Menu TemplatePack Basic (Version: 10.0.10600.6.0)
Nero 10 Movie ThemePack Basic (Version: 10.0.10600.6.0)
Nero BackItUp 10 (Version: 5.4.11600.19.100)
Nero BackItUp 10 Help (CHM) (Version: 1.0.10700)
Nero Burning ROM 10 (Version: 10.0.11100.10.100)
Nero BurningROM 10 Help (CHM) (Version: 1.0.10700)
Nero BurnRights 10 (Version: 4.0.11000.12.100)
Nero BurnRights 10 Help (CHM) (Version: 1.0.10600)
Nero Control Center 10 (Version: 10.0.12000.1.4)
Nero ControlCenter 10 Help (CHM) (Version: 1.0.10700)
Nero Core Components 10 (Version: 2.0.13700.0.1)
Nero CoverDesigner 10 (Version: 5.0.10900.11.100)
Nero CoverDesigner 10 Help (CHM) (Version: 1.0.10600)
Nero DiscCopy Gadget 10 (Version: 3.0.10700.9.100)
Nero DiscCopyGadget 10 Help (CHM) (Version: 1.0.10600)
Nero DiscSpeed 10 (Version: 6.0.10800.7.100)
Nero DiscSpeed 10 Help (CHM) (Version: 1.0.10600)
Nero Dolby Files 10 (Version: 2.0.11000.0.10)
Nero Express 10 (Version: 10.0.11000.10.100)
Nero Express 10 Help (CHM) (Version: 1.0.10700)
Nero InfoTool 10 (Version: 7.0.10800.8.100)
Nero InfoTool 10 Help (CHM) (Version: 1.0.10600)
Nero MediaHub 10 (Version: 1.0.13400.11.100)
Nero MediaHub 10 Help (CHM) (Version: 1.0.10700)
Nero Multimedia Suite 10 (Version: 10.0.13100)
Nero Recode 10 (Version: 4.6.10900.4.100)
Nero Recode 10 Help (CHM) (Version: 1.0.10600)
Nero RescueAgent 10 (Version: 3.0.10900.9.100)
Nero RescueAgent 10 Help (CHM) (Version: 1.0.10700)
Nero SoundTrax 10 (Version: 4.6.10600.2.100)
Nero SoundTrax 10 Help (CHM) (Version: 1.0.10600)
Nero StartSmart 10 (Version: 10.0.11200.12.100)
Nero StartSmart 10 Help (CHM) (Version: 1.0.10700)
Nero Update (Version: 1.0.0017)
Nero Vision 10 (Version: 7.0.11100.8.100)
Nero Vision 10 Help (CHM) (Version: 1.0.10600)
Nero WaveEditor 10 (Version: 5.6.10600.2.100)
Nero WaveEditor 10 Help (CHM) (Version: 1.0.10600)
NetComm 900n Series Wireless LAN (Version: 1.0.2.0)
Orb Runtime libraries (Version: 1.0.0)
PIXresizer 2.0.4
Samsung Kies (Version: 2.1.1.11124_17)
SAMSUNG USB Driver for Mobile Phones (Version: 1.5.6.0)
TradeManager 2011 SP2
Unity Web Player (Version: )
VLC media player 1.1.11 (Version: 1.1.11)
WBFS Manager 3.0 (Version: 3.0)
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (Version: 09/10/2009 02.03.05.012)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live Family Safety (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows Movie Maker 2.6 (Version: 2.6.4037.0)
WinRAR 4.00 (32-bit) (Version: 4.00.0)
Xiph.Org Open Codecs 0.85.17777 (Version: 0.85.17777)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 67%
Total physical RAM: 1790.49 MB
Available physical RAM: 587.32 MB
Total Pagefile: 3580.98 MB
Available Pagefile: 1109.63 MB
Total Virtual: 2047.88 MB
Available Virtual: 1942.87 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:298.09 GB) (Free:209.59 GB) NTFS
3 Drive e: () (Fixed) (Total:465.76 GB) (Free:209.6 GB) NTFS
4 Drive f: (SIL'S USB) (Removable) (Total:3.73 GB) (Free:0.75 GB) FAT32

========================= Users: ========================================

User accounts for \\UNKNOWN-PC

Administrator            Guest                    Mcx1-UNKNOWN-PC          
unknown                  


**** End of log ****
 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.03.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16518
unknown :: UNKNOWN-PC [administrator]

03-Mar-14 2:52:02 PM
mbam-log-2014-03-03 (14-52-02).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 260388
Time elapsed: 15 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 21
C:\ProgramData\ywibizszahas.exe (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-2134969444-2299796119-3524533687-1000\$RA6VB25\Information.exe (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-2134969444-2299796119-3524533687-1000\$RA6VB25\pdf_2ea2f76328a7836c214a55c9caa6a89c.zip (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\$RECYCLE.BIN\S-1-5-21-2134969444-2299796119-3524533687-1000\$RA6VB25\pdf_718681eb5d79cbe0bf8b9d7c049252c4.zip (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\installer.7z (PUP.Optional.Desk365.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\utt27DF.tmp.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\nse1D1A.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\nse779A.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\tsbIkwv3.exe.part (PUP.Optional.OneClickDownloader.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\SPSetup.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\nsp1A9A.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\nsu7539.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\pdf_00d631913ecd12b97d6eec54771280f5.zip (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\Users\unknown\AppData\Local\temp\Rar$EX91.704\Information.exe (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\Windows\temp\nscA567.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Windows\temp\nsmA41.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Windows\temp\nsmD5D8.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Windows\temp\nss9C5.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Windows\temp\nssD5F8.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Windows\temp\nsx3797.exe (PUP.Optional.SearchProtect.A) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\browser\searchplugins\qvo6.xml (PUP.Optional.qvo6.A) -> Quarantined and deleted successfully.

(end)
 

 

Cheers.


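An added example, not part of this thread or of any tool it mentions: a small Python script that looks inside a downloaded ZIP without running anything in it and flags members that are executables dressed up as documents, the pattern the MBAM log above shows (a `pdf_<hash>.zip` that actually held `Information.exe`). The archive and its member bytes are constructed in memory for the demo; the real sample is not reproduced, and the executable-extension list is an assumption, not an exhaustive one.

```python
"""Triage a downloaded ZIP for an executable posing as a document.

Added example, not part of the forum thread or any tool it mentions. The
archive built by build_sample() is constructed in memory so the script runs
offline; the member name "Information.exe" and the outer name pattern
"pdf_<32 hex>.zip" mirror what the MBAM log in the thread reported. The
payload bytes are a dummy DOS header, not the real sample.
"""
import io
import re
import zipfile

# Magic bytes of a Windows PE image and of a real PDF.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"

# Extensions Windows will execute on double-click (assumed list, non-exhaustive).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".vbs", ".jse", ".wsf", ".hta"}


def classify_member(name: str, head: bytes) -> list:
    """Return a list of findings for one archive member (empty = nothing odd)."""
    findings = []
    lower = name.lower()
    stem, sep, ext = lower.rpartition(".")
    ext = "." + ext if sep else ""
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable extension {ext}")
    # 'Invoice.pdf.exe' style: a document extension hidden before the real one
    if ext in EXECUTABLE_EXT and re.search(r"\.(pdf|doc|docx|xls|txt)$", stem):
        findings.append("document extension hidden before executable extension")
    if head.startswith(PE_MAGIC):
        findings.append("content is a PE image (MZ header)")
    if ext == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.append("named .pdf but does not start with %PDF-")
    return findings


def triage_zip(data: bytes, outer_name: str) -> dict:
    """Inspect every member of a ZIP held in memory; nothing is extracted or run."""
    report = {"outer_name": outer_name, "members": {}, "verdict": "clean"}
    if re.fullmatch(r"pdf_[0-9a-f]{32}\.zip", outer_name.lower()):
        report["outer_note"] = ("outer name suggests a document, but only the "
                                "members decide what is inside")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)          # only the magic bytes are needed
            findings = classify_member(info.filename, head)
            report["members"][info.filename] = findings
            if findings:
                report["verdict"] = "suspicious"
    return report


def build_sample() -> bytes:
    """Constructed lure archive: an .exe next to a harmless real PDF stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Dummy bytes with a DOS header only; not a runnable program.
        zf.writestr("Information.exe", b"MZ" + b"\x00" * 62 + b"dummy")
        zf.writestr("Information.pdf", b"%PDF-1.4\n%dummy\n")
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_zip(build_sample(), "pdf_2ea2f76328a7836c214a55c9caa6a89c.zip")
    for member, findings in rep["members"].items():
        print(member, "->", findings or "no findings")
    print("verdict:", rep["verdict"])
```

The check that matters is the content one: a PE image starts with `MZ` whatever it is called, so a renamed `.exe` or a `.pdf` that is not really a PDF is caught without trusting the file name. A real ZIP from a suspect email should be fed to this from a read-only copy and never extracted to the desktop.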

#5 noknojon


Posted 03 March 2014 - 05:18 AM

I would uninstall both of these Torrent versions as they will infect you one day.
µTorrent (Version: 3.3.0.29625)
µTorrent (Version: 3.3.2.30180)

 

AliSetup 0.1.0.52 (did you install this ?) Uninstall from Programs and Features if it is unknown.

 

Java 7 Update 25  Java version out of Date!

Current is Java 7 Update 51
 

 

Malwarebytes scan results show Files Detected: 21

The bad part of these scans is that often it will not tell you when the areas were infected.

Several versions of this Trojan are detected =>
C:\ProgramData\ywibizszahas.exe (Trojan.Inject.ED)
It is a genuine Trojan infection, but simple to remove -

I must ask if you know of a file or program called  ywibizszahas.exe

 

These are also minor infections that are now removed ........
(PUP.Optional.Desk365.A)
(PUP.Optional.Conduit.A)
(PUP.Optional.OneClickDownloader.A)
(PUP.Optional.SearchProtect.A)
 (PUP.Optional.qvo6.A)

 

Please re-run the MBAM scan, but this time after you update it, and please select Full Scan.

 

 

ESET Online Scanner
Run ESET Online Scanner. Please use Internet Explorer as the scanner uses ActiveX.

Read and follow How To Temporarily Disable Your Anti-virus during this scan.
If you will not use Internet Explorer, please see 3-1 & 3-2.
1. Hold down the Control (Ctrl) key and click on This link to open ESET OnlineScan in a new window.
2. Click the Eset online button.
3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
3-1. Click on Esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
3-2. Double click on esetsmartinstaller_enu on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats".
8. Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9. ESET will then download updates for itself, install itself, and begin scanning your computer.
Please be patient as this will take quite some time as it is a deep scan (2 hours is not unusual).
10. When the scan completes, click List Threats.
11. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12. Click the Back button.
13. Click the Finish button.
* NOTE: Sometimes if ESET finds no infections it will not create a log.

 

In  your reply, please include a New MBAM Scan Log

A New Eset Scan Log

If you have any recent computer problems -


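An added example (not code from the thread or from Malwarebytes) for the triage noknojon does by hand in the post above: parse the `path (Family) -> action` lines that MBAM 1.x writes under `Files Detected:` and sort them by family and by where the file sat, so that a Trojan in `C:\ProgramData` stands apart from PUP leftovers in temp folders and from files another tool (AdwCleaner) had already quarantined. The sample log lines are constructed from this thread's logs with shortened paths; the location rules and severity mapping are assumptions for the demo, not Malwarebytes' own categories.

```python
"""Summarise a Malwarebytes (MBAM 1.x) scan log by family and location.

Added example, not part of the forum thread or of Malwarebytes. It parses
the 'path (Family) -> action' lines that MBAM 1.75 writes under 'Files
Detected:'. SAMPLE_LOG is constructed from the thread's two logs with
shortened paths so the script runs offline.
"""
import re
from collections import defaultdict

# MBAM 1.x detection line: <path> (<detection name>) -> <action taken>
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Where on disk the file sat. Assumed rules; order matters, first match wins.
LOCATION_RULES = [
    ("already quarantined by another tool", re.compile(r"\\adwcleaner\\quarantine\\", re.I)),
    ("recycle bin", re.compile(r"\\\$recycle\.bin\\", re.I)),
    ("user temp", re.compile(r"\\appdata\\local\\temp\\", re.I)),
    ("windows temp", re.compile(r"\\windows\\temp\\", re.I)),
    ("programdata (persistence-capable)", re.compile(r"^c:\\programdata\\", re.I)),
    ("browser profile", re.compile(r"\\mozilla firefox\\|\\mozilla\\firefox\\", re.I)),
    ("user files / downloads", re.compile(r"\\desktop\\|\\utorrent\\", re.I)),
]


def severity(name: str) -> str:
    """Map the prefix of an MBAM detection name to a coarse priority (assumed mapping)."""
    prefix = name.split(".", 1)[0].lower()
    if prefix == "trojan":
        return "malware"
    if prefix in ("pup", "pum"):
        return "unwanted program"
    if prefix == "riskware":
        return "riskware (e.g. cracks/activators)"
    return "other"


def locate(path: str) -> str:
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def parse_log(text: str) -> list:
    """Return one dict per detection line; header and summary lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "path": m["path"],
            "name": m["name"],
            "action": m["action"],
            "severity": severity(m["name"]),
            "location": locate(m["path"]),
        })
    return hits


def summarise(hits: list) -> dict:
    """Count detections per (severity, family); list malware that sat somewhere it could still run."""
    by_family = defaultdict(int)
    live_malware = []
    for h in hits:
        by_family[(h["severity"], h["name"])] += 1
        if h["severity"] == "malware" and h["location"] not in (
                "already quarantined by another tool", "recycle bin"):
            live_malware.append(h["path"])
    return {"by_family": dict(by_family), "live_malware": live_malware}


# Constructed sample, modelled on the thread's logs (paths shortened).
SAMPLE_LOG = """\
Files Detected: 6
C:\\ProgramData\\ywibizszahas.exe (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\\$RECYCLE.BIN\\S-1-5-21-1000\\$RA6VB25\\Information.exe (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\\Users\\unknown\\AppData\\Local\\temp\\pdf_00d631913ecd12b97d6eec54771280f5.zip (Trojan.Inject.ED) -> Quarantined and deleted successfully.
C:\\Users\\unknown\\AppData\\Local\\temp\\nse1D1A.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\\AdwCleaner\\Quarantine\\C\\Program Files\\Searchprotect\\Main\\bin\\CltMngSvc.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\\Users\\unknown\\Desktop\\Office 2010 Toolkit\\Office 2010 Toolkit.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
(end)
"""

if __name__ == "__main__":
    result = summarise(parse_log(SAMPLE_LOG))
    for (sev, fam), n in sorted(result["by_family"].items()):
        print(f"{n:3d}  {sev:<35} {fam}")
    print("malware outside quarantine/recycle bin:")
    for p in result["live_malware"]:
        print("  ", p)
```

The point of the location column is the one noknojon makes: a detection inside `C:\AdwCleaner\Quarantine\` is a leftover from an earlier cleanup, not a new infection, while a Trojan dropped into `C:\ProgramData` with a random name is the one to worry about and the one whose arrival time is worth matching against the email.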

#6 Aurifex


Posted 03 March 2014 - 09:12 PM

Thanks noknojon,

 

I've uninstalled uTorrent. Can you recommend an alternative?

 

I've also uninstalled AliSetup 0.1.0.52; it must have something to do with Aliexpress or Alibaba.com.

 

I've updated Java.

 

I don't know anything about ywibizszahas.exe.

 

Here are the new results:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.03.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16518
unknown :: UNKNOWN-PC [administrator]

04-Mar-14 7:43:21 AM
mbam-log-2014-03-04 (07-43-21).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 400254
Time elapsed: 1 hour(s), 17 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 19
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\CltMngSvc.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\SPTool.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\SPtool.dll_1380232322561.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\SPtool.dll_1381104261856.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\SPtool.dll_1381104261871.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\Main\bin\uninstall.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\cltmng.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPTool64.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC32.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC32Loader.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC64.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\SearchProtect\bin\SPVC64Loader.dll.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Program Files\Searchprotect\UI\bin\cltmngui.exe.vir (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Users\unknown\AppData\Local\Temp\Desk365\eInstall\eInstall.exe.vir (PUP.Optional.Desk365.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Users\unknown\AppData\Local\Temp\eIntaller\49DA0DFEBA4F496dB56AF32A32888D40\Desk365.exe.vir (PUP.Optional.Desk365.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Users\unknown\AppData\Local\Temp\eIntaller\49DA0DFEBA4F496dB56AF32A32888D40\eXQ.exe.vir (PUP.Optional.Wilsys.A) -> Quarantined and deleted successfully.
C:\AdwCleaner\Quarantine\C\Users\unknown\AppData\Roaming\Desk 365\components\component_libcef_1.1364.1123.exe.vir (PUP.Optional.Desk365.A) -> Quarantined and deleted successfully.
C:\Users\unknown\Desktop\microsoft office\Microsoft Office Enterprise 2010 Corporate\Microsoft Office Enterprise 2010 Corporate\Office 2010 Toolkit\Office 2010 Toolkit.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\Utorrent\Downloadng finished\Sony.Vegas.Pro.10.x86-x64.Cracked-Torrentleech\Sony.Vegas.Pro.10.x86-x64.Cracked-Torrentleech.r12 (Trojan.Agent.CK) -> Quarantined and deleted successfully.

(end)
 

 

C:\ProgramData\inyv\yxalixyl.exe    Win32/Spy.Hesperbot.J trojan    
C:\Users\All Users\inyv\yxalixyl.exe    Win32/Spy.Hesperbot.J trojan    
C:\AdwCleaner\Backup\C\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\58o0499p.default\prefs_14_10_2013_11_35_47.js    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Desk 365\deskSvc.exe.vir    a variant of Win32/ELEX.Y potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\unknown\AppData\Local\Temp\Desk365\Desk_365\DeskSvc.exe.vir    a variant of Win32/ELEX.Y potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\58o0499p.default\user.js.vir    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\Users\unknown\AppData\Roaming\Mozilla\Firefox\Profiles\58o0499p.default\prefs.js    JS/SecurityDisabler.A.Gen potentially unwanted application    deleted - quarantined
C:\Users\unknown\Desktop\microsoft office\Microsoft Office Enterprise 2010 Corporate.zip    a variant of MSIL/HackKMS.A potentially unsafe application    deleted - quarantined
E:\Utorrent\Downloadng finished\New folder\Microsoft Office Enterprise 2010 Corporate.zip    a variant of MSIL/HackKMS.A potentially unsafe application    deleted - quarantined
Operating memory    multiple threats    
Cheers



#7 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:04:32 AM

Posted 04 March 2014 - 05:38 AM

Hi Mate -

It is a bit confusing unless you have some rough idea of the email opening time (I have given 2 options) ........

Remember that the email may have just been useless ...........

Event log errors: -
Application errors:
==================

Your 10 Errors are Description: WDLMW BrtWDLMW: [2014/03/03 14:42:05.895]: [00003216]: lperrcode->api = 1 , lperrcode->code = 2
Note the Time and Date - 03/03/2014 02:41:53 PM - Is this related to the email ??

Your System errors:
=============
Description: The following fatal alert was generated: 20. The internal error state is 960.
Note the Time and Date - 03/03/2014 - 02:32:41 PM
There are 3 of these and they are very similar to the Application errors in time.

I've uninstalled uTorrent. Can you recommend an alternative?

The reason that I ask you to uninstall the Torrent programs is listed here =>
http://www.cybertechhelp.com/forums/showthread.php?t=189705

All forums (including here) have a link like this and it is not unusual to ask for you to uninstall it.
If you wish to reinstall later, that is your choice, but I have never used a Torrent site -

This line from Malwarebytes Scan shows that you downloaded illegal software =>
E:\Utorrent\Downloadng finished\Sony.Vegas.Pro.10.x86-x64.Cracked-Torrentleech\Sony.Vegas.Pro.10.x86-x64.Cracked-Torrentleech.r12 (Trojan.Agent.CK)
Note that it also carried an infection.

Now click Here and download the installer for Gmer to your desktop, then click that file to run Gmer.

(before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

Once the opening scan finishes, click on Scan.

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

*** If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please. ***
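As an added example (not code from this thread and not part of GMER), here is a small triage helper for the "User code sections" block a GMER 2.1 scan like the one requested above produces: it parses each hook line, groups hooked APIs by process, and separates JMPs that GMER attributed to a module on disk from those it could not. The line layout it expects is my reading of GMER 2.1 output; the sample log, process names, PIDs and addresses are constructed.

```python
"""Triage helper for the "User code sections" block of a GMER 2.1 log.
Added example, not part of this thread or of GMER. Sample input is constructed;
process names, PIDs and addresses below are made up."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in GMER's one-hook-per-line layout (column padding collapsed).
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----
.text  C:\Windows\Explorer.EXE[456] USER32.dll!GetMessageA  76C81899 5 Bytes  JMP 03C818C0
.text  C:\Windows\Explorer.EXE[456] USER32.dll!TranslateMessage  76C864C7 5 Bytes  JMP 03C81800
.text  C:\Windows\system32\taskhost.exe[1868] USER32.dll!GetMessageA  76C81899 5 Bytes  JMP 022818C0
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3132] kernel32.dll!QueryPerformanceCounter + 13  76FAC425 7 Bytes  JMP 532B0455 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3132] USER32.dll!GetMessageA  76C81899 5 Bytes  JMP 014D18C0
.text  C:\Program Files\Samsung\Kies\KiesPDLR.exe[3620] ntdll.dll!DbgUiRemoteBreakin  7737F1D3 1 Byte  [C3]
.text  C:\Program Files\Samsung\Kies\KiesPDLR.exe[3620] USER32.dll!GetMessageA  76C81899 5 Bytes  JMP 004718C0
"""

# <section> <process>[<pid>] <module>!<symbol>[ + <off>] <address> <n> Byte(s) <patch>
LINE_RE = re.compile(
    r"^(?P<section>\.\w+)\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)
# "JMP <target>", optionally followed by the module GMER mapped the target to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<owner>\S.*))?$")


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    symbol: str
    address: int
    patch: str
    jmp_target: Optional[int]  # None for a raw byte write such as [C3]
    owner: Optional[str]       # module GMER attributed the JMP target to, if any

    @property
    def api(self) -> str:
        return f"{self.module}!{self.symbol}"

    @property
    def unattributed_jmp(self) -> bool:
        # JMP into memory GMER could not map to a file on disk.
        return self.jmp_target is not None and self.owner is None


def parse_user_hooks(text: str) -> list:
    """One Hook per recognised line; headers, blanks and kernel lines are skipped."""
    hooks = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        j = JMP_RE.match(m["patch"])
        hooks.append(Hook(
            process=m["process"].strip(), pid=int(m["pid"]),
            module=m["module"], symbol=m["symbol"],
            address=int(m["address"], 16), patch=m["patch"],
            jmp_target=int(j["target"], 16) if j else None,
            owner=j["owner"].strip() if j and j["owner"] else None,
        ))
    return hooks


def hooks_by_api(hooks: list) -> dict:
    """Map each hooked API to the sorted PIDs in which it is hooked."""
    grouped = defaultdict(set)
    for h in hooks:
        grouped[h.api].add(h.pid)
    return {api: sorted(pids) for api, pids in grouped.items()}


def unattributed_jmps(hooks: list) -> list:
    """Hooks whose JMP target GMER printed without a module path: review first."""
    return [h for h in hooks if h.unattributed_jmp]


def apis_hooked_in_every_process(hooks: list) -> list:
    """APIs patched in every listed process, i.e. a system-wide hook. A product
    normally hooks only its own processes, so these need an explanation."""
    all_pids = {h.pid for h in hooks}
    return sorted(api for api, pids in hooks_by_api(hooks).items() if set(pids) == all_pids)


def triage_report(text: str) -> str:
    """Plain-text summary an analyst can read alongside the raw log."""
    hooks = parse_user_hooks(text)
    n_proc = len({h.pid for h in hooks})
    lines = [f"{len(hooks)} hooks in {n_proc} processes",
             "system-wide: " + (", ".join(apis_hooked_in_every_process(hooks)) or "none")]
    for h in unattributed_jmps(hooks):
        lines.append(f"review {h.process}[{h.pid}] {h.api} -> {h.jmp_target:08X}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_LOG))
```

An API rewritten identically in every process with a target GMER cannot name is the entry to explain first; a JMP into a product's own DLL (the xul.dll lines here) is the usual benign case.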



#8 Aurifex

Aurifex
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  • Local time:05:32 AM

Posted 04 March 2014 - 06:46 PM

Hi, those times of the Australia Post emails were pretty spot on.

Here is the GMER log:

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-05 09:28:47
Windows 6.1.7601 Service Pack 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3320620A rev.3.AAC 298.09GB
Running: jh0vxwq9.exe; Driver: C:\Users\unknown\AppData\Local\Temp\uwdiafog.sys


---- Kernel code sections - GMER 2.1 ----

.text                                                                                                                                 ntkrnlpa.exe!ZwRollbackEnlistment + 142D                                                                                                                                                              82E7DA15 1 Byte  [06]
.text                                                                                                                                 ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                                                                                                                82EB7212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?                                                                                                                                     System32\drivers\tyjenyj.sys                                                                                                                                                                          The system cannot find the path specified. !
.text                                                                                                                                 C:\Windows\system32\drivers\atikmdag.sys                                                                                                                                                              section is writeable [0x8F830000, 0x227A14, 0xE8000020]
.text                                                                                                                                 C:\Windows\system32\drivers\hardlock.sys                                                                                                                                                              section is writeable [0x9EA2D400, 0x7960C, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9EACF420]  C:\Windows\system32\drivers\hardlock.sys                                                                                                                                                              entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x9EACF420]
.protectÿÿÿÿhardlockunknown last code section [0x9EACF200, 0x5049, 0xE0000020]                                                        C:\Windows\system32\drivers\hardlock.sys                                                                                                                                                              unknown last code section [0x9EACF200, 0x5049, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text                                                                                                                                 C:\Windows\Explorer.EXE[456] USER32.dll!GetMessageA                                                                                                                                                   76C81899 5 Bytes  JMP 03C818C0
.text                                                                                                                                 C:\Windows\Explorer.EXE[456] USER32.dll!TranslateMessage                                                                                                                                              76C864C7 5 Bytes  JMP 03C81800
.text                                                                                                                                 C:\Windows\Explorer.EXE[456] USER32.dll!GetMessageW                                                                                                                                                   76C8CDE8 5 Bytes  JMP 03C81990
.text                                                                                                                                 C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[868] USER32.dll!GetMessageA                                                                                                             76C81899 5 Bytes  JMP 006C18C0
.text                                                                                                                                 C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[868] USER32.dll!TranslateMessage                                                                                                        76C864C7 5 Bytes  JMP 006C1800
.text                                                                                                                                 C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[868] USER32.dll!GetMessageW                                                                                                             76C8CDE8 5 Bytes  JMP 006C1990
.text                                                                                                                                 C:\Windows\system32\taskhost.exe[1868] USER32.dll!GetMessageA                                                                                                                                         76C81899 5 Bytes  JMP 022818C0
.text                                                                                                                                 C:\Windows\system32\taskhost.exe[1868] USER32.dll!TranslateMessage                                                                                                                                    76C864C7 5 Bytes  JMP 02281800
.text                                                                                                                                 C:\Windows\system32\taskhost.exe[1868] USER32.dll!GetMessageW                                                                                                                                         76C8CDE8 5 Bytes  JMP 02281990
.text                                                                                                                                 C:\Windows\system32\Dwm.exe[2008] USER32.dll!GetMessageA                                                                                                                                              76C81899 5 Bytes  JMP 01C318C0
.text                                                                                                                                 C:\Windows\system32\Dwm.exe[2008] USER32.dll!TranslateMessage                                                                                                                                         76C864C7 5 Bytes  JMP 01C31800
.text                                                                                                                                 C:\Windows\system32\Dwm.exe[2008] USER32.dll!GetMessageW                                                                                                                                              76C8CDE8 5 Bytes  JMP 01C31990
.text                                                                                                                                 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2028] USER32.dll!GetMessageA                                                                                                                  76C81899 5 Bytes  JMP 00D618C0
.text                                                                                                                                 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2028] USER32.dll!TranslateMessage                                                                                                             76C864C7 5 Bytes  JMP 00D61800
.text                                                                                                                                 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2028] USER32.dll!GetMessageW                                                                                                                  76C8CDE8 5 Bytes  JMP 00D61990
.text                                                                                                                                 C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[3100] USER32.dll!GetMessageA                                                                                                                           76C81899 5 Bytes  JMP 005E18C0
.text                                                                                                                                 C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[3100] USER32.dll!TranslateMessage                                                                                                                      76C864C7 5 Bytes  JMP 005E1800
.text                                                                                                                                 C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe[3100] USER32.dll!GetMessageW                                                                                                                           76C8CDE8 5 Bytes  JMP 005E1990
.text                                                                                                                                 C:\Program Files\Mozilla Firefox\firefox.exe[3132] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D                                                                                                      76FA941E 7 Bytes  JMP 532B049D C:\Program Files\Mozilla Firefox\xul.dll
.text                                                                                                                                 C:\Program Files\Mozilla Firefox\firefox.exe[3132] kernel32.dll!QueryPerformanceCounter + 13                                                                                                          76FAC425 7 Bytes  JMP 532B0455 C:\Program Files\Mozilla Firefox\xul.dll
.text                                                                                                                                 C:\Program Files\Mozilla Firefox\firefox.exe[3132] kernel32.dll!LoadAppInitDlls + 355                                                                                                                 76FAF4E6 7 Bytes  JMP 52EC5A06 C:\Program Files\Mozilla Firefox\xul.dll
.text                                                                                                                                 C:\Program Files\Mozilla Firefox\firefox.exe[3132] USER32.dll!GetMessageA                                                                                                                             76C81899 5 Bytes  JMP 014D18C0
.text                                                                                                                                 C:\Program Files\Mozilla Firefox\firefox.exe[3132] USER32.dll!TranslateMessage                                                                                                                        76C864C7 5 Bytes  JMP 014D1800
.text                                                                                                                                 C:\Program Files\Mozilla Firefox\firefox.exe[3132] USER32.dll!GetMessageW                                                                                                                             76C8CDE8 5 Bytes  JMP 014D1990
.text                                                                                                                                 C:\Program Files\Mozilla Firefox\firefox.exe[3132] GDI32.dll!GetViewportOrgEx + 26C                                                                                                                   7679884B 7 Bytes  JMP 532B04C4 C:\Program Files\Mozilla Firefox\xul.dll
.text                                                                                                                                 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[3288] USER32.dll!GetMessageA                                                                                                                           76C81899 5 Bytes  JMP 022518C0
.text                                                                                                                                 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[3288] USER32.dll!TranslateMessage                                                                                                                      76C864C7 5 Bytes  JMP 02251800
.text                                                                                                                                 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe[3288] USER32.dll!GetMessageW                                                                                                                           76C8CDE8 5 Bytes  JMP 02251990
.text                                                                                                                                 C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3296] USER32.dll!GetMessageA                                                                                                                  76C81899 5 Bytes  JMP 021218C0
.text                                                                                                                                 C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3296] USER32.dll!TranslateMessage                                                                                                             76C864C7 5 Bytes  JMP 02121800
.text                                                                                                                                 C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe[3296] USER32.dll!GetMessageW                                                                                                                  76C8CDE8 5 Bytes  JMP 02121990
.text                                                                                                                                 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3316] USER32.dll!GetMessageA                                                                                                76C81899 5 Bytes  JMP 003B18C0
.text                                                                                                                                 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3316] USER32.dll!TranslateMessage                                                                                           76C864C7 5 Bytes  JMP 003B1800
.text                                                                                                                                 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[3316] USER32.dll!GetMessageW                                                                                                76C8CDE8 5 Bytes  JMP 003B1990
.text                                                                                                                                 C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3360] USER32.dll!GetMessageA                                                                                                                          76C81899 5 Bytes  JMP 019418C0
.text                                                                                                                                 C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3360] USER32.dll!TranslateMessage                                                                                                                     76C864C7 5 Bytes  JMP 01941800
.text                                                                                                                                 C:\Program Files\Samsung\Kies\KiesTrayAgent.exe[3360] USER32.dll!GetMessageW                                                                                                                          76C8CDE8 5 Bytes  JMP 01941990
.text                                                                                                                                 C:\Program Files\Microsoft Security Client\msseces.exe[3380] USER32.dll!GetMessageA                                                                                                                   76C81899 5 Bytes  JMP 009518C0
.text                                                                                                                                 C:\Program Files\Microsoft Security Client\msseces.exe[3380] USER32.dll!TranslateMessage                                                                                                              76C864C7 5 Bytes  JMP 00951800
.text                                                                                                                                 C:\Program Files\Microsoft Security Client\msseces.exe[3380] USER32.dll!GetMessageW                                                                                                                   76C8CDE8 5 Bytes  JMP 00951990
.text                                                                                                                                 C:\Program Files\iTunes\iTunesHelper.exe[3400] USER32.dll!GetMessageA                                                                                                                                 76C81899 5 Bytes  JMP 012118C0
.text                                                                                                                                 C:\Program Files\iTunes\iTunesHelper.exe[3400] USER32.dll!TranslateMessage                                                                                                                            76C864C7 5 Bytes  JMP 01211800
.text                                                                                                                                 C:\Program Files\iTunes\iTunesHelper.exe[3400] USER32.dll!GetMessageW                                                                                                                                 76C8CDE8 5 Bytes  JMP 01211990
.text                                                                                                                                 C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[3460] USER32.dll!GetMessageA                                                                                                                     76C81899 5 Bytes  JMP 014518C0
.text                                                                                                                                 C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[3460] USER32.dll!TranslateMessage                                                                                                                76C864C7 5 Bytes  JMP 01451800
.text                                                                                                                                 C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[3460] USER32.dll!GetMessageW                                                                                                                     76C8CDE8 5 Bytes  JMP 01451990
.text                                                                                                                                 C:\Program Files\Common Files\Java\Java Update\jusched.exe[3492] USER32.dll!GetMessageA                                                                                                               76C81899 5 Bytes  JMP 003C18C0
.text                                                                                                                                 C:\Program Files\Common Files\Java\Java Update\jusched.exe[3492] USER32.dll!TranslateMessage                                                                                                          76C864C7 5 Bytes  JMP 003C1800
.text                                                                                                                                 C:\Program Files\Common Files\Java\Java Update\jusched.exe[3492] USER32.dll!GetMessageW                                                                                                               76C8CDE8 5 Bytes  JMP 003C1990
.text                                                                                                                                 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3584] USER32.dll!GetMessageA                                                                                                    76C81899 5 Bytes  JMP 003918C0
.text                                                                                                                                 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3584] USER32.dll!TranslateMessage                                                                                               76C864C7 5 Bytes  JMP 00391800
.text                                                                                                                                 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[3584] USER32.dll!GetMessageW                                                                                                    76C8CDE8 5 Bytes  JMP 00391990
.text                                                                                                                                 C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3620] ntdll.dll!DbgUiRemoteBreakin                                                                                                 7737F1D3 1 Byte  [C3]
.text                                                                                                                                 C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3620] USER32.dll!GetMessageA                                                                                                       76C81899 5 Bytes  JMP 004718C0
.text                                                                                                                                 C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3620] USER32.dll!TranslateMessage                                                                                                  76C864C7 5 Bytes  JMP 00471800
.text                                                                                                                                 C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3620] USER32.dll!GetMessageW                                                                                                       76C8CDE8 5 Bytes  JMP 00471990
.text                                                                                                                                 C:\Program Files\Samsung\Kies\Kies.exe[3704] USER32.dll!GetMessageA                                                                                                                                   76C81899 5 Bytes  JMP 006918C0
.text                                                                                                                                 C:\Program Files\Samsung\Kies\Kies.exe[3704] USER32.dll!TranslateMessage                                                                                                                              76C864C7 5 Bytes  JMP 00691800
.text                                                                                                                                 C:\Program Files\Samsung\Kies\Kies.exe[3704] USER32.dll!GetMessageW                                                                                                                                   76C8CDE8 5 Bytes  JMP 00691990
.text                                                                                                                                 C:\Program Files\Caplio Software\RGateLXP.exe[3728] USER32.dll!GetMessageA                                                                                                                            76C81899 5 Bytes  JMP 007D18C0
.text                                                                                                                                 C:\Program Files\Caplio Software\RGateLXP.exe[3728] USER32.dll!TranslateMessage                                                                                                                       76C864C7 5 Bytes  JMP 007D1800
.text                                                                                                                                 C:\Program Files\Caplio Software\RGateLXP.exe[3728] USER32.dll!GetMessageW                                                                                                                            76C8CDE8 5 Bytes  JMP 007D1990
.text                                                                                                                                 C:\Program Files\NetComm\Common\RaUI.exe[3732] USER32.dll!GetMessageA                                                                                                                                 76C81899 5 Bytes  JMP 01A218C0
#9 Aurifex

Aurifex
  • Topic Starter
  • Members
  • 58 posts
  • OFFLINE
  • Local time:05:32 AM

Posted 04 March 2014 - 06:47 PM

GMER continued. Would not all fit on the one post.

.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SetStretchBltMode                                                                                                  76797705 5 Bytes  JMP 002406B0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetCurrentObject                                                                                                   76797917 5 Bytes  JMP 00240370
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextMetricsW                                                                                                    76797B8F 5 Bytes  JMP 00240E30
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextAlign                                                                                                       76797DAF 5 Bytes  JMP 00240D70
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!IntersectClipRect                                                                                                  76797DFE 5 Bytes  JMP 002403F0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!ExtTextOutW                                                                                                        76798192 5 Bytes  JMP 00240970
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SetTextAlign                                                                                                       7679828E 5 Bytes  JMP 002409F0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetClipBox                                                                                                         76798525 5 Bytes  JMP 00240330
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!MoveToEx                                                                                                           76798C21 5 Bytes  JMP 00240470
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!StretchDIBits                                                                                                      7679A53E 5 Bytes  JMP 00240770
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!RestoreDC                                                                                                          7679A67B 5 Bytes  JMP 00240530
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SaveDC                                                                                                             7679A74B 5 Bytes  JMP 00240570
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextExtentPoint32W                                                                                              7679B4B5 5 Bytes  JMP 00240670
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextFaceW                                                                                                       7679B73A 2 Bytes  JMP 00240D30
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextFaceW + 3                                                                                                   7679B73D 2 Bytes  [AA, 89]
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetFontData                                                                                                        7679BCC4 5 Bytes  JMP 00240C70
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SetWorldTransform                                                                                                  7679C90A 5 Bytes  JMP 002406F0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!CreateDCA                                                                                                          7679CCA9 5 Bytes  JMP 002400B0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!CreateDCW                                                                                                          7679CF79 5 Bytes  JMP 002400F0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!CreateICW                                                                                                          7679CFD0 5 Bytes  JMP 00240130
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextMetricsA                                                                                                    7679D0F2 5 Bytes  JMP 00240DF0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!Rectangle                                                                                                          7679F1FF 5 Bytes  JMP 002409B0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!LineTo                                                                                                             7679F59B 5 Bytes  JMP 00240430
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SetICMMode                                                                                                         7679FAA4 5 Bytes  JMP 00240DB0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!ExtTextOutA                                                                                                        767A0D20 5 Bytes  JMP 00240930
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextExtentPoint32A                                                                                              767A117F 5 Bytes  JMP 00240630
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!ExtEscape                                                                                                          767A2D49 5 Bytes  JMP 002402B0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!Escape                                                                                                             767A3400 5 Bytes  JMP 00240270
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!ResetDCW                                                                                                           767A3A9B 5 Bytes  JMP 00240AB0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!EndPage                                                                                                            767A40DA 5 Bytes  JMP 00240230
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SetPolyFillMode                                                                                                    767A67E1 5 Bytes  JMP 00240B30
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SetMiterLimit                                                                                                      767A699D 5 Bytes  JMP 00240B70
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetTextFaceA                                                                                                       767B0D22 5 Bytes  JMP 00240CF0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!GetGlyphOutlineW                                                                                                   767BC2DA 5 Bytes  JMP 00240CB0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!CreateScalableFontResourceW                                                                                        767BE937 5 Bytes  JMP 00240BB0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!AddFontResourceW                                                                                                   767BED33 5 Bytes  JMP 00240BF0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!RemoveFontResourceW                                                                                                767BF229 5 Bytes  JMP 00240C30
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!AbortDoc                                                                                                           767C4E29 5 Bytes  JMP 00240030
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!EndDoc                                                                                                             767C5270 5 Bytes  JMP 002401F0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!StartPage                                                                                                          767C535B 5 Bytes  JMP 00240730
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!StartDocW                                                                                                          767C5D76 5 Bytes  JMP 002407F0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!BeginPath                                                                                                          767C651D 5 Bytes  JMP 00240830
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!SelectClipPath                                                                                                     767C6574 5 Bytes  JMP 00240AF0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!CloseFigure                                                                                                        767C65CF 5 Bytes  JMP 00240070
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!EndPath                                                                                                            767C6626 5 Bytes  JMP 00240A70
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!StrokePath                                                                                                         767C6859 5 Bytes  JMP 002407B0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!FillPath                                                                                                           767C68E6 5 Bytes  JMP 00240870
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!PolylineTo                                                                                                         767C6D54 5 Bytes  JMP 002404F0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!PolyBezierTo                                                                                                       767C6DE5 5 Bytes  JMP 002404B0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] GDI32.dll!PolyDraw                                                                                                           767C6E97 5 Bytes  JMP 002408B0
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] ole32.dll!OleSetClipboard                                                                                                    76410045 5 Bytes  JMP 00260030
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] ole32.dll!OleIsCurrentClipboard                                                                                              764136B2 5 Bytes  JMP 00260070
.text                                                                                                                                 C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe[7156] ole32.dll!OleGetClipboard                                                                                                    7643FDCD 5 Bytes  JMP 002600B0
.text                                                                                                                                 C:\Program Files\Apple Software Update\SoftwareUpdate.exe[8164] user32.DLL!GetMessageA                                                                                                                76C81899 5 Bytes  JMP 018818C0
.text                                                                                                                                 C:\Program Files\Apple Software Update\SoftwareUpdate.exe[8164] user32.DLL!TranslateMessage                                                                                                           76C864C7 5 Bytes  JMP 01881800
.text                                                                                                                                 C:\Program Files\Apple Software Update\SoftwareUpdate.exe[8164] user32.DLL!GetMessageW                                                                                                                76C8CDE8 5 Bytes  JMP 01881990

---- User IAT/EAT - GMER 2.1 ----
IAT                                                                                                                                   C:\Windows\explorer.exe[3740] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI]                                                                                                              [73E5E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT                                                                                                                                   C:\Windows\explorer.exe[3740] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage]                                                                                                                  [73E54C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice                                                                                                                        \FileSystem\fastfat \Fat                                                                                                                                                                              fltmgr.sys

---- Registry - GMER 2.1 ----

Reg                                                                                                                                   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdLow                                                                                                                 -483646460
Reg                                                                                                                                   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@NextDetectionTime                                                                                                            2014-03-04 17:03:03
Reg                                                                                                                                   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect@LastSuccessTime                                                                                               2014-03-03 19:54:11
Reg                                                                                                                                   HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@E:\Utorrent\Downloadng finished\\x2623 Sony Vegas\x2122 Pro 11 (32bit & 64 bit) incl Patch By Exµ  1

---- EOF - GMER 2.1 ----



#10 noknojon

Posted 05 March 2014 - 04:46 AM

Just one last scan, as I think we have most of your problems.

(This is much shorter)

Please remove any USB or external drives from the computer before you run this scan!

Please download RogueKiller to your desktop to run it.

For Windows XP, double-click to start.
For Vista or Windows 7, right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Just post back the report which should be located on your desktop.

Also please tell me (since the email) if you have noticed any problems yet -



#11 Aurifex (Topic Starter)

Posted 05 March 2014 - 05:35 PM

Hi, I haven't noticed any problems.

Here is the report:

RogueKiller V8.8.10 [Feb 28 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : unknown [Admin rights]
Mode : Scan -- Date : 03/06/2014 09:06:47
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\Run : jkebumps ("C:\ProgramData\ilin\ivaragyj.exe" [-]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] IAT @explorer.exe (TranslateMessage) : USER32.dll -> HOOKED (Unknown @ 0x03C81800)
[Inline] IAT @explorer.exe (GetMessageW) : USER32.dll -> HOOKED (Unknown @ 0x03C81990)
[Inline] EAT @explorer.exe (GetMessageA) : USER32.dll -> HOOKED (Unknown @ 0x03C818C0)
[Inline] EAT @explorer.exe (GetMessageW) : USER32.dll -> HOOKED (Unknown @ 0x03C81990)
[Inline] EAT @explorer.exe (TranslateMessage) : USER32.dll -> HOOKED (Unknown @ 0x03C81800)
[Inline] EAT @explorer.exe (RegCreateKeyExW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x767F407E)
[Inline] EAT @explorer.exe (RegEnumKeyW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x767F43DB)
[Inline] EAT @explorer.exe (RegOpenKeyExW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x767F460D)
[Inline] EAT @explorer.exe (RegQueryValueExW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x767F462D)
[Inline] EAT @explorer.exe (RegisterClipboardFormatW) : pkmws.dll -> HOOKED (C:\Windows\system32\USER32.dll @ 0x76C7DF8D)
[Inline] IAT @explorer.exe (TranslateMessage) : USER32.dll -> HOOKED (Unknown @ 0x00211800)
[Inline] IAT @explorer.exe (GetMessageW) : USER32.dll -> HOOKED (Unknown @ 0x00211990)
[Inline] EAT @explorer.exe (GetMessageA) : USER32.dll -> HOOKED (Unknown @ 0x002118C0)
[Inline] EAT @explorer.exe (GetMessageW) : USER32.dll -> HOOKED (Unknown @ 0x00211990)
[Inline] EAT @explorer.exe (TranslateMessage) : USER32.dll -> HOOKED (Unknown @ 0x00211800)
[Inline] EAT @firefox.exe (CERT_VerifyCert) : nss3.dll -> HOOKED (Unknown @ 0x020E25C1)
[Inline] EAT @firefox.exe (CERT_VerifyCertName) : nss3.dll -> HOOKED (Unknown @ 0x020E25C1)
[Inline] EAT @firefox.exe (CERT_VerifyCertNow) : nss3.dll -> HOOKED (Unknown @ 0x020E25C1)
[Inline] EAT @firefox.exe (CERT_VerifyCertificate) : nss3.dll -> HOOKED (Unknown @ 0x020E25C1)
[Inline] EAT @firefox.exe (CERT_VerifyCertificateNow) : nss3.dll -> HOOKED (Unknown @ 0x020E25C1)
[Inline] EAT @firefox.exe (GetMessageA) : USER32.dll -> HOOKED (Unknown @ 0x021218C0)
[Inline] EAT @firefox.exe (GetMessageW) : USER32.dll -> HOOKED (Unknown @ 0x02121990)
[Inline] EAT @firefox.exe (TranslateMessage) : USER32.dll -> HOOKED (Unknown @ 0x02121800)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG HD502HI ATA Device +++++
--- User ---
[MBR] 533a2be982a5e5d02b5cf40d7ff1366c
[BSP] 39b116660e7d1712c8f0052f1db14eb4 : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476936 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST3320620A ATA Device +++++
--- User ---
[MBR] 457c2d0281d8bc354b42cf7462638c69
[BSP] 3b599f7c1ad899e447a02ed0774615eb : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_03062014_090647.txt >>
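The hook section of the RogueKiller report above is the part a responder reads first, and the way to read it is by jump target: a hook whose target is "Unknown" lands in memory that no module on disk backs (the signature of injected code), while one that resolves into a DLL under System32 is usually just an export forwarded to a Microsoft library. The small triage script below is an added example, not RogueKiller's own code and not anything posted in the thread; it parses a constructed subset of the report lines quoted above, separates unbacked hooks from module-backed ones, points out that one address is servicing several NSS certificate-verification exports in firefox.exe (which undermines the browser's TLS validation), and pulls out the Run entry that RogueKiller tagged as a suspicious path. The function names (`triage`, `classify_hook`, `parse_hooks`, `parse_suspicious_autoruns`) and the line-format assumptions in the regular expressions are mine.

```python
import re
from collections import Counter

# Constructed sample: a subset of the lines from the RogueKiller report quoted in the
# thread above, embedded here so the triage runs offline.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKLM\[...]\Run : jkebumps ("C:\ProgramData\ilin\ivaragyj.exe" [-]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[Inline] IAT @explorer.exe (TranslateMessage) : USER32.dll -> HOOKED (Unknown @ 0x03C81800)
[Inline] EAT @explorer.exe (GetMessageW) : USER32.dll -> HOOKED (Unknown @ 0x03C81990)
[Inline] EAT @explorer.exe (RegCreateKeyExW) : pkmws.dll -> HOOKED (C:\Windows\system32\ADVAPI32.dll @ 0x767F407E)
[Inline] EAT @firefox.exe (CERT_VerifyCert) : nss3.dll -> HOOKED (Unknown @ 0x020E25C1)
[Inline] EAT @firefox.exe (CERT_VerifyCertNow) : nss3.dll -> HOOKED (Unknown @ 0x020E25C1)
[Inline] EAT @firefox.exe (GetMessageW) : USER32.dll -> HOOKED (Unknown @ 0x02121990)
"""

# One RogueKiller "[Inline] IAT/EAT @process (export) : module -> HOOKED (target @ addr)" line
# (format assumed from the report quoted in the thread).
HOOK_RE = re.compile(
    r"^\[Inline\] (?P<table>IAT|EAT) @(?P<process>\S+) \((?P<func>\w+)\) : "
    r"(?P<module>\S+) -> HOOKED \((?P<target>.+?) @ (?P<addr>0x[0-9A-Fa-f]+)\)\s*$"
)
# A Run-key entry RogueKiller flagged with [SUSP PATH]; keep the value name and binary path.
AUTORUN_RE = re.compile(
    r'^\[RUN\]\[SUSP PATH\] (?P<key>.+?) : (?P<name>\S+) \("(?P<path>[^"]+)"'
)

SYSTEM_DIR = "c:\\windows\\system32\\"


def parse_hooks(report_text):
    """Return one dict per hook line; every other report line is ignored."""
    hooks = []
    for line in report_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def parse_suspicious_autoruns(report_text):
    """Return (value_name, path) for every Run entry the report marked SUSP PATH."""
    found = []
    for line in report_text.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if m:
            found.append((m.group("name"), m.group("path")))
    return found


def classify_hook(hook):
    """Rank a hook by where its jump target lives.

    'Unknown' means the target is not backed by any module on disk, which is what
    injected code looks like; a target inside System32 is usually an export that
    resolves into a Microsoft DLL and is low priority."""
    target = hook["target"]
    if target == "Unknown":
        return "unbacked"
    if target.lower().startswith(SYSTEM_DIR):
        return "system_module"
    return "other_module"


def triage(report_text):
    """Summarise the hook and autorun sections the way a responder reads them."""
    hooks = parse_hooks(report_text)
    unbacked = [h for h in hooks if classify_hook(h) == "unbacked"]

    # Several exports redirected to one address means one injected stub is
    # servicing all of them; group by (process, address) to make that visible.
    by_addr = {}
    for h in unbacked:
        by_addr.setdefault((h["process"], h["addr"]), []).append(h["func"])

    return {
        "hook_count": len(hooks),
        "by_class": dict(Counter(classify_hook(h) for h in hooks)),
        "unbacked_by_process": dict(Counter(h["process"] for h in unbacked)),
        # NSS certificate-verification exports hooked into unbacked memory undermine
        # the browser's TLS validation, so they get their own line in the summary.
        "tls_validation_hooks": sorted(
            {h["func"] for h in unbacked if h["func"].startswith("CERT_Verify")}
        ),
        "shared_trampolines": {k: sorted(v) for k, v in by_addr.items() if len(v) > 1},
        "suspicious_autoruns": parse_suspicious_autoruns(report_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run it against a full RKreport text instead of the embedded sample to get the same summary for a real scan; the split into unbacked versus module-backed hooks is what separates the injected code in explorer.exe and firefox.exe from the pkmws.dll exports that merely resolve into ADVAPI32.dll and USER32.dll.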

#12 noknojon

Posted 05 March 2014 - 06:06 PM

Hi -

Thanks for taking the time to run and post those. It looks good for now.

"Hi, I haven't noticed any problems."

Your view is most likely the better place to see if there are any problems or changes.

If you do notice any problems in the next week or so, please post back with an updated Malwarebytes scan.

I will watch this topic for a while, so post back if there are any problems.

Remember to read what you are opening in emails now, as there are many serious infections being sent randomly -



#13 Aurifex (Topic Starter)

Posted 05 March 2014 - 06:30 PM

Thanks heaps, and I will post back if I notice any probs.

Cheers.



#14 Aurifex (Topic Starter)

Posted 10 March 2014 - 10:49 PM

Hi, I hope you're still watching this thread.
This morning I noticed something really strange. I switched on my computer and was going through my emails when about a dozen warning windows popped up. I shut all the windows as I wanted to finish my work, and as I progressed to wanting to browse the internet I noticed both Firefox and Internet Explorer would not work. A window pops up saying Firefox has stopped working, and when I press View problem details the first problem event name reads APPCRASH. Not sure if this helps.

I have also run MBAM, Security Check, MiniToolBox and ESET.

Here is the MBAM log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.10.09

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 11.0.9600.16518
unknown :: UNKNOWN-PC [administrator]

11-Mar-14 8:29:20 AM
mbam-log-2014-03-11 (08-29-20).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 401657
Time elapsed: 2 hour(s), 27 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#15 Aurifex (Topic Starter)

Posted 10 March 2014 - 10:51 PM

Here is the Security Check result:

Results of screen317's Security Check version 0.99.79
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 51
Adobe Flash Player 12.0.0.70
Adobe Reader XI
Mozilla Firefox (27.0.1)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````