faq Posted October 28, 2015 ID:998377

Good morning/evening. I've read many posts here and elsewhere, installed the required/suggested programs and finally thought it would be wise to add my problem to the pile :s

It's been a while since the computer has been kind of slow. I installed all the updates (Windows, Java, Flash), the Malwarebytes rootkit remover and malware remover, SUPERAntiSpyware, changed Comodo for ZoneAlarm, and now I'm running Spyware Cease / AVG / Advanced System Care, GMER (so far the only one that actually recognizes something and allows me to kill processes, but they pop up randomly) and I know what false positives are, etc., registry cleaners... The thing is, all of a sudden Korean and Mandarin characters are popping up in GMER and I've never seen them before. It's brutally annoying; I work for a Japanese-owned company and wonder if it's not industrial spying. I'm in North America, with lots of co-workers from Asia, and this could also be a possibility. It's very frustrating, as I did all the searching for the corrupt csrss.exe file and obviously won't find it. I'd attach screenshots so you can see: some repeating threads but mostly program jacking. I also used Panda Cloud scanner / RogueKiller / Kaspersky / ESET, all to no avail/real result; it seems they only look for English characters, and they did remove a few PUPs and adware but nothing serious. I tried moving everything to another user (that I just created) and, before I report this to my employer as a serious issue, I'd like to have some idea (are there apps I can use to track the origin of the sender so I can show those smart asses a lesson?). This has been burning lots of time; I'm working as you all are, I suppose, and a part-time student as well.

*Update: I've been working with computers for a while, so don't worry and suggest me a straight-up solution. Regedit won't detect the csrss.exe file but the virus keeps emulating it along with .32 processes. I also noticed that GMER mentions a "windows" without a capital W but the other times it has it. Ask for the logs if you'd like, but they show nothing. 0, zilch, nada. I guess I could try to ''search for the Chinese character meaning'' if it can be tracked from the photo. I've only seen those kinds of posts a few times, and I don't mean to be racist, but I studied cyber criminology and was told Asian script kiddies & seasonal criminals are fond of unwary American cyber surfers' funds. Thanks in advance!

Attachments: backdoor stuff.txt, problemz.txt, Rkill.txt, shiiiiiiiiit.txt
faq (Author) Posted October 28, 2015 ID:998378

This could be a serious issue. I'm not a super rich person, but I'm making more than my coworkers, who could be jealous/thinking of seeding my computer. I tried deleting my actual user in Windows 8 but it didn't work; the other new user only had guest features even if I gave it full administrator. I also have a partitioned hard drive I was planning on installing Linux on but never did. Could malicious programs use this (dead) memory space, my processor, and my RAM to infect with botnets? I have a clean ''Task Manager'' and other interfaces are OK too. I am in America now but travelled in Asia once with that computer in the past, and I brought another one too. But I'm back and there is no reason this should happen unless someone is actively trying to jack into my files. I never noticed any stolen information, but those added spices are making my computer time unliveable. Thank you.
faq (Author) Posted October 28, 2015 ID:998380

And just for the record, I'm not going on adult websites, and the only time I do financial transactions is with PayPal. Definitely not the type of person who will enter his credit card information on a site that will make me a sitting duck after. I don't even go and watch free content from overseas, and I'm not some elderly citizen with a loaded wallet visiting places of ill repute. So I'm definitely thinking this has to do with spying, because the surrounding businesses are obviously competing with this one, the connection is almost public, the password probably hasn't been changed, and many people from throughout the world use it for their personal needs. Thought I'd tell. Now please and thank you, have a nice day, and I appreciate any suggestions. 10-4
faq Posted October 29, 2015 Author ID:998521 Share Posted October 29, 2015 I need help with my files, please. For some reason Gmer is the only one that detects intrusion, everything else (including detection program) is passing by unharmed unless it is linked to a ''pup''.Running a copy legit of windows 8, I download a bit here and there but I'm not a heavy surfer.I don't want to reformat, are there any solutions? I tried even Trojan remover and unhack me nothing works to remove the problems (which I guess are rootkits, worms and trojans) Thanks in advanceGMER 2.1.19357 - http://www.gmer.netRootkit scan 2015-10-28 10:54:38Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 WDC_WD7500BPVX-22JC3T0 rev.01.01A01 698.64GBRunning: gmer.exe; Driver: C:\Temp\uxtiqpog.sys---- Disk sectors - GMER 2.1 ----Disk \Device\Harddisk0\DR0 unknown MBR code---- Threads - GMER 2.1 ----Thread C:\Windows\system32\csrss.exe [596:624] fffff960008ad5e8Thread C:\Windows\system32\svchost.exe [900:3860] 000007fde01410f0Thread C:\Windows\system32\svchost.exe [900:5388] 000007fde4555c38Thread C:\Windows\System32\spoolsv.exe [1536:4736] 000007fde66e54c0Thread C:\Windows\System32\spoolsv.exe [1536:4740] 000007fde66c30ecThread C:\Windows\System32\spoolsv.exe [1536:4768] 000007fdde2b5798Thread C:\Windows\System32\spoolsv.exe [1536:4776] 000007fdde2fd29cThread C:\Windows\system32\svchost.exe [2728:2832] 000007fde66e54c0Thread C:\Windows\system32\svchost.exe [2728:472] 000007fde66c30ec---- EOF - GMER 2.1 ----GMER 2.1.19357 - http://www.gmer.netRootkit scan 2015-10-29 08:29:39Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 WDC_WD7500BPVX-22JC3T0 rev.01.01A01 698.64GBRunning: healer.exe; Driver: C:\Temp\uxtiqpog.sys---- Kernel code sections - GMER 2.1 ----.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000132b00 1 byte [00].text C:\Windows\System32\win32k.sys!W32pServiceTable + 2 fffff96000132b02 5 bytes [7E, 01, 00, 58, F2]---- User code sections - GMER 2.1 
----.text C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8c20e177a 4 bytes [0E, C2, F8, 07].text C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8c20e1782 4 bytes [0E, C2, F8, 07].text C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8c20e177a 4 bytes [0E, C2, F8, 07].text C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8c20e1782 4 bytes [0E, C2, F8, 07]GMER 2.1.19357 - http://www.gmer.netRootkit scan 2015-10-29 08:44:28Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000038 WDC_WD7500BPVX-22JC3T0 rev.01.01A01 698,64GBRunning: healer.exe; Driver: C:\Temp\uxtiqpog.sys---- Kernel code sections - GMER 2.1 ----.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000132b00 1 byte [00].text C:\Windows\System32\win32k.sys!W32pServiceTable + 2 fffff96000132b02 5 bytes [7E, 01, 00, 58, F2]---- User code sections - GMER 2.1 ----.text C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8c20e177a 4 bytes [0E, C2, F8, 07].text C:\Windows\system32\atiesrxx.exe[496] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8c20e1782 4 bytes [0E, C2, F8, 07].text C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 
000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\dwm.exe[844] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8c20e177a 4 bytes [0E, C2, F8, 07].text C:\Windows\system32\atieclxx.exe[1164] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8c20e1782 4 bytes [0E, C2, F8, 07].text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8c20e177a 4 bytes [0E, C2, F8, 07].text C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1076] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8c20e1782 4 bytes [0E, C2, F8, 07].text C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\system32\wbem\wmiprvse.exe[4012] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\System32\svchost.exe[4260] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\System32\svchost.exe[4260] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\System32\svchost.exe[4260] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\System32\svchost.exe[4260] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\system32\svchost.exe[4448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\system32\svchost.exe[4448] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\system32\svchost.exe[4448] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\system32\wbem\unsecapp.exe[4612] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\system32\SearchIndexer.exe[5832] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\system32\taskhostex.exe[4172] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Windows\system32\taskhostex.exe[4172] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Program Files\Elantech\ETDCtrl.exe[4344] 
C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDCtrl.exe[4344] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Program 
Files\Elantech\ETDTouch.exe[5932] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\Explorer.EXE[5944] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\Explorer.EXE[5944] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Windows\Explorer.EXE[5944] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes 
JMP 000007f9b69c20f0.text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Program Files\Elantech\ETDCtrlHelper.exe[5144] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 
000007f8c20e177a 4 bytes [0E, C2, F8, 07].text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8c20e1782 4 bytes [0E, C2, F8, 07].text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Windows\SysWOW64\trmhost.exe[4904] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Program Files (x86)\IObit\Start Menu 
8\InstallServices.exe[3724] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Program Files (x86)\IObit\Start Menu 8\InstallServices.exe[3724] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\system32\KERNELBASE.dll!CreateProcessInternalW 000007f8c156b970 5 bytes JMP 000007f9b69c19c0.text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007f8bcff1532 4 bytes [FF, BC, F8, 07].text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007f8bcff153a 4 bytes [FF, BC, F8, 07].text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1376] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007f8bcff165a 4 bytes [FF, BC, F8, 07].text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text 
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007f8c20e177a 4 bytes [0E, C2, F8, 07].text C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE[2332] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007f8c20e1782 4 bytes [0E, C2, F8, 07].text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 000007f8c42f2de0 5 bytes JMP 000007f9b69c1d00.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000007f8c42f2f00 5 bytes JMP 000007f9b69c1810.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000007f8c42f2fe0 5 bytes JMP 000007f9b69c2090.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000007f8c42f35c1 5 bytes JMP 000007f9b69c20f0.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000007f8c42f3651 5 bytes JMP 000007f9b69c2150.text C:\Program Files\Acer\Acer Power Management\ePowerSvc.exe[6336] C:\Windows\system32\KERNELBASE.dll!ResumeThread 000007f8c1566560 5 bytes JMP 000007f9b69c1f50.text C:\Program Files\Acer\Acer Power 
---- Threads - GMER 2.1 ----
Thread C:\Windows\system32\csrss.exe [648:672] fffff9600099e5e8

---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
kevinf80 Posted October 30, 2015 ID:998640

Hello and welcome,

P2P/Piracy Warning:
If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Those GMER logs are clean, what exactly do you think is wrong?

Next, please open Malwarebytes Anti-Malware.
On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under the Non-Malware Protection sub tab, change PUP and PUM entries to "Treat detections as Malware".
Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
A Threat Scan will begin.
With some infections, you may or may not see this message box: 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart, once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:
Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export > From export you have three options:
Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply.
Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply.
XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply.
Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply.

If Malwarebytes is not installed follow these instructions first:
Download Malwarebytes Anti-Malware to your desktop.
Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following: Launch Malwarebytes Anti-Malware. A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish.
Follow the instructions above.

Next, download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Press the Scan button to run the tool. It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Let me see those logs,
Kevin.
AdvancedSetup (Root Admin) Posted November 5, 2015 ID:999986

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!