Computer stuck on start. Tried safe mode and was able to run RogueKiller and Malwarebytes. After their scan they deleted some stuff, but the computer is still very slow and bizarre. I can't save the DDS logs on the computer, so I'll post them directly in the thread. GMER can't start because of this error:

Loaddriver("C:\DOCUME~1\OWNER\LOCALS~1\Temp\agedqpow.sys") error 0xC0000061: The handle is invalid

DDS log

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by Owner at 7:12:35 on 2011-06-06

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

MBAM log

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6804

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/7/2011 10:08:29 PM

mbam-log-2011-06-07 (22-08-29).txt

Scan type: Quick scan

Objects scanned: 165735

Time elapsed: 29 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

combofix.txt

ComboFix 11-06-06.07 - Owner 06/07/2011 22:40:37.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.430 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((( Files Created from 2011-05-08 to 2011-06-08 )))))))))))))))))))))))))))))))

.

.

2011-06-06 04:52 . 2011-06-06 04:52 -------- d-sh--w- c:\documents and settings\Movie Watching\IETldCache

2011-06-02 16:30 . 2011-06-02 16:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-05-20 23:20 . 2011-05-20 23:23 -------- dc-h--w- c:\windows\ie8

2011-05-13 01:11 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-05-13 01:11 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-05-13 01:11 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-05-13 01:11 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-05-13 01:11 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-13 01:11 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-05-13 01:11 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-05-13 01:11 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-05-13 01:11 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr

2011-05-13 01:11 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-05-13 01:10 . 2011-05-13 01:10 -------- d-----w- c:\program files\AVAST Software

2011-05-13 01:10 . 2011-05-13 01:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software

2011-05-12 23:11 . 2011-05-13 01:13 -------- d-----w- c:\program files\SpywareGuard

2011-05-12 23:09 . 2011-05-12 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2011-05-12 23:08 . 2011-05-12 23:11 -------- d-----w- c:\program files\SpywareBlaster

2011-05-12 20:29 . 2011-05-12 20:29 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PCHealth

2011-05-10 01:05 . 2011-05-28 20:42 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-05-10 01:05 . 2011-05-13 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 13:11 . 2011-04-05 04:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2011-04-05 04:59 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-14 09:07 . 2010-09-07 21:21 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 06:40 . 2010-09-02 18:55 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-05-13 . 8FCF3A8C83D93FA7BD01574DBD861786 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-08 128512]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/12/2011 9:11 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/12/2011 9:11 PM 307928]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/12/2011 9:11 PM 19544]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 2:06 PM 231424]

S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [9/22/2010 2:26 PM 30576]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3d9ghmci.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-07 22:53

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

C:\## aswSnx private storage

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]

@DACL=(02 0000)

@SACL=

"WinSock_Registry_Version"="2.0"

"Current_NameSpace_Catalog"="NameSpace_Catalog5"

"Current_Protocol_Catalog"="Protocol_Catalog9"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1068)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(2980)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-06-07 23:01:32

ComboFix-quarantined-files.txt 2011-06-08 03:01

.

Pre-Run: 24,934,178,816 bytes free

Post-Run: 24,965,275,648 bytes free

.

- - End Of File - - 6E569BCA0E756E172587600FA84571CD

DDS log

.

DDS (Ver_2011-06-03.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by Owner at 22:10:48 on 2011-06-07

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

TCP: Interfaces\{4B0E35A4-7C13-4DD1-A3ED-C32AEC4C37FA} : DhcpNameServer = 192.168.2.1 192.168.2.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\3d9ghmci.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF

.

============= SERVICES / DRIVERS ===============

.

R? fsssvc;Windows Live Family Safety Service

R? MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver

S? aswFsBlk;aswFsBlk

S? aswSnx;aswSnx

S? aswSP;aswSP

S? avast! Antivirus;avast! Antivirus

S? fssfltr;fssfltr

S? HSFHWATI;HSFHWATI

.

=============== Created Last 30 ================

.

2011-05-20 23:20:43 -------- dc-h--w- c:\windows\ie8

2011-05-13 01:11:30 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-13 01:11:04 40112 ----a-w- c:\windows\avastSS.scr

2011-05-13 01:10:30 -------- d-----w- c:\program files\AVAST Software

2011-05-13 01:10:30 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software

2011-05-12 23:11:49 -------- d-----w- c:\program files\SpywareGuard

2011-05-12 23:08:40 -------- d-----w- c:\program files\SpywareBlaster

2011-05-12 20:29:00 -------- d-----w- c:\documents and settings\owner\local settings\application data\PCHealth

2011-05-12 08:57:24 -------- d-sha-r- C:\cmdcons

2011-05-10 01:05:40 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-05-10 01:05:40 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

.

==================== Find3M ====================

.

2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 06:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

============= FINISH: 22:18:57.68 ===============

I managed to run GMER myself; the log is attached. I am not being helped anywhere else. If nobody can help me, please let me know. The confusion on the Spybot forum came from the fact that two of my 4 machines got infected almost at the same time. I took drastic measures in the household to avoid such a situation, but posting another thread gave the impression that I am over-"using" the precious time of volunteers. Rest assured, guys, I am not using anybody, and I'll not blame anybody if you don't want to help me.

Please, can somebody help me?

GMER 1.0.15.15640 - http://www.gmer.net

Rootkit scan 2011-06-13 01:43:36

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8025GAS rev.KA023H

Running: y2movpbj.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\agedqpow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xB9FC2202]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xBA028CB2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xB9FE66C1]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xB9FC481C]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xB9FC4874]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xB9FC498A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xB9FE6075]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xB9FC4772]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xB9FC48C4]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xB9FC47C6]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xB9FC4938]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xB9FC2226]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xB9FE6D87]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xB9FE703D]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xB9FC4C0E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB9FE6BF2]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB9FE6A5D]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xBA028D62]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xB9FC1FF0]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xB9FC224A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xB9FC4D82]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xB9FC2CDA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xB9FC484C]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xB9FC489C]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xB9FC49B4]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xB9FE63D1]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xB9FC479E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xB9FC4A46]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xB9FC4904]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xB9FC47F4]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xB9FC4B2A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xB9FC4962]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xBA028DFA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xB9FE68D8]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xB9FC2BA0]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xB9FE672A]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xBA031E48]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xB9FE56E8]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xB9FC226E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xB9FC2292]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xB9FC204A]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xB9FC2186]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xB9FE6E8E]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xB9FC2162]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xB9FC21AA]

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xB9FC22B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xBA03E902]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 26B4 80501EEC 4 Bytes [E8, 56, FE, B9]

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059B8EC 4 Bytes CALL B9FC3335 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1DB4 5 Bytes JMP BA03A2BE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ObInsertObject 805B8C2C 5 Bytes JMP BA03BD5C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C74CC 7 Bytes JMP BA03E906 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)

.text win32k.sys!EngFreeUserMem + 674 BF809922 5 Bytes JMP B9FC5CCE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngDeleteSurface + 45 BF813911 5 Bytes JMP B9FC5BDA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngSetLastError + 783B BF824157 5 Bytes JMP B9FC4F60 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateBitmap + F9C BF828CE9 5 Bytes JMP B9FC5E38 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngUnmapFontFileFD + 2C50 BF8316DA 5 Bytes JMP B9FC6040 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngUnmapFontFileFD + B8F2 BF83A37C 5 Bytes JMP B9FC5B4A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCopyBits + 5F35 BF857E69 5 Bytes JMP B9FC4FD0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!XLATEOBJ_iXlate + 348C BF866FF4 5 Bytes JMP B9FC51AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!XLATEOBJ_iXlate + 3517 BF86707F 5 Bytes JMP B9FC5352 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!XLATEOBJ_iXlate + 3F47 BF867AAF 5 Bytes JMP B9FC4E84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!XLATEOBJ_iXlate + AAFC BF86E664 5 Bytes JMP B9FC5C04 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngUnicodeToMultiByteN + 2ED7 BF871F85 5 Bytes JMP B9FC5F9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngGetCurrentCodePage + 411E BF88C9D8 5 Bytes JMP B9FC532A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngTextOut + 4149 BF8B0CBE 5 Bytes JMP B9FC4E9C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreatePalette + 2DBF BF8C26A3 5 Bytes JMP B9FC5D80 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngStretchBltROP + 450 BF8C3048 5 Bytes JMP B9FC506A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngFillPath + 1517 BF8CB4AA 5 Bytes JMP B9FC50DA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngFillPath + 1797 BF8CB72A 5 Bytes JMP B9FC5114 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngDeleteSemaphore + 3B3E BF8ED1B7 5 Bytes JMP B9FC4DB8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 19B2 BF913F1F 5 Bytes JMP B9FC4F1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 2586 BF914AF3 5 Bytes JMP B9FC5034 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngCreateClip + 4EE5 BF917452 5 Bytes JMP B9FC546C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

.text win32k.sys!EngPlgBlt + 1924 BF945FB0 5 Bytes JMP B9FC5EF6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[240] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[240] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[240] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\spoolsv.exe[804] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\spoolsv.exe[804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\spoolsv.exe[804] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\spoolsv.exe[804] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\spoolsv.exe[804] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\spoolsv.exe[804] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\spoolsv.exe[804] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\spoolsv.exe[804] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\spoolsv.exe[804] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\spoolsv.exe[804] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[872] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003A1014

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003A0804

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003A0A08

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003A0C0C

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003A0E10

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003A01F8

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003A03FC

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003A0600

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003B0804

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003B0A08

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003B0600

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003B01F8

.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[896] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003B03FC

.text C:\Program Files\AVAST Software\Avast\avastUI.exe[904] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\AVAST Software\Avast\avastUI.exe[904] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\System32\smss.exe[952] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC

.text C:\Program Files\SpywareGuard\sgmain.exe[976] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\SpywareGuard\sgmain.exe[976] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804

.text C:\Program Files\SpywareGuard\sgmain.exe[976] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08

.text C:\Program Files\SpywareGuard\sgmain.exe[976] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600

.text C:\Program Files\SpywareGuard\sgmain.exe[976] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8

.text C:\Program Files\SpywareGuard\sgmain.exe[976] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\Program Files\SpywareGuard\sgmain.exe[976] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\WINDOWS\system32\csrss.exe[1052] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\csrss.exe[1052] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[1096] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000701F8

.text C:\WINDOWS\system32\winlogon.exe[1096] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[1096] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000703FC

.text C:\WINDOWS\system32\winlogon.exe[1096] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\winlogon.exe[1096] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\winlogon.exe[1096] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\winlogon.exe[1096] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\winlogon.exe[1096] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\winlogon.exe[1096] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\winlogon.exe[1096] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\services.exe[1140] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\services.exe[1140] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\services.exe[1140] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\services.exe[1140] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\services.exe[1140] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\services.exe[1140] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\lsass.exe[1152] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\lsass.exe[1152] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\lsass.exe[1152] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\lsass.exe[1152] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\lsass.exe[1152] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\lsass.exe[1152] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1304] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1340] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1340] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1440] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1440] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\System32\svchost.exe[1480] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\System32\svchost.exe[1480] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\System32\svchost.exe[1480] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\System32\svchost.exe[1480] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\System32\svchost.exe[1480] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 006B1014

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 006B0804

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 006B0A08

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 006B0C0C

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 006B0E10

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 006B01F8

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 006B03FC

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 006B0600

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 006C0804

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 006C0A08

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 006C0600

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 006C01F8

.text C:\Program Files\Mozilla Firefox\firefox.exe[1516] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 006C03FC

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\Program Files\SpywareGuard\sgbhp.exe[1528] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1536] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1536] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1536] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1536] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1536] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1536] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1536] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1612] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1612] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[1720] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00380804

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00380A08

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00380600

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003801F8

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003803FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\WINDOWS\system32\Ati2evxx.exe[1812] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8

.text C:\Program Files\Bonjour\mDNSResponder.exe[1836] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001501F8

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001503FC

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00391014

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00390804

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390A08

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00390C0C

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390E10

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003901F8

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003903FC

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00390600

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A0804

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0A08

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A0600

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A01F8

.text C:\Program Files\Java\jre6\bin\jqs.exe[1892] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A03FC

.text C:\WINDOWS\Explorer.EXE[2040] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\Explorer.EXE[2040] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\Explorer.EXE[2040] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\Explorer.EXE[2040] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC

.text C:\WINDOWS\Explorer.EXE[2040] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600

.text C:\WINDOWS\Explorer.EXE[2040] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804

.text C:\WINDOWS\Explorer.EXE[2040] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08

.text C:\WINDOWS\Explorer.EXE[2040] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600

.text C:\WINDOWS\Explorer.EXE[2040] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8

.text C:\WINDOWS\Explorer.EXE[2040] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001401F8

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001403FC

.text C:\WINDOWS\system32\HPZipm12.exe[2184] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 00381014

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 00380804

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00380A08

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 00380C0C

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00380E10

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003801F8

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003803FC

.text C:\WINDOWS\system32\HPZipm12.exe[2184] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 00380600

.text C:\WINDOWS\system32\HPZipm12.exe[2184] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00390804

.text C:\WINDOWS\system32\HPZipm12.exe[2184] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00390A08

.text C:\WINDOWS\system32\HPZipm12.exe[2184] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00390600

.text C:\WINDOWS\system32\HPZipm12.exe[2184] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003901F8

.text C:\WINDOWS\system32\HPZipm12.exe[2184] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003903FC

.text C:\WINDOWS\system32\svchost.exe[2272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\system32\svchost.exe[2272] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[2272] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\system32\svchost.exe[2272] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B1014

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B0804

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0A08

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B0C0C

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0E10

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B01F8

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B03FC

.text C:\WINDOWS\system32\svchost.exe[2272] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B0600

.text C:\WINDOWS\system32\svchost.exe[2272] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\svchost.exe[2272] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\svchost.exe[2272] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\svchost.exe[2272] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\svchost.exe[2272] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC

.text C:\WINDOWS\System32\alg.exe[3092] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000901F8

.text C:\WINDOWS\System32\alg.exe[3092] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\System32\alg.exe[3092] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000903FC

.text C:\WINDOWS\System32\alg.exe[3092] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\System32\alg.exe[3092] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B0804

.text C:\WINDOWS\System32\alg.exe[3092] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0A08

.text C:\WINDOWS\System32\alg.exe[3092] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B0600

.text C:\WINDOWS\System32\alg.exe[3092] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B01F8

.text C:\WINDOWS\System32\alg.exe[3092] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B03FC

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC

.text C:\WINDOWS\System32\alg.exe[3092] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 001601F8

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 001603FC

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003F1014

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003F0804

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 003F0A08

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003F0C0C

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003F0E10

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003F01F8

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003F03FC

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003F0600

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 00AA0804

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 00AA0A08

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 00AA0600

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 00AA01F8

.text C:\Documents and Settings\Owner\Desktop\y2movpbj.exe[3464] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 00AA03FC

.text C:\WINDOWS\system32\sol.exe[3532] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 000A01F8

.text C:\WINDOWS\system32\sol.exe[3532] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]

.text C:\WINDOWS\system32\sol.exe[3532] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 000A03FC

.text C:\WINDOWS\system32\sol.exe[3532] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C1014

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C0804

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0A08

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C0C0C

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0E10

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C01F8

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C03FC

.text C:\WINDOWS\system32\sol.exe[3532] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C0600

.text C:\WINDOWS\system32\sol.exe[3532] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D0804

.text C:\WINDOWS\system32\sol.exe[3532] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0A08

.text C:\WINDOWS\system32\sol.exe[3532] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D0600

.text C:\WINDOWS\system32\sol.exe[3532] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D01F8

.text C:\WINDOWS\system32\sol.exe[3532] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D03FC

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

1.log


  • Staff

Hi,

Every time you reply, you get pushed to the bottom of my reply list. Please stop doing that.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.


Sorry for the bumps...

MBAM log

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6859

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/14/2011 8:05:16 PM

mbam-log-2011-06-14 (20-05-16).txt

Scan type: Quick scan

Objects scanned: 166647

Time elapsed: 29 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS log

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by Owner at 20:11:02 on 2011-06-14

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

TCP: Interfaces\{4B0E35A4-7C13-4DD1-A3ED-C32AEC4C37FA} : DhcpNameServer = 192.168.2.1 192.168.2.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\3d9ghmci.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF

.

============= SERVICES / DRIVERS ===============

.

R? fsssvc;Windows Live Family Safety Service

R? MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver

S? aswFsBlk;aswFsBlk

S? aswSnx;aswSnx

S? aswSP;aswSP

S? avast! Antivirus;avast! Antivirus

S? fssfltr;fssfltr

S? HSFHWATI;HSFHWATI

.

=============== Created Last 30 ================

.

2011-06-08 02:34:20 98816 ----a-w- c:\windows\sed.exe

2011-06-08 02:34:20 518144 ----a-w- c:\windows\SWREG.exe

2011-06-08 02:34:20 256512 ----a-w- c:\windows\PEV.exe

2011-06-08 02:34:20 208896 ----a-w- c:\windows\MBR.exe

2011-05-20 23:20:43 -------- dc-h--w- c:\windows\ie8

.

==================== Find3M ====================

.

2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 06:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

============= FINISH: 20:19:22.03 ===============


Combofix log

ComboFix 11-06-17.04 - Owner 06/18/2011 0:29.3.1 - x86

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

.

((((((((((((((((((((((((( Files Created from 2011-05-18 to 2011-06-18 )))))))))))))))))))))))))))))))

.

.

2011-06-18 03:59 . 2011-06-18 03:59 -------- d-----w- c:\windows\LastGood

2011-06-06 04:52 . 2011-06-06 04:52 -------- d-sh--w- c:\documents and settings\Movie Watching\IETldCache

2011-06-02 16:30 . 2011-06-02 16:30 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-05-20 23:20 . 2011-05-20 23:23 -------- dc-h--w- c:\windows\ie8

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 13:11 . 2011-04-05 04:59 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2011-04-05 04:59 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-10 12:10 . 2011-05-13 01:11 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 12:10 . 2011-05-13 01:11 199304 ----a-w- c:\windows\system32\aswBoot.exe

2011-05-10 12:03 . 2011-05-13 01:11 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-05-10 12:03 . 2011-05-13 01:11 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys

2011-05-10 12:02 . 2011-05-13 01:11 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2011-05-10 12:02 . 2011-05-13 01:11 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2011-05-10 12:02 . 2011-05-13 01:11 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys

2011-05-10 11:59 . 2011-05-13 01:11 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2011-05-10 11:59 . 2011-05-13 01:11 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2011-05-10 11:59 . 2011-05-13 01:11 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2011-04-14 09:07 . 2010-09-07 21:21 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 06:40 . 2010-09-02 18:55 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2008-05-13 . 8FCF3A8C83D93FA7BD01574DBD861786 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-06-08_02.54.26 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-06-14 23:16 . 2011-06-14 23:16 16384 c:\windows\Temp\Perflib_Perfdata_3dc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]

@="{472083B0-C522-11CF-8763-00608CC02F24}"

[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]

2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]

"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"nltide_3"="advpack.dll" [2009-03-08 128512]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

.

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/12/2011 9:11 PM 441176]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/12/2011 9:11 PM 307928]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/12/2011 9:11 PM 19544]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 2:06 PM 231424]

S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [9/22/2010 2:26 PM 30576]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3d9ghmci.default\

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-18 00:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

.

C:\## aswSnx private storage

.

scan completed successfully

hidden files: 1

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]

@DACL=(02 0000)

@SACL=

"WinSock_Registry_Version"="2.0"

"Current_NameSpace_Catalog"="NameSpace_Catalog5"

"Current_Protocol_Catalog"="Protocol_Catalog9"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1076)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3504)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-06-18 00:50:34

ComboFix-quarantined-files.txt 2011-06-18 04:50

ComboFix2.txt 2011-06-08 03:01

.

Pre-Run: 27,022,544,896 bytes free

Post-Run: 27,010,875,392 bytes free

.

- - End Of File - - 0F8222C80932DF3BCC980FAAFD78164B

DDS log

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_25

Run by Owner at 0:54:34 on 2011-06-18

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui

dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1 192.168.2.1

TCP: Interfaces\{4B0E35A4-7C13-4DD1-A3ED-C32AEC4C37FA} : DhcpNameServer = 192.168.2.1 192.168.2.1

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\3d9ghmci.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}

FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF

.

============= SERVICES / DRIVERS ===============

.

R? fsssvc;Windows Live Family Safety Service

R? MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver

S? aswFsBlk;aswFsBlk

S? aswSnx;aswSnx

S? aswSP;aswSP

S? avast! Antivirus;avast! Antivirus

S? fssfltr;fssfltr

S? HSFHWATI;HSFHWATI

.

=============== Created Last 30 ================

.

2011-06-08 02:34:20 98816 ----a-w- c:\windows\sed.exe

2011-06-08 02:34:20 518144 ----a-w- c:\windows\SWREG.exe

2011-06-08 02:34:20 256512 ----a-w- c:\windows\PEV.exe

2011-06-08 02:34:20 208896 ----a-w- c:\windows\MBR.exe

2011-05-20 23:20:43 -------- dc-h--w- c:\windows\ie8

.

==================== Find3M ====================

.

2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr

2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys

2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-14 06:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

.

============= FINISH: 1:01:46.34 ===============


  • Staff

Hi,

Next, please run a free online scan with the ESET Online Scanner.

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Next, please run the PCPitstop Full Tests here (NOT the PCMatic scan or any other scan; simply register with the box on the left and you will be taken to the Full Tests/Overdrive Test). When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

-screen317


First, the website result of the PC test: http://pcpitstop.com/betapit/sec.asp?conid=24423015

It was a bit complicated to get it done...

ESETscan log

ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=c750e3add568ac478e8cb3df06a778c3

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-20 08:48:32

# local_time=2011-06-20 04:48:32 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=79471

# found=0

# cleaned=0

# scan_time=13130

Your securitycheck program log

Results of screen317's Security Check version 0.99.14

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

avast! Free Antivirus

ESET Online Scanner v3

Adobe After Effects CS3 Presets

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 25

Java 6 Update 6

Out of date Java installed!

Adobe Flash Player 9 (Out of date Flash Player installed!)

Flash Player Out of Date!

Adobe Flash Player 10.2.153.1

Mozilla Firefox (3.6.17) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe

AVAST Software Avast avastUI.exe

``````````End of Log````````````


  • Staff

Hi,

Navigate to Start --> Run, and type Combofix /uninstall in the box that appears. Click OK afterward. Notice the space between the X and the /uninstall.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java™ 6 Update 25

Java™ 6 Update 6

Adobe Flash Player 9

Adobe Flash Player 10.2.153.1

Restart your computer.

Get the latest version of Java, Adobe Reader, and Adobe Flash Player.

PCPitStop noted several things that you can do to improve the shape your computer is in.

Pay particular attention to these items:

• Delete Temporary Files:

Please download CCleaner and save it to your desktop.

  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Please do NOT run a scan yet!

Now, open CCleaner:

  • Click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • CHECK: "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), and click "OK" at the prompt.
  • When done, please exit CCleaner.

CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

• Reduce System Restore space (Drive C):

Right click My Computer and click Properties. Select the System Restore tab, and move the slider to 3%. You're pretty much wasting disk space otherwise.

• Update outdated device drivers:

Right click My Computer, click Properties, click the Hardware tab, and then click Device Manager. Update the drivers for your sound card, video card, and Ethernet card. Use the trial of Driver Alert from PCPitStop (click • Update outdated device drivers) to see which drivers should be updated.

• Defragment Drive C:

Defragmenting is a must. It's one of the large reasons for system slowdowns. I use Defraggler to defragment. It is free to download and you can use it forever. I recommend installing it and defragmenting as soon as possible.

Also take the time to take a look at the other tips PCPitStop reported. I've just highlighted some of the more important ones.


So, after 3 days!!!! of defrag, it is finally done (it just finished). I have followed the recommendations of PCPit and reinstalled what needed to be. But the computer still takes a long time to boot, and is still slow...

If I understand the logs, there is no virus, but is the bad fragmentation the explanation for the bad behavior?


Here is the result of the new test: My link

I think there is a problem with the disk. It keeps changing from DMA or Ultra DMA to PIO mode. So, the computer frequently goes to a black screen and there is no noise coming from the disk.

I have to force the reboot and manually revert to DMA mode. I also use resetdma.vbs to revert to DMA mode.

I also saw in the result of the test that the size of the restore cluster did not change despite the fact that I brought it to 3% according to your advice. I don't know if it did not change or the test got it wrong...


  • Staff

Okay, thanks for letting me know.

I highly recommend the PRO version of MBAM; with it, it's likely that this issue would have been prevented in the first place.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

3) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

4) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

5) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317


  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.