
Solved Google redirects - logs included

Discussion in 'Malware and Virus Removal Archive' started by keenyoung, 2011/06/18.

  1. 2011/06/18
    keenyoung (Thread Starter)
    [Resolved] Google redirects - logs included

    Getting redirects in Google search.

    Running Windows 7 Ultimate

    Avast antivirus

    Tried Hitman and several other malware cleaners

    TDSSKiller will not run on my computer

    Here are the logs requested by the sticky:

    Thanks for your time!

    Keen

    --------------------------------------

    Malwarebytes:

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6891

    Windows 6.1.7601
    Internet Explorer 8.0.7600.16385

    6/18/2011 7:40:40 PM
    mbam-log-2011-06-18 (19-40-40).txt

    Scan type: Quick scan
    Objects scanned: 150527
    Time elapsed: 4 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ------------------------------------------------

    aswMBR

    aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
    Run date: 2011-06-18 20:26:43
    -----------------------------
    20:26:43.011 OS Version: Windows 6.1.7601
    20:26:43.011 Number of processors: 2 586 0xF0D
    20:26:43.014 ComputerName: DSMOKE-COMPAQ UserName: D Smoke
    20:26:44.167 AVAST engine 6.0.1125 defs: 11061801
    20:26:44.168 Initialize success
    20:26:50.294 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
    20:26:50.298 Disk 0 Vendor: ST9120822AS 3.BHE Size: 114473MB BusType: 11
    20:26:52.486 Disk 0 MBR read successfully
    20:26:52.491 Disk 0 MBR scan
    20:26:52.858 Disk 0 Windows 7 default MBR code
    20:26:54.887 Disk 0 scanning sectors +234438656
    20:26:55.027 Disk 0 scanning C:\Windows\system32\drivers
    20:27:29.718 Service scanning
    20:27:30.882 Disk 0 trace - called modules:
    20:27:30.950 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85b0d1ed]<<
    20:27:30.957 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85acea00]
    20:27:30.964 3 CLASSPNP.SYS[892fd59e] -> nt!IofCallDriver -> [0x85a00918]
    20:27:30.972 5 ACPI.sys[88b383b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x859ed030]
    20:27:31.329 \Driver\atapi[0x859b3398] -> IRP_MJ_CREATE -> 0x84c641f8
    20:27:31.339 AVAST engine scan C:\Windows\system32
    20:29:26.256 Scan finished successfully
    20:29:53.203 Disk 0 MBR has been saved successfully to "C:\Users\D Smoke\Desktop\MBR.dat"
    20:29:53.214 The log file has been saved successfully to "C:\Users\D Smoke\Desktop\aswMBR.txt"


    -------------------------------------------

    DDS:

    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
    Run by D Smoke at 20:44:46 on 2011-06-18
    Microsoft Windows 7 Ultimate 6.1.7601.0.1252.1.1033.18.2038.890 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe
    C:\Windows\system32\svchost.exe -k HsfXAudioService
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Apoint2K\ApMsgFwd.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{E3A5140F-6019-4024-BABA-22701DDAC182} : DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{E3A5140F-6019-4024-BABA-22701DDAC182}\0556163686 : DhcpNameServer = 68.87.66.234 68.87.64.230
    TCP: Interfaces\{E3A5140F-6019-4024-BABA-22701DDAC182}\A4164656F416B6D27657563747 : DhcpNameServer = 68.87.77.134 68.87.72.134
    TCP: Interfaces\{E3A5140F-6019-4024-BABA-22701DDAC182}\C696E6B6379737 : DhcpNameServer = 192.168.0.1 205.171.3.25
    TCP: Interfaces\{E3A5140F-6019-4024-BABA-22701DDAC182}\E4544574541425 : DhcpNameServer = 192.168.1.1
    Notify: igfxcui - igfxdev.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\d smoke\appdata\roaming\mozilla\firefox\profiles\w3xomn2y.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-10 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-6-10 307928]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-6-10 19544]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-6-10 53592]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-6-10 42184]
    R2 havasvc;HAVA Service;c:\program files\monsoon multimedia\hava\common\havasvc.exe [2009-10-4 145408]
    R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
    R3 havabus;HAVA Bus Enumerator;c:\windows\system32\drivers\havabus.sys [2009-6-16 37376]
    R3 HAVATV;Hava Video Device;c:\windows\system32\drivers\HavaTV.sys [2009-6-16 324224]
    R3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\drivers\HavaTV_10.sys [2009-6-16 324224]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
    S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
    S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-9-24 268528]
    .
    =============== Created Last 30 ================
    .
    2011-06-19 00:35:24 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-19 00:35:21 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-19 00:35:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-18 23:22:43 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-06-18 23:07:04 518144 ----a-w- c:\windows\SWREG.exe
    2011-06-18 23:07:04 256512 ----a-w- c:\windows\PEV.exe
    2011-06-18 23:07:04 208896 ----a-w- c:\windows\MBR.exe
    2011-06-18 23:07:03 98816 ----a-w- c:\windows\sed.exe
    2011-06-18 22:48:13 388096 ----a-r- c:\users\d smoke\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-06-18 22:48:13 -------- d-----w- c:\program files\Trend Micro
    2011-06-18 22:11:09 -------- d-----w- c:\users\d smoke\appdata\roaming\SUPERAntiSpyware.com
    2011-06-18 22:11:09 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-06-18 22:11:03 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-06-18 21:18:39 -------- d-----w- c:\users\d smoke\appdata\roaming\Malwarebytes
    2011-06-18 21:18:32 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-18 20:46:18 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2011-06-18 20:38:15 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-18 20:38:13 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-06-18 20:36:10 -------- d-----w- c:\programdata\Hitman Pro
    2011-06-12 22:50:37 -------- d-----w- c:\users\d smoke\appdata\local\Apple Computer
    2011-06-12 22:42:39 -------- d-----w- c:\program files\Bonjour
    2011-06-12 22:42:16 -------- d-----w- c:\users\d smoke\appdata\local\Apple
    2011-06-11 01:34:45 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-06-11 01:34:44 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-06-11 01:33:18 40112 ----a-w- c:\windows\avastSS.scr
    2011-06-11 01:33:08 -------- d-----w- c:\programdata\AVAST Software
    2011-06-11 01:33:08 -------- d-----w- c:\program files\AVAST Software
    2011-06-11 01:20:23 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{c32c6171-7ca2-4882-bfba-a58ff51d2ca0}\mpengine.dll
    2011-06-10 00:50:15 -------- d-----w- c:\windows\system32\SPReview
    2011-06-10 00:48:54 -------- d-----w- c:\windows\system32\EventProviders
    2011-06-10 00:48:36 -------- d-----w- C:\9d0918abf386d64be6943cd108bf
    2011-06-06 15:53:41 -------- d--h--w- c:\users\d smoke\appdata\local\Borders Desktop
    2011-06-06 15:52:13 -------- d-----w- c:\program files\Borders Desktop
    2011-06-05 22:23:59 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-24 21:55:42 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-05-23 20:29:07 750592 ------w- c:\windows\system32\schedsvc.dll
    2011-05-23 20:29:05 1288488 ----a-w- c:\windows\system32\ntdll.dll.1
    2011-05-23 20:29:03 585728 ------w- c:\windows\system32\qmgr.dll
    2011-05-23 20:29:02 1414144 ------w- c:\windows\system32\ole32.dll
    2011-05-23 20:29:01 1128448 ------w- c:\windows\system32\vssapi.dll
    2011-05-23 20:29:00 505856 ------w- c:\windows\system32\taskschd.dll
    2011-05-23 20:27:59 90112 ------w- c:\windows\system32\srvcli.dll
    .
    ==================== Find3M ====================
    .
    2011-04-09 06:13:06 3957632 ----a-w- c:\windows\system32\ntkrnlpa(3039).exe
    2011-04-09 06:13:06 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-09 06:02:25 3967872 ------w- c:\windows\system32\ntkrnlpa.exe
    2011-04-09 05:56:38 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-03-29 19:09:32 21504 ----a-w- c:\windows\system32\drivers\libusb0.sys
    2011-03-29 19:09:30 37376 ----a-w- c:\windows\system32\libusb0.dll
    2011-03-25 03:06:46 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-03-25 03:06:25 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-03-25 03:06:23 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-25 03:06:12 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-03-25 03:06:11 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-03-25 03:06:10 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-03-25 03:06:06 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    .
    ============= FINISH: 20:45:47.06 ===============


    -----------------------------------------------

    DDS Attach:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows 7 Ultimate
    Boot Device: \Device\HarddiskVolume2
    Install Date: 10/3/2009 6:11:18 PM
    System Uptime: 6/18/2011 7:06:57 PM (1 hours ago)
    .
    Motherboard: Hewlett-Packard | | 30D9
    Processor: Intel(R) Pentium(R) Dual CPU T2330 @ 1.60GHz | CPU | 1600/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 102 GiB total, 59.942 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.186 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP235: 6/18/2011 5:47:47 PM - Installed HiJackThis
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Absolute Poker
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader X (10.0.1)
    Akamai NetSession Interface
    Apple Application Support
    Apple Software Update
    avast! Free Antivirus
    Bonjour
    Borders Desktop
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    Conexant HD Audio
    Full Tilt Poker
    Garmin City Navigator North America NT 2010.40
    Garmin MapInstall
    Garmin MapSource
    Garmin USB Drivers
    Garmin WebUpdater
    Google Earth
    Google Update Helper
    HAVA Software
    HDAUDIO Soft Data Fax Modem with SmartCP
    HiJackThis
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) TV Wizard
    Java Auto Updater
    Java(TM) 6 Update 21
    LionClock Client
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Silverlight
    Microsoft SOAP Toolkit 3.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Monopoly
    Mozilla Firefox 4.0 (x86 en-US)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Octoshape add-in for Adobe Flash Player
    Office Tracker
    PokerStars
    Safari
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Star Wars Galactic Battlegrounds: Saga
    SUPERAntiSpyware
    Touch Pad Driver
    Ulead Straight-to-Disc SDK
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
    Windows Mobile Device Center
    Windows Mobile Device Center Driver Update
    Windows Mobile Device Updater Component
    WinRAR archiver
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    Zune
    Zune Language Pack (DEU)
    Zune Language Pack (ESP)
    Zune Language Pack (FRA)
    Zune Language Pack (ITA)
    Zune Language Pack (NLD)
    Zune Language Pack (PTB)
    Zune Language Pack (PTG)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/18/2011 7:08:50 PM, Error: Microsoft-Windows-WMPNSS-Service [14346] - A new media server was not initialized because RegisterRunningDevice() encountered error '0x80070005'. Restart your computer, and then restart the WMPNetworkSvc service.
    6/18/2011 6:19:35 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    6/18/2011 5:40:02 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RapiMgr service.
    6/18/2011 3:28:43 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0xcb757000, 0x00000000, 0x82a78eab, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 061811-24570-01.
    6/18/2011 3:26:30 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    6/17/2011 3:54:17 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
    6/15/2011 2:09:22 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    6/13/2011 6:19:30 PM, Error: Microsoft-Windows-HAL [12] - The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.
    6/12/2011 10:10:09 PM, Error: Service Control Manager [7034] - The HAVA Service service terminated unexpectedly. It has done this 1 time(s).
    6/12/2011 10:10:00 PM, Error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    6/12/2011 10:09:35 PM, Error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
    6/12/2011 10:09:26 PM, Error: Service Control Manager [7034] - The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).
    .
    ==== End Of File ===========================
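An added example, not part of keenyoung's post and not code from DDS, aswMBR or GMER: a small Python script that does the first pass a removal helper does over logs like the ones above. It flags the DDS policy lines that switch UAC off, lists every DHCP-assigned DNS server outside private ranges so they can be compared with the resolvers the ISP really hands out, picks out aswMBR trace entries where the disk I/O path reaches code aswMBR could not map to a loaded driver, and sorts GMER .text entries into kernel JMP hooks, user-mode JMP hooks grouped by jump target, and drivers whose file path could not be opened. The sample lines are excerpted from the logs posted above; which settings count as weak, the finding names and the regular expressions are this example's own assumptions, and its output is a list of things to look at, not a verdict on this machine.

```python
"""First-pass triage of DDS, aswMBR and GMER logs from a search-redirect report.

Added example, not from the original post or from the tools themselves: it
pulls out the lines a removal helper reads first and sorts them into findings
for a human to review.  It does not decide whether the machine is infected.
"""
import ipaddress
import re

# Lines excerpted from the logs posted above (a constructed subset, not a full log).
SAMPLE_LOG = r"""
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
TCP: Interfaces\{E3A5140F-6019-4024-BABA-22701DDAC182}\0556163686 : DhcpNameServer = 68.87.66.234 68.87.64.230
20:27:30.950 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85b0d1ed]<<
20:27:31.329 \Driver\atapi[0x859b3398] -> IRP_MJ_CREATE -> 0x84c641f8
? System32\Drivers\spfj.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8FD67D18 5 Bytes JMP 85D9F4E0
.text C:\Windows\system32\lsass.exe[572] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
.text C:\Windows\system32\csrss.exe[448] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
"""

# DDS policy values that weaken UAC.  Which ones to flag is an assumption: users
# set these deliberately, but malware that needs silent elevation sets them too.
UAC_POLICIES = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}

POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(.+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
IRP_RE = re.compile(r"(\\Driver\\\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)$")
MISSING_DRV_RE = re.compile(r"^\?\s+(\S+)\s+The system cannot find the path specified")
USER_HOOK_RE = re.compile(r"^\.text (\S+)\[(\d+)\] (\S+!\S+).*?JMP ([0-9A-F]+)")
KERNEL_HOOK_RE = re.compile(r"^\.text (\S+!\S+) [0-9A-F]+ \d+ Bytes JMP ([0-9A-F]+)")


def uac_findings(lines):
    """{policy: value} for each UAC policy line that matches the weak table."""
    found = {}
    for line in lines:
        m = POLICY_RE.match(line)
        if m and UAC_POLICIES.get(m.group(1)) == m.group(2):
            found[m.group(1)] = int(m.group(2))
    return found


def public_resolvers(lines):
    """DHCP-assigned DNS servers outside private ranges; a DNS changer is one cause
    of redirects, so compare these with what the user's ISP really hands out."""
    public = set()
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue
            if not ip.is_private:
                public.add(str(ip))
    return sorted(public)


def disk_stack_findings(lines):
    """aswMBR trace lines where the disk I/O path reaches code aswMBR could not map
    to a loaded driver, or a driver dispatch entry points at a bare address."""
    findings = []
    for line in lines:
        if m := UNKNOWN_RE.search(line):
            findings.append(("unresolved-module-in-disk-path", m.group(1)))
        elif m := IRP_RE.search(line):
            findings.append(("dispatch-to-raw-address", f"{m.group(1)} {m.group(2)} -> {m.group(3)}"))
    return findings


def gmer_findings(lines):
    """Kernel inline JMP hooks, user-mode JMP hooks grouped by jump target (one
    injected module shows up as one cluster) and drivers whose path GMER could
    not open.  Single-byte patches such as GetBinaryTypeW are left for manual review."""
    kernel_hooks, missing = [], []
    user_hooks = {}  # jump target -> [(process, pid, hooked function)]
    for line in lines:
        if m := MISSING_DRV_RE.match(line):
            missing.append(m.group(1))
        elif m := USER_HOOK_RE.match(line):
            proc, pid, func, target = m.groups()
            user_hooks.setdefault(target, []).append((proc, int(pid), func))
        elif m := KERNEL_HOOK_RE.match(line):
            kernel_hooks.append((m.group(1), m.group(2)))
    return {"kernel_hooks": kernel_hooks, "user_hooks": user_hooks, "missing_drivers": missing}


def triage(text):
    """Run every check over a pasted log; returns findings keyed by section."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    return {"uac": uac_findings(lines), "public_resolvers": public_resolvers(lines),
            "disk_stack": disk_stack_findings(lines), "gmer": gmer_findings(lines)}


if __name__ == "__main__":
    for section, result in triage(SAMPLE_LOG).items():
        print(f"{section}: {result}")
```

To use it on a real report, paste the complete DDS, aswMBR and GMER output into triage(); the script only narrows what to read. The single-byte patches (the GetBinaryTypeW + 70 entries) and the avast SSDT entries are deliberately not collected, because deciding whether they are expected needs a person who knows the installed security software.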
     
  2. 2011/06/18
    broni (Moderator, Malware Analyst)
    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================

    GMER log is missing.
     

  3. 2011/06/19
    keenyoung (Thread Starter)
    Sorry, I removed the GMER log because the post was too large, and forgot to repost it. Here it is:

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-18 20:25:42
    Windows 6.1.7601 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9120822AS rev.3.BHE
    Running: kqq6fg05.exe; Driver: C:\Users\DSMOKE~1\AppData\Local\Temp\fwdorpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x89383202]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8E4BBCB2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8938581C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x89385874]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8938598A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x89385772]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x893858C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x893857C6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x89385938]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x89383226]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8E4BBD62]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x89382FF0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8938324A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x89385D82]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x89383CDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8938584C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8938589C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x893859B4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8938579E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x89385904]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x893857F4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x89385962]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8E4BBDFA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x89383BA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8938326E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x89383292]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8938304A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x89383186]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x89383162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x893831AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x893832B6]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13C1 82A78339 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB1D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82AB8DC0 4 Bytes [02, 32, 38, 89]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82AB8DE8 4 Bytes [B2, BC, 4B, 8E]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82AB8E9C 8 Bytes [1C, 58, 38, 89, 74, 58, 38, ...] {SBB AL, 0x58; CMP [ECX-0x76c7a78c], CL}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82AB8EA8 4 Bytes [8A, 59, 38, 89]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82AB8EC4 4 Bytes [72, 57, 38, 89]
    .text ...
    ? System32\Drivers\spfj.sys The system cannot find the path specified. !
    .text USBPORT.SYS!DllUnload 8FD67D18 5 Bytes JMP 85D9F4E0
    .text arctjxc2.SYS 8E593000 12 Bytes [44, 88, A0, 82, EE, 86, A0, ...]
    .text arctjxc2.SYS 8E59300D 9 Bytes [67, A0, 82, 48, 8B, A0, 82, ...]
    .text arctjxc2.SYS 8E593017 170 Bytes [00, DE, B7, B0, 88, E6, B5, ...]
    .text arctjxc2.SYS 8E5930C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    .text arctjxc2.SYS 8E5930CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
    .text ...
    .text kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text user32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes [E9, 0A, 5C, 68, 89] {JMP 0xffffffff89685c0f}
    .text user32.dll!UnhookWinEvent 76C9B750 5 Bytes [E9, A7, 4C, 68, 89] {JMP 0xffffffff89684cac}
    .text user32.dll!SetWindowsHookExW 76C9E30C 5 Bytes [E9, F3, 24, 68, 89] {JMP 0xffffffff896824f8}
    .text user32.dll!SetWinEventHook 76CA24DC 5 Bytes [E9, 17, DD, 67, 89] {JMP 0xffffffff8967dd1c}
    .text user32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes [E9, EF, 98, 65, 89] {JMP 0xffffffff896598f4}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\csrss.exe[448] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001703FC
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001701F8
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00200A08
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002003FC
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00200804
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002001F8
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00200600
    .text C:\Windows\system32\wininit.exe[500] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000703FC
    .text C:\Windows\system32\wininit.exe[500] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000701F8
    .text C:\Windows\system32\wininit.exe[500] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00090A08
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000903FC
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00090804
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000901F8
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00090600
    .text C:\Windows\system32\csrss.exe[512] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\services.exe[556] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\services.exe[556] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\services.exe[556] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[572] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsass.exe[572] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\lsass.exe[572] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00140A08
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001403FC
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00140804
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001401F8
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00140600
    .text C:\Windows\system32\lsm.exe[580] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsm.exe[580] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\lsm.exe[580] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[700] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[700] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[752] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000303FC
    .text C:\Windows\system32\winlogon.exe[752] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000301F8
    .text C:\Windows\system32\winlogon.exe[752] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 000C0804
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 000C0600
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!closesocket 75433918 5 Bytes JMP 0048000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!getaddrinfo 75434296 5 Bytes JMP 004B000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!connect 75436BDD 5 Bytes JMP 0047000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!send 75436F01 5 Bytes JMP 0049000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!gethostbyname 75447673 5 Bytes JMP 004A000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00230A08
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002303FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00230804
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002301F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00230600
    .text C:\Windows\system32\svchost.exe[840] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[840] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[840] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00200A08
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002003FC
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00200804
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002001F8
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00200600
    .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00850A08
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 008503FC
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00850804
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 008501F8
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00850600
    .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00F50A08
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 00F503FC
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00F50804
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 00F501F8
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00F50600
    .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00250A08
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002503FC
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00250804
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002501F8
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00250600
    .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 001C0A08
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001C03FC
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 001C0804
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001C01F8
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 001C0600
    .text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1368] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00470A08
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 004703FC
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00470804
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 004701F8
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00470600
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1440] kernel32.dll!SetUnhandledExceptionFilter 76F83162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1440] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\spoolsv.exe[1720] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00140A08
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001403FC
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00140804
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001401F8
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00140600
    .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1752] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 003D0A08
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 003D03FC
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 003D0804
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 003D01F8
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 003D0600
    .text C:\Windows\System32\svchost.exe[1844] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[1844] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[1844] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00510A08
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 005103FC
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00510804
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 005101F8
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00510600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00100A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001003FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00100804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001001F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00100600
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000903FC
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000901F8
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00140A08
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001403FC
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00140804
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001401F8
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00140600
    .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1952] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[2004] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2036] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2036] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2036] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2100] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[2100] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[2100] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00370A08
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 003703FC
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00370804
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 003701F8
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00370600
    .text C:\Windows\System32\svchost.exe[2224] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[2224] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[2224] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 003D0A08
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 003D03FC
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 003D0804
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 003D01F8
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 003D0600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00180A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001803FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00180804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001801F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00180600
    .text C:\Windows\system32\NOTEPAD.EXE[2428] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\NOTEPAD.EXE[2428] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\NOTEPAD.EXE[2428] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00100A08
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001003FC
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00100804
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001001F8
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00100600
    .text C:\Windows\system32\Dwm.exe[2452] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\Dwm.exe[2452] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\Dwm.exe[2452] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00080A08
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000803FC
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00080804
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000801F8
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00080600
    .text C:\Windows\Explorer.EXE[2476] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\Explorer.EXE[2476] ntdll.dll!LdrLoadDll
     
  5. 2011/06/19
    keenyoung

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-06-18 20:25:42
    Windows 6.1.7601 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9120822AS rev.3.BHE
    Running: kqq6fg05.exe; Driver: C:\Users\DSMOKE~1\AppData\Local\Temp\fwdorpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x89383202]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8E4BBCB2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8938581C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x89385874]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8938598A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x89385772]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x893858C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x893857C6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x89385938]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x89383226]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8E4BBD62]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x89382FF0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8938324A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x89385D82]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x89383CDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8938584C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8938589C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x893859B4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8938579E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x89385904]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x893857F4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x89385962]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8E4BBDFA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x89383BA0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8938326E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x89383292]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8938304A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x89383186]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x89383162]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x893831AA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x893832B6]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKey + 13C1 82A78339 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB1D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82AB8DC0 4 Bytes [02, 32, 38, 89]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82AB8DE8 4 Bytes [B2, BC, 4B, 8E]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82AB8E9C 8 Bytes [1C, 58, 38, 89, 74, 58, 38, ...] {SBB AL, 0x58; CMP [ECX-0x76c7a78c], CL}
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82AB8EA8 4 Bytes [8A, 59, 38, 89]
    .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82AB8EC4 4 Bytes [72, 57, 38, 89]
    .text ...
    ? System32\Drivers\spfj.sys The system cannot find the path specified. !
    .text USBPORT.SYS!DllUnload 8FD67D18 5 Bytes JMP 85D9F4E0
    .text arctjxc2.SYS 8E593000 12 Bytes [44, 88, A0, 82, EE, 86, A0, ...]
    .text arctjxc2.SYS 8E59300D 9 Bytes [67, A0, 82, 48, 8B, A0, 82, ...]
    .text arctjxc2.SYS 8E593017 170 Bytes [00, DE, B7, B0, 88, E6, B5, ...]
    .text arctjxc2.SYS 8E5930C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
    .text arctjxc2.SYS 8E5930CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
    .text ...
    .text kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text user32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes [E9, 0A, 5C, 68, 89] {JMP 0xffffffff89685c0f}
    .text user32.dll!UnhookWinEvent 76C9B750 5 Bytes [E9, A7, 4C, 68, 89] {JMP 0xffffffff89684cac}
    .text user32.dll!SetWindowsHookExW 76C9E30C 5 Bytes [E9, F3, 24, 68, 89] {JMP 0xffffffff896824f8}
    .text user32.dll!SetWinEventHook 76CA24DC 5 Bytes [E9, 17, DD, 67, 89] {JMP 0xffffffff8967dd1c}
    .text user32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes [E9, EF, 98, 65, 89] {JMP 0xffffffff896598f4}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\csrss.exe[448] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001703FC
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001701F8
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00200A08
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002003FC
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00200804
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002001F8
    .text C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00200600
    .text C:\Windows\system32\wininit.exe[500] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000703FC
    .text C:\Windows\system32\wininit.exe[500] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000701F8
    .text C:\Windows\system32\wininit.exe[500] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00090A08
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000903FC
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00090804
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000901F8
    .text C:\Windows\system32\wininit.exe[500] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00090600
    .text C:\Windows\system32\csrss.exe[512] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\services.exe[556] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\services.exe[556] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\services.exe[556] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[572] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsass.exe[572] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\lsass.exe[572] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00140A08
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001403FC
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00140804
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001401F8
    .text C:\Windows\system32\lsass.exe[572] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00140600
    .text C:\Windows\system32\lsm.exe[580] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsm.exe[580] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\lsm.exe[580] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[700] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[700] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[700] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[752] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000303FC
    .text C:\Windows\system32\winlogon.exe[752] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000301F8
    .text C:\Windows\system32\winlogon.exe[752] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 000C0804
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\winlogon.exe[752] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 000C0600
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!closesocket 75433918 5 Bytes JMP 0048000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!getaddrinfo 75434296 5 Bytes JMP 004B000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!connect 75436BDD 5 Bytes JMP 0047000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!send 75436F01 5 Bytes JMP 0049000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] WS2_32.dll!gethostbyname 75447673 5 Bytes JMP 004A000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00230A08
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002303FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00230804
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002301F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[824] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00230600
    .text C:\Windows\system32\svchost.exe[840] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[840] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[840] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[904] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[904] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00200A08
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002003FC
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00200804
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002001F8
    .text C:\Windows\System32\svchost.exe[904] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00200600
    .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[972] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[972] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00850A08
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 008503FC
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00850804
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 008501F8
    .text C:\Windows\System32\svchost.exe[972] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00850600
    .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1028] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1028] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00F50A08
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 00F503FC
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00F50804
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 00F501F8
    .text C:\Windows\system32\svchost.exe[1028] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00F50600
    .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1184] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00250A08
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002503FC
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00250804
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002501F8
    .text C:\Windows\system32\svchost.exe[1184] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00250600
    .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[1192] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[1192] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 001C0A08
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001C03FC
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 001C0804
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001C01F8
    .text C:\Windows\System32\svchost.exe[1192] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 001C0600
    .text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1368] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1368] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00470A08
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 004703FC
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00470804
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 004701F8
    .text C:\Windows\system32\svchost.exe[1368] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00470600
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1440] kernel32.dll!SetUnhandledExceptionFilter 76F83162 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1440] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\spoolsv.exe[1720] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\spoolsv.exe[1720] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00140A08
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001403FC
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00140804
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001401F8
    .text C:\Windows\System32\spoolsv.exe[1720] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00140600
    .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1752] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1752] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 003D0A08
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 003D03FC
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 003D0804
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 003D01F8
    .text C:\Windows\system32\svchost.exe[1752] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 003D0600
    .text C:\Windows\System32\svchost.exe[1844] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[1844] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[1844] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00510A08
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 005103FC
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00510804
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 005101F8
    .text C:\Windows\System32\svchost.exe[1844] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00510600
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00100A08
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001003FC
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00100804
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001001F8
    .text C:\Program Files\Bonjour\mDNSResponder.exe[1888] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00100600
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000903FC
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000901F8
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00140A08
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001403FC
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00140804
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001401F8
    .text C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe[1924] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00140600
    .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1952] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1952] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[2004] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[2004] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2036] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001503FC
    .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2036] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001501F8
    .text C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe[2036] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2100] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[2100] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[2100] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00370A08
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 003703FC
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00370804
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 003701F8
    .text C:\Windows\system32\svchost.exe[2100] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00370600
    .text C:\Windows\System32\svchost.exe[2224] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[2224] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[2224] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 003D0A08
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 003D03FC
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 003D0804
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 003D01F8
    .text C:\Windows\System32\svchost.exe[2224] user32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 003D0600
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00180A08
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001803FC
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00180804
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001801F8
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe[2400] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00180600
    .text C:\Windows\system32\NOTEPAD.EXE[2428] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\NOTEPAD.EXE[2428] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\NOTEPAD.EXE[2428] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00100A08
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001003FC
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00100804
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001001F8
    .text C:\Windows\system32\NOTEPAD.EXE[2428] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00100600
    .text C:\Windows\system32\Dwm.exe[2452] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\Dwm.exe[2452] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\Dwm.exe[2452] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00080A08
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000803FC
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00080804
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000801F8
    .text C:\Windows\system32\Dwm.exe[2452] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00080600
    .text C:\Windows\Explorer.EXE[2476] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\Explorer.EXE[2476] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\Explorer.EXE[2476] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\Explorer.EXE[2476] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00150A08
    .text C:\Windows\Explorer.EXE[2476] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001503FC
    .text C:\Windows\Explorer.EXE[2476] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00150804
    .text C:\Windows\Explorer.EXE[2476] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001501F8
    .text C:\Windows\Explorer.EXE[2476] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00150600
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001503FC
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001501F8
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 001E0A08
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001E03FC
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 001E0804
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001E01F8
    .text C:\Program Files\Apoint2K\Apoint.exe[2604] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 001E0600
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000703FC
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000701F8
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00250A08
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002503FC
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00250804
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002501F8
    .text C:\Windows\WindowsMobile\wmdc.exe[2616] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00250600
    .text C:\Windows\System32\igfxtray.exe[2624] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Windows\System32\igfxtray.exe[2624] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Windows\System32\igfxtray.exe[2624] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\igfxtray.exe[2624] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00190A08
    .text C:\Windows\System32\igfxtray.exe[2624] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001903FC
    .text C:\Windows\System32\igfxtray.exe[2624] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00190804
    .text C:\Windows\System32\igfxtray.exe[2624] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001901F8
    .text C:\Windows\System32\igfxtray.exe[2624] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00190600
    .text C:\Windows\System32\hkcmd.exe[2632] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Windows\System32\hkcmd.exe[2632] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Windows\System32\hkcmd.exe[2632] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\hkcmd.exe[2632] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00210A08
    .text C:\Windows\System32\hkcmd.exe[2632] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002103FC
    .text C:\Windows\System32\hkcmd.exe[2632] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00210804
    .text C:\Windows\System32\hkcmd.exe[2632] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002101F8
    .text C:\Windows\System32\hkcmd.exe[2632] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00210600
    .text C:\Windows\System32\igfxpers.exe[2644] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Windows\System32\igfxpers.exe[2644] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Windows\System32\igfxpers.exe[2644] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\System32\igfxpers.exe[2644] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00200A08
    .text C:\Windows\System32\igfxpers.exe[2644] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002003FC
    .text C:\Windows\System32\igfxpers.exe[2644] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00200804
    .text C:\Windows\System32\igfxpers.exe[2644] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002001F8
    .text C:\Windows\System32\igfxpers.exe[2644] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00200600
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000703FC
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000701F8
  6. 2011/06/19
    keenyoung
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00120A08
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001203FC
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00120804
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001201F8
    .text C:\Program Files\Zune\ZuneLauncher.exe[2656] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00120600
    .text C:\Windows\system32\igfxsrvc.exe[2716] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Windows\system32\igfxsrvc.exe[2716] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Windows\system32\igfxsrvc.exe[2716] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\igfxsrvc.exe[2716] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 001F0A08
    .text C:\Windows\system32\igfxsrvc.exe[2716] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001F03FC
    .text C:\Windows\system32\igfxsrvc.exe[2716] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 001F0804
    .text C:\Windows\system32\igfxsrvc.exe[2716] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001F01F8
    .text C:\Windows\system32\igfxsrvc.exe[2716] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 001F0600
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00200A08
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 002003FC
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00200804
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 002001F8
    .text C:\Program Files\Apoint2K\ApMsgFwd.exe[2744] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00200600
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00110A08
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001103FC
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00110804
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001101F8
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2788] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00110600
    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2820] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00110A08
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001103FC
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00110804
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001101F8
    .text C:\Program Files\Windows Sidebar\sidebar.exe[2828] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00110600
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001603FC
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001601F8
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00320A08
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 003203FC
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00320804
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 003201F8
    .text C:\Users\D Smoke\Downloads\kqq6fg05.exe[2836] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00320600
    .text C:\Windows\system32\svchost.exe[2840] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[2840] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[2840] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 000F0A08
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000F03FC
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 000F0804
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000F01F8
    .text C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe[2952] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 000F0600
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 001503FC
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 001501F8
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 001E0A08
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001E03FC
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 001E0804
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001E01F8
    .text C:\Program Files\Apoint2K\Apntex.exe[2964] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 001E0600
    .text C:\Windows\system32\conhost.exe[3128] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000303FC
    .text C:\Windows\system32\conhost.exe[3128] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000301F8
    .text C:\Windows\system32\conhost.exe[3128] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\conhost.exe[3128] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\conhost.exe[3128] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\conhost.exe[3128] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 000C0804
    .text C:\Windows\system32\conhost.exe[3128] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\conhost.exe[3128] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 000C0600
    .text C:\Windows\system32\svchost.exe[3208] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[3208] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[3208] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\SearchIndexer.exe[3560] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\SearchIndexer.exe[3560] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\SearchIndexer.exe[3560] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Windows\system32\SearchIndexer.exe[3560] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 000D0A08
    .text C:\Windows\system32\SearchIndexer.exe[3560] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000D03FC
    .text C:\Windows\system32\SearchIndexer.exe[3560] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 000D0804
    .text C:\Windows\system32\SearchIndexer.exe[3560] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000D01F8
    .text C:\Windows\system32\SearchIndexer.exe[3560] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 000D0600
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00100A08
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 001003FC
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00100804
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 001001F8
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3728] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00100600
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] ntdll.dll!LdrUnloadDll 76E3BEAF 5 Bytes JMP 000603FC
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] ntdll.dll!LdrLoadDll 76E3F5B5 5 Bytes JMP 000601F8
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] kernel32.dll!GetBinaryTypeW + 70 76F97984 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!SetWindowLongA 76C98BA3 5 Bytes JMP 675D9777 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!UnhookWindowsHookEx 76C9ADF9 5 Bytes JMP 00090A08
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!UnhookWinEvent 76C9B750 5 Bytes JMP 000903FC
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!SetWindowsHookExW 76C9E30C 5 Bytes JMP 00090804
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!SetWinEventHook 76CA24DC 5 Bytes JMP 000901F8
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!SetWindowLongW 76CA4449 5 Bytes JMP 675D9709 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!GetWindowInfo 76CA4B5E 5 Bytes JMP 67407C37 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!TrackPopupMenu 76CB2228 5 Bytes JMP 6740823A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3956] USER32.dll!SetWindowsHookExA 76CC6D0C 5 Bytes JMP 00090600

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88A0F042] \SystemRoot\System32\Drivers\spfj.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88A0F6D6] \SystemRoot\System32\Drivers\spfj.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88A0F800] \SystemRoot\System32\Drivers\spfj.sys
    IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88A0F13E] \SystemRoot\System32\Drivers\spfj.sys
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortNotification] 00147880
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] [7500117B] \Windows\System32\comctl32.dll (Common Controls Library/Microsoft Corporation)
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortReadPortBufferUshort] [7500137B] \Windows\System32\comctl32.dll (Common Controls Library/Microsoft Corporation)
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortInitialize] 157B805E
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
    IAT \SystemRoot\System32\Drivers\arctjxc2.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe[456] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Zune\ZuneLauncher.exe[2656] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Zune\ZuneLauncher.exe[2656] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Zune\ZuneLauncher.exe[2656] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
    IAT C:\Program Files\Zune\ZuneLauncher.exe[2656] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E85E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 84C671F8
    Device \Driver\volmgr \Device\VolMgrControl 84C621F8
    Device \Driver\usbuhci \Device\USBPDO-0 85EAE500
    Device \Driver\usbuhci \Device\USBPDO-1 85EAE500
    Device \Driver\sptd \Device\3490222688 spfj.sys
    Device \Driver\usbuhci \Device\USBPDO-2 85EAE500
    Device \Driver\usbehci \Device\USBPDO-3 85E89500

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{4E45A906-40AC-4D73-9F7E-EA06FFDCDF7A} 85E011F8
    Device \Driver\volmgr \Device\HarddiskVolume1 84C621F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\volmgr \Device\HarddiskVolume2 84C621F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\cdrom \Device\CdRom0 85D11500
    Device \Driver\volmgr \Device\HarddiskVolume3 84C621F8

    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84C641F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 84C641F8
    Device \Driver\atapi \Device\Ide\IdePort0 84C641F8
    Device \Driver\atapi \Device\Ide\IdePort1 84C641F8
    Device \Driver\atapi \Device\Ide\IdePort2 84C641F8
    Device \Driver\msahci \Device\Ide\PciIde1Channel0 84C651F8
    Device \Driver\cdrom \Device\CdRom1 85D11500
    Device \Driver\NetBT \Device\NetBT_Tcpip_{E3A5140F-6019-4024-BABA-22701DDAC182} 85E011F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 85E011F8
    Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \Driver\PCI_PNP8683 \Device\0000005d spfj.sys
    Device \Driver\usbuhci \Device\USBFDO-0 85EAE500
    Device \Driver\usbuhci \Device\USBFDO-1 85EAE500
    Device \Driver\usbuhci \Device\USBFDO-2 85EAE500
    Device \Driver\usbehci \Device\USBFDO-3 85E89500
    Device \Driver\arctjxc2 \Device\Scsi\arctjxc21 85F14500
    Device \Driver\arctjxc2 \Device\Scsi\arctjxc21Port3Path0Target0Lun0 85F14500

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:268] 85B11E7A
    Thread System [4:272] 85B14008

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD8 0x84 0x78 0x7A ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0xC4 0xF7 0x63 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE2 0xD7 0x3A ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD8 0x84 0x78 0x7A ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF4 0xC4 0xF7 0x63 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA6 0xE2 0xD7 0x3A ...

    ---- EOF - GMER 1.0.15 ----
     
  7. 2011/06/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please make sure "word wrap" is disabled in your Notepad, because some logs are hard to read.

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning... just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  8. 2011/06/20
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    Sorry about the word wrap. Here is the RKUnhooker log:

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows 7
    Version 6.1.7601
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0x8F20B000 C:\Windows\system32\DRIVERS\igdkmd32.sys 5279744 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
    0x82A01000 C:\Windows\system32\ntkrnlpa.exe 4268032 bytes (Microsoft Corporation, NT Kernel & System)
    0x82A01000 PnpManager 4268032 bytes
    0x82A01000 RAW 4268032 bytes
    0x82A01000 WMIxWDM 4268032 bytes
    0x82060000 Win32k 2404352 bytes
    0x82060000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x8908B000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
    0x88E14000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
    0x93028000 C:\Windows\system32\DRIVERS\athr.sys 1114112 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
    0x93E85000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1056768 bytes (Conexant Systems, Inc., HSF_DP driver)
    0x88A8C000 PCI_PNP4090 995328 bytes
    0x88A8C000 C:\Windows\System32\Drivers\spbl.sys 995328 bytes
    0x88A8C000 sptd 995328 bytes
    0x8F714000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x88D0C000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
    0x9401E000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
    0x88900000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
    0x9875F000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x9861A000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x8882D000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
    0x88A0D000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
    0x8937C000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
    0x8E016000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
    0x88F81000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
    0x8DA1D000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xA9E13000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
    0x8DB9F000 C:\Windows\system32\DRIVERS\HAVATV.sys 327680 bytes (Monsoon Multimedia Inc., HavaTV WDM driver)
    0x93834000 C:\Windows\system32\DRIVERS\HavaTV_10.sys 327680 bytes (Monsoon Multimedia Inc., HavaTV WDM driver)
    0x93FA8000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x9314D000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x88C12000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x8E0A0000 C:\Windows\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
    0x88BAE000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x941A8000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
    0x93955000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x888BE000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
    0x8DB3E000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x89236000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x89028000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x93E48000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
    0x986ED000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x8E1AC000 C:\Windows\System32\Drivers\al8ppvyj.SYS 233472 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0x8E147000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
    0x94143000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
    0x82E13000 ACPI_HAL 225280 bytes
    0x82E13000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x939AA000 C:\Windows\system32\drivers\CHDRT32.sys 221184 bytes (Conexant Systems Inc., High Definition Audio Function Driver)
    0x88CC7000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x93800000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
    0x892C2000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
    0x8DA7C000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x88DC3000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x93E00000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x8927D000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
    0x8E180000 C:\Windows\system32\DRIVERS\Apfiltr.sys 180224 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
    0x88F43000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x889AB000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x88B88000 C:\Windows\System32\Drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
    0x89305000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
    0x89066000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
    0x88C91000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0x986CA000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x938B9000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0x8DB16000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes
    0x93F87000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
    0x8E0EA000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x8920C000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x8935D000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x8F7CB000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x8DAB5000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x822F0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
    0x94128000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0x98728000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x9417E000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x9869F000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x93E2F000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
    0x8E07A000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x931B8000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
    0x93896000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x938DB000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x938F3000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x9390A000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x88810000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
    0x88C72000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
    0x8E124000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
    0x88F6E000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x94000000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x8DAF3000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0x93884000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
    0x8E10B000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
    0x986B8000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x892F4000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x9410C000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
    0x88CFB000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x93999000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x889D5000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
    0x888A5000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x931A7000 C:\Windows\system32\DRIVERS\Rtnicxp.sys 69632 bytes (Realtek Semiconductor Corporation , Realtek 10/100 NDIS 5.1 Driver )
    0x8DAD4000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
    0x94198000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x892AA000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
    0x941EE000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
    0x8DB06000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
    0x88800000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
    0x93198000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x8E092000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
    0x9392D000 C:\Windows\system32\DRIVERS\havabus.sys 57344 bytes (Monsoon Multimedia Inc., HAVA Bus Driver)
    0x8DAE5000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x8900B000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x88C64000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x88FDE000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
    0x93000000 C:\Windows\system32\DRIVERS\STREAM.SYS 57344 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
    0x9393B000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x88A7E000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
    0x931EA000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
    0x940EA000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x931D0000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x940D3000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
    0x931DD000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
    0x98600000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x891DD000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
    0x8DB93000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
    0x93949000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
    0x89200000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x889EE000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
    0x940F7000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
    0x9411D000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
    0x89000000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x938AE000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x89019000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x93142000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0x88A00000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
    0x88FF5000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
    0x94102000 C:\Windows\System32\Drivers\dump_msahci.sys 40960 bytes
    0x940E0000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x88CB4000 C:\Windows\system32\DRIVERS\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
    0x8DB89000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x8DB7F000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0x93921000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
    0x987F6000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0x93138000 C:\Windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)
    0x88CBE000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
    0x88C88000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0xA9ECF000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x88FEC000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x822C0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x891D4000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
    0x8E13E000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0x88B7F000 C:\Windows\System32\Drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x888B6000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x889E6000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
    0x892BA000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
    0x80BC3000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
    0x88BF6000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x8922D000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x891EA000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
    0x891F2000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
    0x89275000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0x9860D000 C:\Windows\system32\DRIVERS\XAudio32.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
    0x893F3000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x8E137000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0x88C5D000 C:\Windows\system32\DRIVERS\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0x893EC000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x8DAAE000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
    0x8DB38000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes
    0x8DA77000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
    0x8E11D000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0x9875B000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
    0x9417B000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
    0x8E121000 C:\Windows\system32\DRIVERS\cpqbttn.sys 12288 bytes (Hewlett-Packard Development Company, L.P., HP Tablet PC Key Button HID Driver)
    0x9392B000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x84C671F8 unknown_irp_handler 3592 bytes
    0x84C641F8 unknown_irp_handler 3592 bytes
    0x85EB61F8 unknown_irp_handler 3592 bytes
    0x84C661F8 unknown_irp_handler 3592 bytes
    0x85DFD1F8 unknown_irp_handler 3592 bytes
    0x85D3B1F8 unknown_irp_handler 3592 bytes
    0x84C621F8 unknown_irp_handler 3592 bytes
    0x84C651F8 unknown_irp_handler 3592 bytes
    0x85DC71F8 unknown_irp_handler 3592 bytes
    0x85E82500 unknown_irp_handler 2816 bytes
    0x85EB4500 unknown_irp_handler 2816 bytes
    ==============================================
    >Stealth
    ==============================================
    0x85B89A91 Unknown page with executable code, 1391 bytes
    0x89236000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
    0x85B88288 Unknown page with executable code, 3448 bytes
    0x85B8A191 Unknown page with executable code, 3695 bytes
    0x85B8CE7A Unknown thread object [ ETHREAD 0x85CC7D48 ] TID: 268, 600 bytes
    0x85B8F008 Unknown thread object [ ETHREAD 0x85CC91F0 ] TID: 272, 600 bytes
    WARNING: File locked for read access [C:\Windows\system32\drivers\sptd.sys]
    0x85B8ECDC Unknown page with executable code, 804 bytes
     
  9. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We have a rootkited driver there (volsnap.sys).

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. 2011/06/20
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    Combofix crashed to a blue screen the first several times. Rkill crashed several times. I finally got Rkill.scr to run and then a renamed combofix. Here are the logs:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 06/20/2011 at 20:52:54.
    Operating System: Windows 7 Ultimate


    Processes terminated by Rkill or while it was running:



    Rkill completed on 06/20/2011 at 20:53:04.


    ComboFix 11-06-19.0r1 - D Smoke 06/20/2011 20:55:26.3.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.0.1252.1.1033.18.2038.1371 [GMT -5:00]
    Running from: c:\users\D Smoke\Desktop\k_young.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-21 02:07 . 2011-06-21 02:07 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-06-21 02:07 . 2011-06-21 02:07 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-20 20:51 . 2011-06-20 21:59 -------- d-----w- C:\VideoOutput
    2011-06-20 20:51 . 2011-06-20 20:51 -------- d-----w- c:\program files\Avi to Mpeg
    2011-06-19 00:35 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-19 00:35 . 2011-06-19 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-18 22:48 . 2011-06-18 22:48 388096 ----a-r- c:\users\D Smoke\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-06-18 22:48 . 2011-06-18 22:48 -------- d-----w- c:\program files\Trend Micro
    2011-06-18 22:11 . 2011-06-18 22:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-06-18 21:18 . 2011-06-18 21:18 -------- d-----w- c:\users\D Smoke\AppData\Roaming\Malwarebytes
    2011-06-18 21:18 . 2011-06-18 21:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-18 20:46 . 2011-06-18 20:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2011-06-18 20:38 . 2011-06-18 20:50 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-18 20:38 . 2011-06-18 20:38 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-06-18 20:36 . 2011-06-18 20:46 -------- d-----w- c:\programdata\Hitman Pro
    2011-06-12 22:50 . 2011-06-12 22:50 -------- d-----w- c:\users\D Smoke\AppData\Roaming\Apple Computer
    2011-06-12 22:50 . 2011-06-12 22:50 -------- d-----w- c:\users\D Smoke\AppData\Local\Apple Computer
    2011-06-12 22:43 . 2011-06-12 22:43 -------- d-----w- c:\program files\Safari
    2011-06-12 22:43 . 2011-06-12 22:43 -------- d-----w- c:\programdata\Apple Computer
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Bonjour
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Common Files\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\users\D Smoke\AppData\Local\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\programdata\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Apple Software Update
    2011-06-11 01:34 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-06-11 01:34 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-06-11 01:34 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-06-11 01:34 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-06-11 01:34 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-06-11 01:34 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-06-11 01:33 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-06-11 01:33 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-06-11 01:33 . 2011-06-11 01:33 -------- d-----w- c:\programdata\AVAST Software
    2011-06-11 01:33 . 2011-06-11 01:33 -------- d-----w- c:\program files\AVAST Software
    2011-06-11 01:20 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C32C6171-7CA2-4882-BFBA-A58FF51D2CA0}\mpengine.dll
    2011-06-10 00:50 . 2011-06-11 01:13 -------- d-----w- c:\windows\system32\SPReview
    2011-06-10 00:48 . 2011-06-11 01:15 -------- d-----w- c:\windows\system32\EventProviders
    2011-06-10 00:48 . 2011-06-11 01:14 -------- d-----w- C:\9d0918abf386d64be6943cd108bf
    2011-06-06 15:53 . 2011-06-06 15:53 -------- d--h--w- c:\users\D Smoke\AppData\Local\Borders Desktop
    2011-06-06 15:52 . 2011-06-11 01:14 -------- d-----w- c:\program files\Borders Desktop
    2011-06-06 15:12 . 2011-06-11 01:14 -------- d-----w- c:\program files\Common Files\Adobe
    2011-06-05 22:23 . 2011-06-06 05:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-24 21:55 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-05-23 20:29 . 2010-11-20 12:21 750592 ------w- c:\windows\system32\schedsvc.dll
    2011-05-23 20:29 . 2010-11-20 12:24 1288488 ----a-w- c:\windows\system32\ntdll.dll.1
    2011-05-23 20:29 . 2010-11-20 12:20 585728 ------w- c:\windows\system32\qmgr.dll
    2011-05-23 20:29 . 2010-11-20 12:20 1414144 ------w- c:\windows\system32\ole32.dll
    2011-05-23 20:29 . 2010-11-20 12:21 1128448 ------w- c:\windows\system32\vssapi.dll
    2011-05-23 20:29 . 2010-11-20 12:21 505856 ------w- c:\windows\system32\taskschd.dll
    2011-05-23 20:27 . 2010-11-20 12:21 162304 ------w- c:\windows\system32\WUDFPlatform.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-09 06:13 . 2011-05-11 05:05 3957632 ----a-w- c:\windows\system32\ntkrnlpa(3039).exe
    2011-04-09 06:13 . 2011-05-11 05:05 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-09 06:02 . 2011-05-11 05:05 3967872 ------w- c:\windows\system32\ntkrnlpa.exe
    2011-04-09 05:56 . 2011-05-17 13:58 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-03-29 19:09 . 2011-03-29 19:09 21504 ----a-w- c:\windows\system32\drivers\libusb0.sys
    2011-03-29 19:09 . 2011-03-29 19:09 37376 ----a-w- c:\windows\system32\libusb0.dll
    2011-03-25 03:06 . 2011-05-11 05:05 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-03-25 03:06 . 2011-05-11 05:05 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-03-25 03:06 . 2011-05-11 05:05 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-25 03:06 . 2011-05-11 05:05 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    2010-01-01 08:00 . 2011-04-01 20:50 135168 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Tracker Alarmer.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Tracker Alarmer.lnk
    backup=c:\windows\pss\Office Tracker Alarmer.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 havasvc;HAVA Service;c:\program files\Monsoon Multimedia\HAVA\Common\havasvc.exe [2009-06-17 145408]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 havabus;HAVA Bus Enumerator;c:\windows\system32\DRIVERS\havabus.sys [2009-06-17 37376]
    S3 HAVATV;Hava Video Device;c:\windows\system32\DRIVERS\HAVATV.sys [2009-06-17 324224]
    S3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\DRIVERS\HavaTV_10.sys [2009-06-17 324224]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    Akamai REG_MULTI_SZ Akamai
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\D Smoke\AppData\Roaming\Mozilla\Firefox\Profiles\w3xomn2y.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-20 21:18:53
    ComboFix-quarantined-files.txt 2011-06-21 02:18
    ComboFix2.txt 2011-06-21 01:19
    ComboFix3.txt 2011-06-18 23:22
    .
    Pre-Run: 60,234,297,344 bytes free
    Post-Run: 59,986,415,616 bytes free
    .
    - - End Of File - - 59967896A5FD7F22B9AA46D830C19086
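A small triage script, added here as an example (it is not part of RKUnhooker, ComboFix, or any tool used in this thread): it parses the RKUnhooker ">Stealth" section posted earlier, which is what the "rootkited driver (volsnap.sys)" diagnosis above rests on, and the ComboFix policies\system block from the log just posted, and reports what a reviewer would flag in each. The sample input is copied from the logs in this thread; the function names and verdict wording are the example's own.

```python
"""Triage helpers for two log formats in this thread: the RKUnhooker ">Stealth"
section and the ComboFix "Reg Loading Points" UAC policy block.

Added example for this thread; not part of RKUnhooker, ComboFix or any poster's
tooling. Sample input is copied from the logs posted in the thread."""
import re
from dataclasses import dataclass, field

# RKUnhooker stealth section as posted earlier in the thread (post 8).
RKU_STEALTH_SAMPLE = r"""
==============================================
>Stealth
==============================================
0x85B89A91 Unknown page with executable code, 1391 bytes
0x89236000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
0x85B88288 Unknown page with executable code, 3448 bytes
0x85B8A191 Unknown page with executable code, 3695 bytes
0x85B8CE7A Unknown thread object [ ETHREAD 0x85CC7D48 ] TID: 268, 600 bytes
0x85B8F008 Unknown thread object [ ETHREAD 0x85CC91F0 ] TID: 272, 600 bytes
WARNING: File locked for read access [C:\Windows\system32\drivers\sptd.sys]
0x85B8ECDC Unknown page with executable code, 804 bytes
"""

# ComboFix policies\system block as posted above. The forum inserted a stray
# space before each closing quote; POLICY_LINE tolerates it.
COMBOFIX_POLICY_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin "= 0 (0x0)
"ConsentPromptBehaviorUser "= 3 (0x3)
"EnableLUA "= 0 (0x0)
"EnableUIADesktopToggle "= 0 (0x0)
"PromptOnSecureDesktop "= 0 (0x0)
"""

HEX = r"0x[0-9A-Fa-f]+"
DRIVER_MOD = re.compile(rf"^({HEX}) WARNING: Virus alike driver modification \[([^\]]+)\], (\d+) bytes$")
EXEC_PAGE = re.compile(rf"^({HEX}) Unknown page with executable code, (\d+) bytes$")
UNK_THREAD = re.compile(rf"^({HEX}) Unknown thread object \[ ETHREAD ({HEX}) \] TID: (\d+), (\d+) bytes$")
LOCKED = re.compile(r"^WARNING: File locked for read access \[([^\]]+)\]$")
POLICY_LINE = re.compile(r'^"([^"]+?)\s*"\s*=\s*(\d+)')


@dataclass
class StealthFindings:
    modified_drivers: list = field(default_factory=list)  # (address, driver, bytes)
    exec_pages: list = field(default_factory=list)        # (address, bytes)
    unknown_threads: list = field(default_factory=list)   # TIDs
    locked_files: list = field(default_factory=list)      # paths RKU could not read


def parse_rku_stealth(text: str) -> StealthFindings:
    """Collect the entries of the '>Stealth' section; other sections are skipped."""
    f = StealthFindings()
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):            # section header such as >Stealth or >Drivers
            in_section = line == ">Stealth"
            continue
        if not in_section or not line or line.startswith("="):
            continue
        if m := DRIVER_MOD.match(line):
            f.modified_drivers.append((m[1], m[2], int(m[3])))
        elif m := EXEC_PAGE.match(line):
            f.exec_pages.append((m[1], int(m[2])))
        elif m := UNK_THREAD.match(line):
            f.unknown_threads.append(int(m[3]))
        elif m := LOCKED.match(line):
            f.locked_files.append(m[1])
    return f


def rku_verdict(f: StealthFindings) -> str:
    """One-line verdict: a patched kernel driver outranks everything else."""
    if f.modified_drivers:
        names = ", ".join(name for _, name, _ in f.modified_drivers)
        return (f"SUSPECT: in-memory modification of {names}; "
                f"{len(f.exec_pages)} unknown executable page(s), "
                f"{len(f.unknown_threads)} unknown kernel thread(s)")
    if f.exec_pages or f.unknown_threads:
        return "REVIEW: hidden executable pages or threads, no patched driver"
    return "CLEAN: nothing reported in the Stealth section"


def parse_combofix_policies(text: str) -> dict:
    """Return the DWORD values ComboFix lists under the policies\\system key."""
    values, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.lower().endswith(r"\policies\system]")
            continue
        if in_key and (m := POLICY_LINE.match(line)):
            values[m[1]] = int(m[2])
    return values


def uac_findings(values: dict) -> list:
    """Flag UAC settings weaker than the Windows 7 defaults (EnableLUA=1, secure desktop on)."""
    out = []
    if values.get("EnableLUA") == 0:
        out.append("EnableLUA=0: UAC is off, an administrator's processes run fully elevated")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        out.append("ConsentPromptBehaviorAdmin=0: elevation without any prompt")
    if values.get("PromptOnSecureDesktop") == 0:
        out.append("PromptOnSecureDesktop=0: prompts not shown on the secure desktop")
    return out


if __name__ == "__main__":
    print(rku_verdict(parse_rku_stealth(RKU_STEALTH_SAMPLE)))
    for finding in uac_findings(parse_combofix_policies(COMBOFIX_POLICY_SAMPLE)):
        print(" -", finding)
```

ComboFix only prints registry values that differ from the Windows defaults (the log itself says "legit default entries are not shown"), so the policies\system block appearing at all is a signal: EnableLUA=0 means UAC is switched off on this machine, which is worth re-enabling once the cleanup is finished, independent of the rootkit itself.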
     
  11. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Navigate to C:\Qoobox and post the content of the ComboFix2.txt file.
     
  12. 2011/06/20
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    ComboFix 11-06-19.0r1 - D Smoke 06/20/2011 19:42:11.2.2 - x86
    Microsoft Windows 7 Ultimate 6.1.7601.0.1252.1.1033.18.2038.1278 [GMT -5:00]
    Running from: c:\users\D Smoke\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-21 01:08 . 2011-06-21 01:08 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-06-21 01:08 . 2011-06-21 01:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-20 20:51 . 2011-06-20 21:59 -------- d-----w- C:\VideoOutput
    2011-06-20 20:51 . 2011-06-20 20:51 -------- d-----w- c:\program files\Avi to Mpeg
    2011-06-19 00:35 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-19 00:35 . 2011-06-19 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-18 22:48 . 2011-06-18 22:48 388096 ----a-r- c:\users\D Smoke\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-06-18 22:48 . 2011-06-18 22:48 -------- d-----w- c:\program files\Trend Micro
    2011-06-18 22:11 . 2011-06-18 22:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-06-18 21:18 . 2011-06-18 21:18 -------- d-----w- c:\users\D Smoke\AppData\Roaming\Malwarebytes
    2011-06-18 21:18 . 2011-06-18 21:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-18 20:46 . 2011-06-18 20:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2011-06-18 20:38 . 2011-06-18 20:50 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-18 20:38 . 2011-06-18 20:38 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-06-18 20:36 . 2011-06-18 20:46 -------- d-----w- c:\programdata\Hitman Pro
    2011-06-12 22:50 . 2011-06-12 22:50 -------- d-----w- c:\users\D Smoke\AppData\Roaming\Apple Computer
    2011-06-12 22:50 . 2011-06-12 22:50 -------- d-----w- c:\users\D Smoke\AppData\Local\Apple Computer
    2011-06-12 22:43 . 2011-06-12 22:43 -------- d-----w- c:\program files\Safari
    2011-06-12 22:43 . 2011-06-12 22:43 -------- d-----w- c:\programdata\Apple Computer
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Bonjour
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Common Files\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\users\D Smoke\AppData\Local\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\programdata\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Apple Software Update
    2011-06-11 01:34 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-06-11 01:34 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-06-11 01:34 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-06-11 01:34 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-06-11 01:34 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-06-11 01:34 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-06-11 01:33 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-06-11 01:33 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-06-11 01:33 . 2011-06-11 01:33 -------- d-----w- c:\programdata\AVAST Software
    2011-06-11 01:33 . 2011-06-11 01:33 -------- d-----w- c:\program files\AVAST Software
    2011-06-11 01:20 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C32C6171-7CA2-4882-BFBA-A58FF51D2CA0}\mpengine.dll
    2011-06-10 00:50 . 2011-06-11 01:13 -------- d-----w- c:\windows\system32\SPReview
    2011-06-10 00:48 . 2011-06-11 01:15 -------- d-----w- c:\windows\system32\EventProviders
    2011-06-10 00:48 . 2011-06-11 01:14 -------- d-----w- C:\9d0918abf386d64be6943cd108bf
    2011-06-06 15:53 . 2011-06-06 15:53 -------- d--h--w- c:\users\D Smoke\AppData\Local\Borders Desktop
    2011-06-06 15:52 . 2011-06-11 01:14 -------- d-----w- c:\program files\Borders Desktop
    2011-06-06 15:12 . 2011-06-11 01:14 -------- d-----w- c:\program files\Common Files\Adobe
    2011-06-05 22:23 . 2011-06-06 05:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-24 21:55 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-05-23 20:29 . 2010-11-20 12:21 750592 ------w- c:\windows\system32\schedsvc.dll
    2011-05-23 20:29 . 2010-11-20 12:24 1288488 ----a-w- c:\windows\system32\ntdll.dll.1
    2011-05-23 20:29 . 2010-11-20 12:20 585728 ------w- c:\windows\system32\qmgr.dll
    2011-05-23 20:29 . 2010-11-20 12:20 1414144 ------w- c:\windows\system32\ole32.dll
    2011-05-23 20:29 . 2010-11-20 12:21 1128448 ------w- c:\windows\system32\vssapi.dll
    2011-05-23 20:29 . 2010-11-20 12:21 505856 ------w- c:\windows\system32\taskschd.dll
    2011-05-23 20:27 . 2010-11-20 12:21 162304 ------w- c:\windows\system32\WUDFPlatform.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-09 06:13 . 2011-05-11 05:05 3957632 ----a-w- c:\windows\system32\ntkrnlpa(3039).exe
    2011-04-09 06:13 . 2011-05-11 05:05 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-09 06:02 . 2011-05-11 05:05 3967872 ------w- c:\windows\system32\ntkrnlpa.exe
    2011-04-09 05:56 . 2011-05-17 13:58 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-03-29 19:09 . 2011-03-29 19:09 21504 ----a-w- c:\windows\system32\drivers\libusb0.sys
    2011-03-29 19:09 . 2011-03-29 19:09 37376 ----a-w- c:\windows\system32\libusb0.dll
    2011-03-25 03:06 . 2011-05-11 05:05 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-03-25 03:06 . 2011-05-11 05:05 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-03-25 03:06 . 2011-05-11 05:05 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-25 03:06 . 2011-05-11 05:05 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    2010-01-01 08:00 . 2011-04-01 20:50 135168 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
    "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Tracker Alarmer.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Tracker Alarmer.lnk
    backup=c:\windows\pss\Office Tracker Alarmer.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    S2 havasvc;HAVA Service;c:\program files\Monsoon Multimedia\HAVA\Common\havasvc.exe [2009-06-17 145408]
    S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    S3 havabus;HAVA Bus Enumerator;c:\windows\system32\DRIVERS\havabus.sys [2009-06-17 37376]
    S3 HAVATV;Hava Video Device;c:\windows\system32\DRIVERS\HAVATV.sys [2009-06-17 324224]
    S3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\DRIVERS\HavaTV_10.sys [2009-06-17 324224]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    Akamai REG_MULTI_SZ Akamai
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\D Smoke\AppData\Roaming\Mozilla\Firefox\Profiles\w3xomn2y.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-20 20:19:21
    ComboFix-quarantined-files.txt 2011-06-21 01:19
    ComboFix2.txt 2011-06-18 23:22
    .
    Pre-Run: 60,087,918,592 bytes free
    Post-Run: 60,053,282,816 bytes free
    .
    - - End Of File - - 343D69A2B8ED1BFB0E6CB77BA52D3D22
     
  13. 2011/06/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  14. 2011/06/20
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    TDSSKiller will not execute on my laptop running Windows 7 Ultimate. I tried it in safe mode, and in compatibility mode too. I get a short cursor change, and then nothing. It never opens up a window. Also tried as administrator.
     
    Last edited: 2011/06/21
  15. 2011/06/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Post a fresh log from RKUnhooker.
     
  16. 2011/06/21
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows 7
    Version 6.1.7601
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0x8E829000 C:\Windows\system32\DRIVERS\igdkmd32.sys 5279744 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
    0x82A42000 C:\Windows\system32\ntkrnlpa.exe 4268032 bytes (Microsoft Corporation, NT Kernel & System)
    0x82A42000 PnpManager 4268032 bytes
    0x82A42000 RAW 4268032 bytes
    0x82A42000 WMIxWDM 4268032 bytes
    0x82530000 Win32k 2404352 bytes
    0x82530000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0x89070000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
    0x88E1F000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
    0x93006000 C:\Windows\system32\DRIVERS\athr.sys 1114112 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
    0x94671000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1056768 bytes (Conexant Systems, Inc., HSF_DP driver)
    0x88AAD000 PCI_PNP3851 995328 bytes
    0x88AAD000 sptd 995328 bytes
    0x88AAD000 C:\Windows\System32\Drivers\spyq.sys 995328 bytes
    0x8ED32000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
    0x88D1B000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
    0x9482D000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
    0x888EA000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
    0xAC6AF000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
    0x94773000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0x88817000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
    0x88A2E000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
    0x8935E000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
    0x8DB85000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
    0x88F8C000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
    0x8DA2B000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xAD82D000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
    0x8E54E000 C:\Windows\system32\DRIVERS\HAVATV.sys 327680 bytes (Monsoon Multimedia Inc., HavaTV WDM driver)
    0x92E03000 C:\Windows\system32\DRIVERS\HavaTV_10.sys 327680 bytes (Monsoon Multimedia Inc., HavaTV WDM driver)
    0xAC786000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
    0x9312B000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0x88C21000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
    0x8E435000 C:\Windows\System32\Drivers\aswSP.SYS 303104 bytes (AVAST Software, avast! self protection module)
    0x88995000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
    0x949B7000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
    0x92F24000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0x888A8000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
    0x8DB24000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0x89218000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0x8900D000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
    0x94634000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
    0xAC63D000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
    0x8E515000 C:\Windows\System32\Drivers\ab7dskbt.SYS 233472 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0x8E4DC000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
    0x94952000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
    0x82A0B000 ACPI_HAL 225280 bytes
    0x82A0B000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0x92F79000 C:\Windows\system32\drivers\CHDRT32.sys 221184 bytes (Conexant Systems Inc., High Definition Audio Function Driver)
    0x88CD6000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0x8E5AC000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
    0x892A4000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
    0x8DA8A000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
    0x891B9000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
    0x92FAF000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0x8925F000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
    0x931BB000 C:\Windows\system32\DRIVERS\Apfiltr.sys 180224 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
    0x88F4E000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
    0x88A00000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0x88BA9000 C:\Windows\System32\Drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
    0x892E7000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
    0x8904B000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
    0x88CA0000 C:\Windows\system32\DRIVERS\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
    0x8E400000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0x92E88000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xAC750000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
    0x8E47F000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
    0x88DD2000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
    0x8933F000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0x8E800000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
    0x8DAC3000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
    0x827C0000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
    0x94937000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
    0xAC678000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
    0x9498D000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0x94600000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
    0x92FDE000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
    0x8DA00000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
    0x93196000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
    0x92E65000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0x92EAA000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0x92EC2000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0x92ED9000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
    0x88C00000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
    0x88C81000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
    0x8E4B9000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
    0x88F79000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0x94810000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
    0x8DB01000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0x92E53000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
    0x8E4A0000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
    0x94619000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
    0x892D6000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
    0x9491B000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
    0x88D0A000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
    0x92F68000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
    0x88BE2000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
    0x8888F000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
    0x93185000 C:\Windows\system32\DRIVERS\Rtnicxp.sys 69632 bytes (Realtek Semiconductor Corporation , Realtek 10/100 NDIS 5.1 Driver )
    0x8DAE2000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
    0x949A7000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
    0x8928C000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
    0x94800000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
    0x8DB14000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
    0x889E8000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
    0x93176000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0x8DA18000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
    0x92EFC000 C:\Windows\system32\DRIVERS\havabus.sys 57344 bytes (Monsoon Multimedia Inc., HAVA Bus Driver)
    0x8DAF3000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
    0x88E00000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
    0x88C73000 C:\Windows\system32\DRIVERS\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0x88FE9000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
    0x8E59E000 C:\Windows\system32\DRIVERS\STREAM.SYS 57344 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
    0x92F0A000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
    0x88A9F000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
    0x8EDE9000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
    0x948F9000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
    0x931AE000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
    0x948E2000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
    0x931E7000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
    0xAC771000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
    0x893E8000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
    0x8DB79000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
    0x92F18000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
    0x893DC000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0x889DD000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
    0x94906000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
    0x9492C000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
    0x891F3000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
    0x92E7D000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0x89000000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
    0x93120000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0x88BD7000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
    0x88E0E000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
    0x94911000 C:\Windows\System32\Drivers\dump_msahci.sys 40960 bytes
    0x948EF000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
    0x88CC3000 C:\Windows\system32\DRIVERS\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
    0x8DB6F000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
    0x8DB65000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
    0x92EF0000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
    0xAC746000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
    0x93116000 C:\Windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)
    0x88CCD000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
    0x88C97000 C:\Windows\system32\DRIVERS\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
    0xAD8F2000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0x88FF7000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
    0x82790000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
    0x891EA000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
    0x8E4D3000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0x88BA0000 C:\Windows\System32\Drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0x888A0000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
    0x88BF3000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
    0x8929C000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
    0x80BB4000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
    0x88BCF000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
    0x893F5000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
    0x89200000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
    0x89208000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
    0x89257000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
    0xAC77E000 C:\Windows\system32\DRIVERS\XAudio32.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
    0x893D5000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
    0x8E4CC000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0x88C6C000 C:\Windows\system32\DRIVERS\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0x893CE000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
    0x8DABC000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
    0x8DA85000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
    0x8E4B2000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0xAC6AB000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
    0x9498A000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
    0x8E4B6000 C:\Windows\system32\DRIVERS\cpqbttn.sys 12288 bytes (Hewlett-Packard Development Company, L.P., HP Tablet PC Key Button HID Driver)
    0x92EFA000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0x84C661F8 unknown_irp_handler 3592 bytes
    0x84C631F8 unknown_irp_handler 3592 bytes
    0x84C651F8 unknown_irp_handler 3592 bytes
    0x85E8D1F8 unknown_irp_handler 3592 bytes
    0x85DFE1F8 unknown_irp_handler 3592 bytes
    0x85D111F8 unknown_irp_handler 3592 bytes
    0x84C611F8 unknown_irp_handler 3592 bytes
    0x85ECA1F8 unknown_irp_handler 3592 bytes
    0x84C641F8 unknown_irp_handler 3592 bytes
    0x84CD01F8 unknown_irp_handler 3592 bytes
    0x85EBF500 unknown_irp_handler 2816 bytes
    ==============================================
    >Stealth
    ==============================================
    0x85B14A91 Unknown page with executable code, 1391 bytes
    0x89218000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
    0x85B13288 Unknown page with executable code, 3448 bytes
    0x85B15191 Unknown page with executable code, 3695 bytes
    0x85B17E7A Unknown thread object [ ETHREAD 0x85D057D0 ] TID: 268, 600 bytes
    0x85B1A008 Unknown thread object [ ETHREAD 0x85D37D48 ] TID: 272, 600 bytes
    WARNING: File locked for read access [C:\Windows\system32\drivers\sptd.sys]
    0x85B19CDC Unknown page with executable code, 804 bytes
     
  17. 2011/06/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It looks like we still have the same issue there.

    Are you still getting redirected?

    Getting ready for bed, but if you have some time, you can get me this:

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    volsnap.sys
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
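    Added example, not code from this thread nor from the RkUnhooker or OTL authors: a small Python triage script for the kind of RkU report posted above. It splits the report into its `>Drivers` and `>Stealth` sections, summarises the Stealth findings (modified driver images, files locked against reading, unknown executable pages and threads), looks up the flagged image in the driver list, and compares a driver image's hashes with a reference taken from a clean install, which is the check that the `/md5start volsnap.sys /md5stop` block in the OTL custom scan above performs by hand. The embedded `RKU_LOG` is an excerpt of the log posted earlier in this thread; `KNOWN_GOOD` is a placeholder that has to be filled from a clean copy of the same Windows build.

```python
import hashlib
import re
from collections import defaultdict

# Excerpt of the RkUnhooker log posted in this thread: a few >Drivers lines
# plus the complete >Stealth section (raw string, so the backslashes stay).
RKU_LOG = r"""RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7601
Number of processors #2
==============================================
>Drivers
==============================================
0x89218000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x88AAD000 C:\Windows\System32\Drivers\spyq.sys 995328 bytes
0x84C661F8 unknown_irp_handler 3592 bytes
==============================================
>Stealth
==============================================
0x85B14A91 Unknown page with executable code, 1391 bytes
0x89218000 WARNING: Virus alike driver modification [volsnap.sys], 258048 bytes
0x85B13288 Unknown page with executable code, 3448 bytes
0x85B17E7A Unknown thread object [ ETHREAD 0x85D057D0 ] TID: 268, 600 bytes
WARNING: File locked for read access [C:\Windows\system32\drivers\sptd.sys]
0x85B19CDC Unknown page with executable code, 804 bytes
"""

SECTION_RE = re.compile(r"^>(\w+)\s*$")
DRIVER_RE = re.compile(r"^(0x[0-9A-F]+) (\S+) (\d+) bytes")
MODIFIED_RE = re.compile(r"Virus alike driver modification \[([^\]]+)\]")
LOCKED_RE = re.compile(r"File locked for read access \[([^\]]+)\]")
UNKNOWN_PAGE_RE = re.compile(r"^0x[0-9A-F]+ Unknown page with executable code, (\d+) bytes")
UNKNOWN_THREAD_RE = re.compile(r"Unknown thread object \[ ETHREAD (0x[0-9A-F]+) \] TID: (\d+)")


def parse_sections(log: str) -> dict:
    """Split an RkU report into {section: [lines]}; lines before the first '>Name' go under 'header'."""
    sections = defaultdict(list)
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:      # skip blank lines and '====' separators
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def triage_stealth(log: str) -> dict:
    """Reduce the >Stealth section to the items an analyst acts on."""
    out = {"modified_drivers": [], "locked_files": [], "unknown_code_pages": 0,
           "unknown_code_bytes": 0, "unknown_threads": []}
    for line in parse_sections(log).get("Stealth", []):
        if (m := MODIFIED_RE.search(line)):
            out["modified_drivers"].append(m.group(1))        # image to hash-verify
        elif (m := LOCKED_RE.search(line)):
            out["locked_files"].append(m.group(1))            # file the tool could not read
        elif (m := UNKNOWN_PAGE_RE.match(line)):
            out["unknown_code_pages"] += 1                    # code outside any known module
            out["unknown_code_bytes"] += int(m.group(1))
        elif (m := UNKNOWN_THREAD_RE.search(line)):
            out["unknown_threads"].append(int(m.group(2)))    # thread not owned by a listed image
    return out


def locate_driver(log: str, name: str):
    """Return base address, on-disk path and size that the >Drivers list gives for an image name."""
    for line in parse_sections(log).get("Drivers", []):
        m = DRIVER_RE.match(line)
        if m and m.group(2).lower().endswith("\\" + name.lower()):
            return {"base": m.group(1), "path": m.group(2), "size": int(m.group(3))}
    return None


def file_hashes(data: bytes) -> dict:
    """MD5 (what OTL's /md5start block reports) and SHA-256 of an image's bytes."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def matches_known_good(data: bytes, known_good: dict) -> bool:
    """True only if every hash supplied in known_good agrees with the image; md5-only references work."""
    got = file_hashes(data)
    return all(got[alg] == known_good[alg].lower() for alg in known_good)


if __name__ == "__main__":
    findings = triage_stealth(RKU_LOG)
    for name in findings["modified_drivers"]:
        print("verify against a clean copy:", name, locate_driver(RKU_LOG, name))
    # KNOWN_GOOD is a placeholder; take the values from an untouched install of the same build.
    KNOWN_GOOD = {"md5": "<md5 of clean volsnap.sys>"}
    with open(locate_driver(RKU_LOG, "volsnap.sys")["path"], "rb") as fh:
        print("matches reference:", matches_known_good(fh.read(), KNOWN_GOOD))
```

The point of reading the on-disk file separately from what the kernel reports is that a driver modified in memory by a kernel-mode rootkit can still hash clean on disk, and vice versa; a mismatch on either side is a finding, and a read failure on a listed image (compare the locked sptd.sys line) is worth recording rather than silently skipping.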
  18. 2011/06/21
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    Yup, still getting redirected.

    OTL logfile created on: 6/21/2011 12:33:41 AM - Run 1
    OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\D Smoke\Desktop
    Ultimate Edition (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 69.54% Memory free
    3.98 Gb Paging File | 3.18 Gb Available in Paging File | 79.99% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 101.63 Gb Total Space | 55.07 Gb Free Space | 54.18% Space Free | Partition Type: NTFS
    Drive D: | 10.06 Gb Total Space | 6.19 Gb Free Space | 61.50% Space Free | Partition Type: NTFS

    Computer Name: DSMOKE-COMPAQ | User Name: D Smoke | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/06/21 00:30:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\D Smoke\Desktop\OTL.exe
    PRC - [2011/05/10 07:10:58 | 003,459,712 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/05/10 07:10:57 | 000,042,184 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2011/02/26 00:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/09/24 13:19:08 | 000,159,472 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Zune\ZuneLauncher.exe
    PRC - [2009/07/13 20:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
    PRC - [2009/06/16 23:16:16 | 000,145,408 | ---- | M] (Monsoon Multimedia Inc.) -- C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe
    PRC - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    PRC - [2004/12/13 04:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/06/21 00:30:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\D Smoke\Desktop\OTL.exe
    MOD - [2011/05/10 07:10:55 | 000,199,792 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\snxhk.dll
    MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/06/15 22:01:56 | 003,435,096 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_e877e12.dll -- (Akamai)
    SRV - [2011/05/10 07:10:57 | 000,042,184 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/09/24 13:19:16 | 000,444,656 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
    SRV - [2010/09/24 13:19:16 | 000,268,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\WMZuneComm.exe -- (WMZuneComm)
    SRV - [2010/09/24 13:19:08 | 006,351,600 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
    SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/06/16 23:16:16 | 000,145,408 | ---- | M] (Monsoon Multimedia Inc.) [Auto | Running] -- C:\Program Files\Monsoon Multimedia\HAVA\Common\havasvc.exe -- (havasvc)
    SRV - [2009/04/29 03:21:04 | 000,410,624 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\XAudio32.dll -- (HsfXAudioService)
    SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2007/05/31 10:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
    SRV - [2007/05/31 10:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
    SRV - [2004/12/13 04:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/05/10 07:03:54 | 000,441,176 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/05/10 07:03:44 | 000,307,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/05/10 07:02:37 | 000,049,240 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/05/10 06:59:56 | 000,025,432 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/05/10 06:59:44 | 000,053,592 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/05/10 06:59:35 | 000,019,544 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/01/22 21:56:46 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2009/10/09 02:37:44 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
    DRV - [2009/07/13 20:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
    DRV - [2009/07/13 20:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
    DRV - [2009/07/13 20:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
    DRV - [2009/07/13 18:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WINUSB)
    DRV - [2009/07/13 18:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
    DRV - [2009/07/13 18:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
    DRV - [2009/06/16 23:16:16 | 000,324,224 | ---- | M] (Monsoon Multimedia Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HavaTV_10.sys -- (HavaTV_10)
    DRV - [2009/06/16 23:16:16 | 000,324,224 | ---- | M] (Monsoon Multimedia Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HavaTV.sys -- (HAVATV)
    DRV - [2009/06/16 23:16:14 | 000,037,376 | ---- | M] (Monsoon Multimedia Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\havabus.sys -- (havabus)
    DRV - [2009/04/29 03:20:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio32.sys -- (XAudio)
    DRV - [2009/04/20 15:38:54 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
    DRV - [2008/07/22 07:42:58 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
    DRV - [2008/02/26 15:26:04 | 000,201,728 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
    DRV - [2007/10/29 10:38:38 | 000,162,088 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = A8 50 15 32 80 44 CA 01 [binary data]
    IE - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm "
    FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm "
    FF - prefs.js..browser.search.param.yahoo-type: "${8} "
    FF - prefs.js..browser.startup.homepage: "http://www.google.com/ "
    FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.98
    FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
    FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20100408.6
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21


    FF - HKLM\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/06/10 20:33:34 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/10 20:14:43 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/10 20:14:45 | 000,000,000 | ---D | M]

    [2009/10/03 18:25:33 | 000,000,000 | -H-D | M] (No name found) -- C:\Users\D Smoke\AppData\Roaming\Mozilla\Extensions
    [2011/06/11 15:32:43 | 000,000,000 | ---D | M] (No name found) -- C:\Users\D Smoke\AppData\Roaming\Mozilla\Firefox\Profiles\w3xomn2y.default\extensions
    [2011/06/10 20:02:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/06/10 20:14:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2011/06/10 20:14:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2011/06/10 20:02:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\distribution\extensions
    [2011/06/10 20:14:44 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Program Files\Mozilla Firefox\distribution\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    File not found (No name found) --
    [2011/06/10 20:33:34 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2010/01/01 03:00:00 | 000,135,168 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
    [2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    [2010/01/01 03:00:00 | 000,002,252 | -H-- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

    O1 HOSTS File: ([2011/06/18 18:19:31 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3 - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
    O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3190924427-557382148-1485280098-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
    O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab (Java Plug-in 1.6.0_21)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 205.171.3.25
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | -H-- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)


    ========== Files/Folders - Created Within 30 Days ==========

    [2011/06/21 00:30:11 | 000,579,072 | ---- | C] (OldTimer Tools) -- C:\Users\D Smoke\Desktop\OTL.exe
    [2011/06/20 23:54:19 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\AppData\Local\ElevatedDiagnostics
    [2011/06/20 23:41:44 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\Desktop\tdsskiller
    [2011/06/20 21:17:29 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/06/20 20:49:03 | 004,131,325 | R--- | C] (Swearware) -- C:\Users\D Smoke\Desktop\k_young.exe
    [2011/06/20 15:51:46 | 000,000,000 | ---D | C] -- C:\VideoOutput
    [2011/06/20 15:51:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avi to Mpeg
    [2011/06/20 15:51:40 | 000,000,000 | ---D | C] -- C:\Program Files\Avi to Mpeg
    [2011/06/20 12:25:11 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\Desktop\Garmin
    [2011/06/18 19:35:24 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2011/06/18 19:35:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/06/18 19:35:21 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/06/18 18:07:04 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2011/06/18 18:07:04 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2011/06/18 18:07:03 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2011/06/18 18:06:56 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2011/06/18 17:48:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
    [2011/06/18 17:48:13 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
    [2011/06/18 17:11:09 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
    [2011/06/18 17:09:30 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/06/18 16:18:39 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\AppData\Roaming\Malwarebytes
    [2011/06/18 16:18:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/06/18 15:46:18 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
    [2011/06/18 15:38:13 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
    [2011/06/18 15:36:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
    [2011/06/18 15:28:38 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
    [2011/06/12 17:50:37 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\AppData\Roaming\Apple Computer
    [2011/06/12 17:50:37 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\AppData\Local\Apple Computer
    [2011/06/12 17:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Safari
    [2011/06/12 17:43:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
    [2011/06/12 17:42:39 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
    [2011/06/12 17:42:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
    [2011/06/12 17:42:16 | 000,000,000 | ---D | C] -- C:\Users\D Smoke\AppData\Local\Apple
    [2011/06/12 17:42:14 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
    [2011/06/12 17:42:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
    [2011/06/10 20:34:50 | 000,019,544 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
    [2011/06/10 20:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2011/06/10 20:34:49 | 000,307,928 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSP.sys
    [2011/06/10 20:34:48 | 000,025,432 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswRdr.sys
    [2011/06/10 20:34:46 | 000,049,240 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswTdi.sys
    [2011/06/10 20:34:45 | 000,441,176 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswSnx.sys
    [2011/06/10 20:34:44 | 000,053,592 | ---- | C] (AVAST Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
    [2011/06/10 20:33:18 | 000,040,112 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
    [2011/06/10 20:33:17 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\System32\aswBoot.exe
    [2011/06/10 20:33:08 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
    [2011/06/10 20:33:08 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/06/09 19:50:15 | 000,000,000 | ---D | C] -- C:\Windows\System32\SPReview
    [2011/06/09 19:48:54 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
    [2011/06/09 19:48:36 | 000,000,000 | ---D | C] -- C:\9d0918abf386d64be6943cd108bf
    [2011/06/06 10:53:41 | 000,000,000 | -H-D | C] -- C:\Users\D Smoke\AppData\Local\Borders Desktop
    [2011/06/06 10:53:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Borders Desktop
    [2011/06/06 10:52:13 | 000,000,000 | ---D | C] -- C:\Program Files\Borders Desktop
    [2011/06/06 10:12:49 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe

    ========== Files - Modified Within 30 Days ==========

    [2011/06/21 00:30:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\D Smoke\Desktop\OTL.exe
    [2011/06/20 23:56:07 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/06/20 23:56:07 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/06/20 23:48:24 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2011/06/20 23:48:19 | 1602,760,704 | -HS- | M] () -- C:\hiberfil.sys
    [2011/06/20 23:40:51 | 001,309,375 | ---- | M] () -- C:\Users\D Smoke\Desktop\tdsskiller.zip
    [2011/06/20 20:50:43 | 001,007,120 | ---- | M] () -- C:\Users\D Smoke\Desktop\rkill.scr
    [2011/06/20 20:49:23 | 004,131,325 | R--- | M] (Swearware) -- C:\Users\D Smoke\Desktop\k_young.exe
    [2011/06/20 20:46:03 | 160,071,380 | ---- | M] () -- C:\Windows\MEMORY.DMP
    [2011/06/20 15:31:30 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2011/06/20 15:31:30 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2011/06/20 01:18:11 | 000,139,264 | ---- | M] () -- C:\Users\D Smoke\Desktop\RKUnhookerLE.EXE
    [2011/06/18 20:29:53 | 000,000,512 | ---- | M] () -- C:\Users\D Smoke\Desktop\MBR.dat
    [2011/06/18 18:19:31 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2011/06/18 17:48:13 | 000,002,975 | ---- | M] () -- C:\Users\D Smoke\Desktop\HiJackThis.lnk
    [2011/06/18 15:50:50 | 000,020,552 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2011/06/18 15:46:18 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
    [2011/06/12 17:50:40 | 000,109,784 | -H-- | M] () -- C:\Windows\System32\mlfcache.dat
    [2011/06/12 17:43:31 | 000,002,503 | ---- | M] () -- C:\Users\D Smoke\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
    [2011/06/10 20:34:44 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
    [2011/06/10 19:50:49 | 000,000,128 | -H-- | M] () -- C:\ProgramData\~27385592r
    [2011/06/10 19:50:49 | 000,000,112 | -H-- | M] () -- C:\ProgramData\~27385592
    [2011/06/10 19:46:32 | 000,000,344 | -H-- | M] () -- C:\ProgramData\27385592
    [2011/06/06 10:53:07 | 000,001,039 | ---- | M] () -- C:\Users\Public\Desktop\Borders Desktop.lnk
    [2011/06/06 10:13:12 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
    [2011/05/29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys

    ========== Files Created - No Company Name ==========

    [2011/06/20 23:40:43 | 001,309,375 | ---- | C] () -- C:\Users\D Smoke\Desktop\tdsskiller.zip
    [2011/06/20 23:19:48 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
    [2011/06/20 23:19:47 | 000,001,515 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
    [2011/06/20 20:50:39 | 001,007,120 | ---- | C] () -- C:\Users\D Smoke\Desktop\rkill.scr
    [2011/06/20 01:18:07 | 000,139,264 | ---- | C] () -- C:\Users\D Smoke\Desktop\RKUnhookerLE.EXE
    [2011/06/18 20:29:53 | 000,000,512 | ---- | C] () -- C:\Users\D Smoke\Desktop\MBR.dat
    [2011/06/18 18:07:04 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2011/06/18 18:07:04 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2011/06/18 18:07:04 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2011/06/18 18:07:04 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2011/06/18 18:07:03 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2011/06/18 17:48:13 | 000,002,975 | ---- | C] () -- C:\Users\D Smoke\Desktop\HiJackThis.lnk
    [2011/06/18 15:38:15 | 000,020,552 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
    [2011/06/18 15:28:36 | 160,071,380 | ---- | C] () -- C:\Windows\MEMORY.DMP
    [2011/06/12 17:50:40 | 000,109,784 | -H-- | C] () -- C:\Windows\System32\mlfcache.dat
    [2011/06/12 17:43:31 | 000,002,503 | ---- | C] () -- C:\Users\D Smoke\Application Data\Microsoft\Internet Explorer\Quick Launch\Apple Safari.lnk
    [2011/06/12 17:42:14 | 000,002,519 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
    [2011/06/10 19:50:49 | 000,000,128 | -H-- | C] () -- C:\ProgramData\~27385592r
    [2011/06/10 19:50:49 | 000,000,112 | -H-- | C] () -- C:\ProgramData\~27385592
    [2011/06/10 19:46:32 | 000,000,344 | -H-- | C] () -- C:\ProgramData\27385592
    [2011/06/06 10:53:07 | 000,001,039 | ---- | C] () -- C:\Users\Public\Desktop\Borders Desktop.lnk
    [2011/06/06 10:13:12 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
    [2011/06/06 10:13:11 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
    [2010/04/06 16:03:22 | 000,000,000 | ---- | C] () -- C:\Windows\PowerReg.dat
    [2010/01/22 22:14:47 | 000,056,320 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll
    [2010/01/22 22:09:14 | 000,000,193 | ---- | C] () -- C:\Windows\WORDPAD.INI
    [2009/10/03 18:35:56 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
    [2009/09/11 17:58:52 | 002,050,952 | ---- | C] () -- C:\Windows\System32\igkrng400.bin
    [2009/07/13 23:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
    [2009/07/13 23:33:53 | 000,268,184 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
    [2009/07/13 21:05:48 | 000,624,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
    [2009/07/13 21:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
    [2009/07/13 21:05:48 | 000,106,522 | ---- | C] () -- C:\Windows\System32\perfc009.dat
    [2009/07/13 21:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
    [2009/07/13 21:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
    [2009/07/13 21:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
    [2009/07/13 19:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
    [2009/07/13 18:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
    [2009/07/13 18:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
    [2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
    [2009/06/10 16:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

    ========== LOP Check ==========

    [2011/06/10 20:14:49 | 000,000,000 | ---D | M] -- C:\Users\D Smoke\AppData\Roaming\Absolute Poker
    [2009/11/15 12:31:59 | 000,000,000 | -H-D | M] -- C:\Users\D Smoke\AppData\Roaming\com.directv.supercast.AA1ECC8BBAFE4E1BBF2D418DC006AF207FACE6CA.1
    [2010/01/22 22:08:54 | 000,000,000 | -H-D | M] -- C:\Users\D Smoke\AppData\Roaming\DAEMON Tools Lite
    [2010/02/22 00:48:50 | 000,000,000 | -H-D | M] -- C:\Users\D Smoke\AppData\Roaming\GARMIN
    [2011/06/20 15:28:38 | 000,000,000 | ---D | M] -- C:\Users\D Smoke\AppData\Roaming\uTorrent
    [2010/09/06 20:59:57 | 000,032,582 | -H-- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/06/10 16:42:20 | 000,000,024 | -H-- | M] () -- C:\autoexec.bat
    [2011/06/20 21:19:00 | 000,011,930 | ---- | M] () -- C:\ComboFix.txt
    [2009/06/10 16:42:20 | 000,000,010 | -H-- | M] () -- C:\config.sys
    [2007/11/07 08:00:40 | 000,001,110 | ---- | M] () -- C:\globdata.ini
    [2011/06/20 23:48:19 | 1602,760,704 | -HS- | M] () -- C:\hiberfil.sys
    [2007/11/07 08:00:40 | 000,000,843 | ---- | M] () -- C:\install.ini
    [2007/11/07 08:03:18 | 000,076,304 | ---- | M] (Microsoft Corporation) -- C:\install.res.1028.dll
    [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.1031.dll
    [2007/11/07 08:03:18 | 000,091,152 | ---- | M] (Microsoft Corporation) -- C:\install.res.1033.dll
    [2007/11/07 08:03:18 | 000,097,296 | ---- | M] (Microsoft Corporation) -- C:\install.res.1036.dll
    [2007/11/07 08:03:18 | 000,095,248 | ---- | M] (Microsoft Corporation) -- C:\install.res.1040.dll
    [2007/11/07 08:03:18 | 000,081,424 | ---- | M] (Microsoft Corporation) -- C:\install.res.1041.dll
    [2007/11/07 08:03:18 | 000,079,888 | ---- | M] (Microsoft Corporation) -- C:\install.res.1042.dll
    [2007/11/07 08:03:18 | 000,075,792 | ---- | M] (Microsoft Corporation) -- C:\install.res.2052.dll
    [2007/11/07 08:03:18 | 000,096,272 | ---- | M] (Microsoft Corporation) -- C:\install.res.3082.dll
    [2011/06/20 23:48:23 | 2137,014,272 | -HS- | M] () -- C:\pagefile.sys
    [2011/06/20 20:53:04 | 000,000,357 | ---- | M] () -- C:\rkill.log
    [2007/11/07 08:00:40 | 000,005,686 | -H-- | M] () -- C:\vcredist.bmp
    [2007/11/07 08:09:22 | 001,442,522 | -H-- | M] () -- C:\VC_RED.cab
    [2007/11/07 08:12:28 | 000,232,960 | ---- | M] () -- C:\VC_RED.MSI

    < %systemroot%\Fonts\*.com >
    [2009/07/13 23:52:25 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/13 23:52:25 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/13 23:52:25 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/13 23:52:25 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 16:31:19 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2009/07/13 20:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
    [2009/07/13 20:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint(3066).dll
    [2010/11/20 07:21:36 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/05/10 07:10:59 | 000,040,112 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/13 23:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/10/03 18:21:06 | 000,000,221 | -HS- | M] () -- C:\Users\D Smoke\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/06/20 20:49:23 | 004,131,325 | R--- | M] (Swearware) -- C:\Users\D Smoke\Desktop\k_young.exe
    [2011/06/21 00:30:14 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Users\D Smoke\Desktop\OTL.exe
    [2011/06/20 01:18:11 | 000,139,264 | ---- | M] () -- C:\Users\D Smoke\Desktop\RKUnhookerLE.EXE

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 16:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/08/04 09:07:29 | 000,000,402 | -HS- | M] () -- C:\Users\D Smoke\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2011/06/10 19:46:32 | 000,000,344 | -H-- | M] () -- C:\ProgramData\27385592
    [2011/06/10 19:50:49 | 000,000,112 | -H-- | M] () -- C:\ProgramData\~27385592
    [2011/06/10 19:50:49 | 000,000,128 | -H-- | M] () -- C:\ProgramData\~27385592r

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < MD5 for: VOLSNAP.SYS >
    [2009/07/13 20:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\System32\drivers\volsnap.sys
    [2009/07/13 20:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys
    [2009/07/13 20:19:10 | 000,245,328 | ---- | M] (Microsoft Corporation) MD5=58DF9D2481A56EDDE167E51B334D44FD -- C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys

    < End of report >
     
  19. 2011/06/21
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    OTL Extras logfile created on: 6/21/2011 12:33:41 AM - Run 1
    OTL by OldTimer - Version 3.2.24.1 Folder = C:\Users\D Smoke\Desktop
    Ultimate Edition (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.99 Gb Total Physical Memory | 1.38 Gb Available Physical Memory | 69.54% Memory free
    3.98 Gb Paging File | 3.18 Gb Available in Paging File | 79.99% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 101.63 Gb Total Space | 55.07 Gb Free Space | 54.18% Space Free | Partition Type: NTFS
    Drive D: | 10.06 Gb Total Space | 6.19 Gb Free Space | 61.50% Space Free | Partition Type: NTFS

    Computer Name: DSMOKE-COMPAQ | User Name: D Smoke | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
    .html [@ = htmlfile] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome

    [HKEY_USERS\S-1-5-21-3190924427-557382148-1485280098-1000\SOFTWARE\Classes\<extension>]
    .html [@ = htmlfile] -- Reg Error: Key error. File not found

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1 ",%* (Microsoft Corporation)
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1
    http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [explore] -- Reg Error: Value error.
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1
    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "DisableNotifications" = 0
    "EnableFirewall" = 1

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    "{07EEE598-5F21-4B57-B40B-46592625B3D9}" = Zune Language Pack (PTB)
    "{081E540C-1A6F-4C46-994B-6E3229222A10}" = HAVA Software
    "{10133CDD-50B9-4783-B336-8B48F3653715}" = Star Wars Galactic Battlegrounds: Saga
    "{14BF164E-80A4-422E-BE43-39FB759666C2}_is1" = Avi to Mpeg 3.2
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{20FA8AEE-E785-4F79-98EB-2067A8F395F4}" = Monopoly
    "{26A24AE4-039D-4CA4-87B4-2F83216019FF}" = Java(TM) 6 Update 21
    "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
    "{2C4E2E4E-A7C9-4CCB-BF03-FE6EBD5D4AB7}" = Windows Mobile Device Updater Component
    "{3A05B900-A3E7-11DE-A9B7-005056806466}" = Google Earth
    "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
    "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
    "{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
    "{6740BCB0-5863-47F4-80F4-44F394DE4FE2}" = Zune Language Pack (NLD)
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6B33492E-FBBC-4EC3-8738-09E16E395A10}" = Zune Language Pack (ESP)
    "{6C1E7AA1-44E9-446D-AAB2-0DE6D9EFEAB1}" = Safari
    "{7006ED29-58F2-40C3-AE87-039287AD20B6}" = Zune
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
    "{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
    "{920A9E89-3494-41C8-9C3B-CD1870F002C3}" = Office Tracker
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Touch Pad Driver
    "{A1EFAC47-885A-4E74-AAA4-8B56B71B706A}" = Garmin City Navigator North America NT 2010.40
    "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
    "{BCB4C18A-ACA6-4383-8688-E19933A705DD}" = Microsoft SOAP Toolkit 3.0
    "{BE236D9A-52EC-4A17-82DA-84B5EAD31E3E}" = Zune Language Pack (DEU)
    "{C4D26D60-7B43-4CE9-AE19-A380D9DF126B}" = Garmin MapSource
    "{C5D37FFA-7483-410B-982B-91E93FD3B7DA}" = Zune Language Pack (ITA)
    "{C68D33B1-0204-4EBE-BC45-A6E432B1D13A}" = Zune Language Pack (FRA)
    "{D0A3275D-F67F-4C6B-AE4A-753170C2EAC8}" = Garmin MapInstall
    "{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
    "{E0783143-EAE2-4047-A8D6-E155523C594C}" = Garmin WebUpdater
    "{E7044E25-3038-4A76-9064-344AC038043E}" = Windows Mobile Device Center Driver Update
    "{FA7621DC-7144-4A24-973C-B9BC0E945628}" = Ulead Straight-to-Disc SDK
    "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    "49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Akamai" = Akamai NetSession Interface
    "avast" = avast! Free Antivirus
    "Borders Desktop" = Borders Desktop
    "CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
    "CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
    "Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
    "CNXT_AUDIO_HDA" = Conexant HD Audio
    "CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
    "HDMI" = Intel(R) Graphics Media Accelerator Driver
    "InstallShield_{081E540C-1A6F-4C46-994B-6E3229222A10}" = HAVA Software
    "LionClock Client3.22" = LionClock Client
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.0.1200
    "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
    "MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
    "Mozilla Firefox 4.0 (x86 en-US)" = Mozilla Firefox 4.0 (x86 en-US)
    "PhotoStitch" = Canon Utilities PhotoStitch
    "PokerStars" = PokerStars
    "RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
    "RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
    "TVWiz" = Intel(R) TV Wizard
    "uTorrent" = µTorrent
    "WinRAR archiver" = WinRAR archiver
    "Yahoo! Companion" = Yahoo! Toolbar
    "Yahoo! Messenger" = Yahoo! Messenger
    "Yahoo! Software Update" = Yahoo! Software Update
    "ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
    "Zune" = Zune

    ========== HKEY_USERS Uninstall List ==========

    [HKEY_USERS\S-1-5-21-3190924427-557382148-1485280098-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "Absolute Poker" = Absolute Poker
    "Octoshape add-in for Adobe Flash Player" = Octoshape add-in for Adobe Flash Player

    ========== Last 10 Event Log Errors ==========

    Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

    < End of report >
     
  20. 2011/06/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Do you have a Windows 7 DVD?

    Delete your Combofix file, download a fresh one and post a new log.
     
  21. 2011/06/21
    keenyoung

    keenyoung Inactive Thread Starter

    Joined:
    2011/06/18
    Messages:
    28
    Likes Received:
    0
    Can't find the Windows 7 DVD, but have a copy on a separate hard drive partition.

    Combofix blue-screened me 3 times in normal mode and 3 times in safe mode. So I ran rkill in safe mode and then Combofix, also in safe mode.


    ComboFix 11-06-17.04 - D Smoke 06/21/2011 20:57:22.4.2 - x86 MINIMAL
    Microsoft Windows 7 Ultimate 6.1.7601.0.1252.1.1033.18.2038.1373 [GMT -5:00]
    Running from: c:\users\D Smoke\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-22 02:05 . 2011-06-22 02:05 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-06-22 02:05 . 2011-06-22 02:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-06-21 19:12 . 2011-06-21 19:12 -------- d-----w- c:\programdata\HP Product Assistant
    2011-06-21 19:06 . 2011-06-21 19:06 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
    2011-06-21 18:55 . 2011-06-07 15:55 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5CB15C75-207F-4E51-837B-CE49A3C3D54B}\mpengine.dll
    2011-06-21 18:34 . 2011-06-21 18:34 -------- d-----w- c:\users\D Smoke\AppData\Roaming\HP
    2011-06-21 18:34 . 2011-06-21 18:34 -------- d-----w- c:\users\D Smoke\AppData\Local\HP
    2011-06-21 18:26 . 2008-12-16 23:17 315392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp6en.dll
    2011-06-21 18:26 . 2008-10-29 18:46 271704 ----a-w- c:\windows\system32\hpzids01.dll
    2011-06-21 18:26 . 2008-12-16 23:17 126976 ----a-w- c:\windows\system32\hpfll6en.dll
    2011-06-21 18:25 . 2011-06-21 20:25 -------- d-----w- c:\program files\HP
    2011-06-21 18:24 . 2011-06-21 19:12 -------- d-----w- c:\programdata\HP
    2011-06-21 18:12 . 2009-07-14 01:15 319488 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfppw73.dll
    2011-06-21 17:41 . 2011-06-21 17:41 -------- d-----w- c:\program files\Common Files\Adobe
    2011-06-21 04:54 . 2011-06-21 18:18 -------- d-----w- c:\users\D Smoke\AppData\Local\ElevatedDiagnostics
    2011-06-21 04:18 . 2011-06-21 04:18 -------- d-----w- c:\users\Default\AppData\Roaming\Media Center Programs
    2011-06-20 20:51 . 2011-06-20 20:51 -------- d-----w- c:\program files\Avi to Mpeg
    2011-06-19 00:35 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-19 00:35 . 2011-06-19 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-18 22:48 . 2011-06-18 22:48 -------- d-----w- c:\program files\Trend Micro
    2011-06-18 22:11 . 2011-06-18 22:11 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-06-18 21:18 . 2011-06-18 21:18 -------- d-----w- c:\users\D Smoke\AppData\Roaming\Malwarebytes
    2011-06-18 21:18 . 2011-06-18 21:18 -------- d-----w- c:\programdata\Malwarebytes
    2011-06-18 20:46 . 2011-06-18 20:46 12872 ----a-w- c:\windows\system32\bootdelete.exe
    2011-06-18 20:38 . 2011-06-18 20:50 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2011-06-18 20:38 . 2011-06-18 20:38 -------- d-----w- c:\program files\Hitman Pro 3.5
    2011-06-18 20:36 . 2011-06-18 20:46 -------- d-----w- c:\programdata\Hitman Pro
    2011-06-12 22:50 . 2011-06-12 22:50 -------- d-----w- c:\users\D Smoke\AppData\Roaming\Apple Computer
    2011-06-12 22:50 . 2011-06-12 22:50 -------- d-----w- c:\users\D Smoke\AppData\Local\Apple Computer
    2011-06-12 22:43 . 2011-06-12 22:43 -------- d-----w- c:\program files\Safari
    2011-06-12 22:43 . 2011-06-12 22:43 -------- d-----w- c:\programdata\Apple Computer
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Bonjour
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Common Files\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\users\D Smoke\AppData\Local\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\programdata\Apple
    2011-06-12 22:42 . 2011-06-12 22:42 -------- d-----w- c:\program files\Apple Software Update
    2011-06-11 01:34 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-06-11 01:34 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-06-11 01:34 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-06-11 01:34 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-06-11 01:34 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-06-11 01:34 . 2011-05-10 11:59 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-06-11 01:33 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-06-11 01:33 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-06-11 01:33 . 2011-06-11 01:33 -------- d-----w- c:\programdata\AVAST Software
    2011-06-11 01:33 . 2011-06-11 01:33 -------- d-----w- c:\program files\AVAST Software
    2011-06-10 00:50 . 2011-06-11 01:13 -------- d-----w- c:\windows\system32\SPReview
    2011-06-10 00:48 . 2011-06-11 01:15 -------- d-----w- c:\windows\system32\EventProviders
    2011-06-10 00:48 . 2011-06-11 01:14 -------- d-----w- C:\9d0918abf386d64be6943cd108bf
    2011-06-06 17:55 . 2011-06-06 17:55 183696 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-06-06 15:53 . 2011-06-06 15:53 -------- d--h--w- c:\users\D Smoke\AppData\Local\Borders Desktop
    2011-06-06 15:52 . 2011-06-11 01:14 -------- d-----w- c:\program files\Borders Desktop
    2011-06-05 22:23 . 2011-06-06 05:56 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-24 21:55 . 2011-04-22 19:36 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
    2011-05-23 20:29 . 2010-11-20 12:21 750592 ------w- c:\windows\system32\schedsvc.dll
    2011-05-23 20:29 . 2010-11-20 12:24 1288488 ----a-w- c:\windows\system32\ntdll.dll.1
    2011-05-23 20:29 . 2010-11-20 12:20 585728 ------w- c:\windows\system32\qmgr.dll
    2011-05-23 20:29 . 2010-11-20 12:20 1414144 ------w- c:\windows\system32\ole32.dll
    2011-05-23 20:29 . 2010-11-20 12:21 1128448 ------w- c:\windows\system32\vssapi.dll
    2011-05-23 20:29 . 2010-11-20 12:21 505856 ------w- c:\windows\system32\taskschd.dll
    2011-05-23 20:27 . 2010-11-20 12:21 162304 ------w- c:\windows\system32\WUDFPlatform.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-25 00:14 . 2009-10-03 23:31 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-04-09 06:13 . 2011-05-11 05:05 3957632 ----a-w- c:\windows\system32\ntkrnlpa(3039).exe
    2011-04-09 06:13 . 2011-05-11 05:05 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-04-09 06:02 . 2011-05-11 05:05 3967872 ------w- c:\windows\system32\ntkrnlpa.exe
    2011-04-09 05:56 . 2011-05-17 13:58 123904 ----a-w- c:\windows\system32\poqexec.exe
    2011-03-29 19:09 . 2011-03-29 19:09 21504 ----a-w- c:\windows\system32\drivers\libusb0.sys
    2011-03-29 19:09 . 2011-03-29 19:09 37376 ----a-w- c:\windows\system32\libusb0.dll
    2011-03-25 03:06 . 2011-05-11 05:05 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
    2011-03-25 03:06 . 2011-05-11 05:05 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
    2011-03-25 03:06 . 2011-05-11 05:05 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
    2011-03-25 03:06 . 2011-05-11 05:05 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
    2011-03-25 03:06 . 2011-05-11 05:05 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
    2010-01-01 08:00 . 2011-04-01 20:50 135168 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @= "{472083B0-C522-11CF-8763-00608CC02F24} "
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint "= "c:\program files\Apoint2K\Apoint.exe" [2007-10-25 212992]
    "Windows Mobile Device Center "= "c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
    "Zune Launcher "= "c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 159472]
    "avast "= "c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv "= "grpconv -o" [X]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin "= 0 (0x0)
    "ConsentPromptBehaviorUser "= 3 (0x3)
    "EnableLUA "= 0 (0x0)
    "EnableUIADesktopToggle "= 0 (0x0)
    "PromptOnSecureDesktop "= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux "=wdmaud.drv
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Tracker Alarmer.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Tracker Alarmer.lnk
    backup=c:\windows\pss\Office Tracker Alarmer.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
    2009-10-30 11:57 369200 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-23 691696]
    R1 aswSnx;aswSnx; [x]
    R1 aswSP;aswSP; [x]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
    R2 aswFsBlk;aswFsBlk; [x]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 havasvc;HAVA Service;c:\program files\Monsoon Multimedia\HAVA\Common\havasvc.exe [2009-06-17 145408]
    R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
    R3 HAVATV;Hava Video Device;c:\windows\system32\DRIVERS\HAVATV.sys [2009-06-17 324224]
    R3 HavaTV_10;Hava Remote Video Device;c:\windows\system32\DRIVERS\HavaTV_10.sys [2009-06-17 324224]
    R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
    R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
    R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 268528]
    S3 havabus;HAVA Bus Enumerator;c:\windows\system32\DRIVERS\havabus.sys [2009-06-17 37376]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
    HsfXAudioService REG_MULTI_SZ HsfXAudioService
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    Akamai REG_MULTI_SZ Akamai
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\D Smoke\AppData\Roaming\Mozilla\Firefox\Profiles\w3xomn2y.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial "=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-06-21 21:07:12
    ComboFix-quarantined-files.txt 2011-06-22 02:07
    ComboFix2.txt 2011-06-21 02:19
    ComboFix3.txt 2011-06-21 01:19
    ComboFix4.txt 2011-06-18 23:22
    .
    Pre-Run: 58,277,527,552 bytes free
    Post-Run: 57,892,040,704 bytes free
    .
    - - End Of File - - 39A0006794EA22F4B416B7CF78528CDC
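Added triage example (my code, not part of this thread and not a feature of OTL or ComboFix): the OTL "Shell Spawning" table and the custom-scan file entries earlier in the thread, and the policies\system block in the ComboFix log just above, are the three places an analyst reads first on a redirect case, and each can be checked mechanically. The script below parses those three line formats and flags (1) any executable file class whose [open] handler is not the stock "%1" %*, (2) hidden files directly under ProgramData with purely numeric names such as the 27385592 / ~27385592 / ~27385592r trio in the log, and (3) UAC registry values that switch UAC off or make it silent. The regular expressions, the "numeric hidden file" heuristic and the assumed Windows 7 defaults are mine; the SHELL_HIJACKED line is a constructed sample showing what a hijacked exefile handler would look like, not something from this log.

```python
"""Triage of OTL and ComboFix log lines (added example, not from the thread
or from the OTL/ComboFix tools).  Regexes, checked values and the
hidden-numeric-file heuristic are my assumptions, not vendor signatures."""
import re

# Sample input copied from the OTL and ComboFix excerpts posted in the thread.
SHELL_SPAWNING = r'''
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
'''
# Constructed sample (NOT from the thread): a hijacked exefile handler.
SHELL_HIJACKED = r'''exefile [open] -- "C:\ProgramData\example\launcher.exe" "%1" %*'''
CUSTOM_SCAN = r'''
[2011/06/10 19:46:32 | 000,000,344 | -H-- | M] () -- C:\ProgramData\27385592
[2011/06/10 19:50:49 | 000,000,112 | -H-- | M] () -- C:\ProgramData\~27385592
[2011/06/10 19:50:49 | 000,000,128 | -H-- | M] () -- C:\ProgramData\~27385592r
[2010/08/04 09:07:29 | 000,000,402 | -HS- | M] () -- C:\Users\D Smoke\Favorites\desktop.ini
'''
POLICIES = r'''
"ConsentPromptBehaviorAdmin "= 0 (0x0)
"ConsentPromptBehaviorUser "= 3 (0x3)
"EnableLUA "= 0 (0x0)
"EnableUIADesktopToggle "= 0 (0x0)
"PromptOnSecureDesktop "= 0 (0x0)
'''

SHELL_RE = re.compile(r'^(?P<cls>\S+) \[(?P<verb>[^\]]+)\] -- (?P<cmd>.*)$')
FILE_RE = re.compile(
    r'^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| '
    r'(?P<attr>\S+) \| \w\] \([^)]*\) -- (?P<path>.+)$')
POLICY_RE = re.compile(r'^"(?P<name>\w+)\s*"\s*=\s*(?P<value>\d+)')

# Stock Windows handler for executable classes; anything else means a
# third-party binary is interposed on every program launch.
DEFAULT_OPEN = '"%1" %*'
EXEC_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}
NUMERIC_NAME = re.compile(r'^~?\d+r?$')   # 27385592, ~27385592, ~27385592r


def parse_shell_spawning(text):
    """(class, verb) -> command, from OTL 'Shell Spawning' lines."""
    out = {}
    for line in text.splitlines():
        m = SHELL_RE.match(line.strip())
        if m:
            out[(m["cls"], m["verb"])] = m["cmd"].strip()
    return out


def shell_findings(spawn):
    """Executable classes whose [open] verb is not the stock "%1" %*."""
    return [f"{cls} [open] hijacked: {cmd}"
            for (cls, verb), cmd in spawn.items()
            if cls in EXEC_CLASSES and verb == "open" and cmd != DEFAULT_OPEN]


def parse_file_entries(text):
    """OTL custom-scan file lines -> dicts with date, size, attr, path."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append({"date": m["date"], "attr": m["attr"], "path": m["path"],
                            "size": int(m["size"].replace(",", ""))})
    return entries


def hidden_numeric_findings(entries):
    """Hidden (H attribute) files directly under ProgramData whose name is
    only digits, optionally ~-prefixed / r-suffixed.  Heuristic, not a signature."""
    hits = []
    for e in entries:
        parent, _, name = e["path"].rpartition("\\")
        if ("H" in e["attr"] and parent.lower().endswith("programdata")
                and NUMERIC_NAME.match(name)):
            hits.append(e["path"])
    return hits


def parse_policies(text):
    """ComboFix policy lines ("EnableLUA "= 0 (0x0)) -> {name: int}."""
    return {m["name"]: int(m["value"])
            for m in (POLICY_RE.match(l.strip()) for l in text.splitlines()) if m}


def uac_findings(policy):
    """Values that switch UAC off or make it silent.  Assumed Windows 7
    defaults: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1."""
    out = []
    if policy.get("EnableLUA") == 0:
        out.append("EnableLUA=0: UAC off; an admin user's processes run fully elevated")
    if policy.get("ConsentPromptBehaviorAdmin") == 0:
        out.append("ConsentPromptBehaviorAdmin=0: elevation without any prompt")
    if policy.get("PromptOnSecureDesktop") == 0:
        out.append("PromptOnSecureDesktop=0: prompts on the user desktop, spoofable")
    return out


if __name__ == "__main__":
    print("uac:", uac_findings(parse_policies(POLICIES)))
    print("hidden:", hidden_numeric_findings(parse_file_entries(CUSTOM_SCAN)))
    print("shell:", shell_findings(parse_shell_spawning(SHELL_SPAWNING + SHELL_HIJACKED)))
```

Run as-is it reports all three UAC values from the log, the three hidden ProgramData files, and a clean shell-spawning table for the thread's own lines (only the constructed SHELL_HIJACKED line trips that check). To use it on a real log, paste the relevant sections into the three sample constants; the parsers ignore any line that does not match their format, so whole sections can be dropped in unedited.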
     
