
[Solved] I think I have a virus - system is VERY slow

Discussion in 'Malware and Virus Removal Archive' started by Bocagal1, 2013/04/18.

  1. 2013/04/26
    Bocagal1 (Thread Starter)
    Results of screen317's Security Check version 0.99.63
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Please wait while WMIC compiles updated MOF files.
    displayName
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.75.0.1300
    EasyCleaner 2.2
    EasyCleaner
    Adobe Flash Player 11.7.700.169
    Adobe Reader XI
    Mozilla Firefox (20.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 3%
    ````````````````````End of Log``````````````````````
     
  2. 2013/04/26
    Bocagal1 (Thread Starter)
    While downloading FSS I was redirected several times to an invalid link containing the text 'doubleclik' in the link name. After 4 tries I finally used the CLICK here link to get FSS downloaded.

    Log here.

    Farbar Service Scanner Version: 14-04-2013
    Ran by Rosemary (administrator) on 26-04-2013 at 02:51:06
    Running from "C:\Documents and Settings\Rosemary\Local Settings\Temporary Internet Files\Content.IE5\AYZG1NWP "
    Microsoft Windows XP Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Attempt to access Yahoo IP returned error. Yahoo IP is offline
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x080000000500000001000000020000000300000004000000080000000600000007000000
    IpSec Tag value is correct.

    **** End of log ****
     


  4. 2013/04/26
    Bocagal1 (Thread Starter)
    Reboot after running TFC took almost 1 min to fully restore the desktop. No log from ESET.
     
  5. 2013/04/26
    broni (Moderator, Malware Analyst)
    Which browser redirects you?
     
  6. 2013/04/26
    Bocagal1 (Thread Starter)
    Internet Explorer 8.0.6001.1872
     
  7. 2013/04/26
    broni (Moderator, Malware Analyst)
    You also have Firefox installed.
    Can you check whether Firefox is affected as well?

    As for IE...

    Reset Internet Explorer.
    Go here: http://support.microsoft.com/kb/923737 and run "FixIt" procedure.
    Make sure you follow ALL steps listed there.
     
  8. 2013/04/26
    Bocagal1 (Thread Starter)
    GMER 2.1.19163 - http://www.gmer.net
    Rootkit scan 2013-04-26 23:46:39
    Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 Hitachi_HDS721010CLA332 rev.JP4OA3MA 931.51GB
    Running: tdznvn8v.exe; Driver: C:\DOCUME~1\Rosemary\LOCALS~1\Temp\kxtoiaob.sys


    ---- Kernel code sections - GMER 2.1 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5A643C0, 0x84E4FA, 0xE8000020]
    .text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0xA4918000, 0x2892, 0xE8000020]
    .vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xA493B050]
    ? C:\DOCUME~1\Rosemary\LOCALS~1\Temp\kxtoiaoc.sys The filename, directory name, or volume label syntax is incorrect. !

    ---- User code sections - GMER 2.1 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21550D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A95 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254674 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E727F C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E71B1 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E721C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7082 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70E4 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72E2 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7146 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[1232] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E7600 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtAddAtom + 6 7C90CEE4 4 Bytes CALL 7B915535
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtAddAtom + B 7C90CEE9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 48, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateKey + 6 7C90D0F4 4 Bytes [68, 49, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateKey + B 7C90D0F9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateMutant + 6 7C90D114 4 Bytes [28, 4A, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateMutant + B 7C90D119 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateSection + 6 7C90D184 4 Bytes [68, 4A, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtCreateSection + B 7C90D189 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtDeleteAtom + 6 7C90D224 4 Bytes [68, 4D, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtDeleteAtom + B 7C90D229 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtDeleteValueKey + 6 7C90D274 4 Bytes CALL 7B9158C3
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtDeleteValueKey + B 7C90D279 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtFindAtom + 6 7C90D324 4 Bytes [28, 4D, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtFindAtom + B 7C90D329 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes CALL 7B915B76
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 48, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenKey + 6 7C90D5D4 4 Bytes [A8, 49, 86, 00] {TEST AL, 0x49; XCHG [EAX], AL}
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenKey + B 7C90D5D9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenMutant + 6 7C90D5E4 4 Bytes CALL 7B915C32
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenMutant + B 7C90D5E9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [68, 4B, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes [A8, 4B, 86, 00] {TEST AL, 0x4b; XCHG [EAX], AL}
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [68, 4C, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenSection + 6 7C90D634 4 Bytes [A8, 4A, 86, 00] {TEST AL, 0x4a; XCHG [EAX], AL}
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenSection + B 7C90D639 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [28, 4B, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [28, 4C, 86, 00] {SUB [ESI+EAX*4+0x0], CL}
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes [A8, 4C, 86, 00] {TEST AL, 0x4c; XCHG [EAX], AL}
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 48, 86, 00] {TEST AL, 0x48; XCHG [EAX], AL}
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B915E01
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtQueryInformationAtom + 6 7C90D7C4 4 Bytes [A8, 4D, 86, 00] {TEST AL, 0x4d; XCHG [EAX], AL}
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtQueryInformationAtom + B 7C90D7C9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 49, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes CALL 7B916304
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [28, 4E, 86, 00]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C00B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] kernel32.dll!CreateEventW 7C80A749 5 Bytes JMP 009C0030
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] kernel32.dll!CreateThread 7C810707 5 Bytes JMP 009C0170
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] kernel32.dll!OpenEventW 7C81F472 5 Bytes JMP 009C0070
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!RegisterClassExA 7E427C39 5 Bytes JMP 00AB0430
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!ActivateKeyboardLayout 7E428673 5 Bytes JMP 00AB03F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!IsClipboardFormatAvailable 7E42F166 5 Bytes JMP 00AB00F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetClipboardSequenceNumber 7E42F17A 2 Bytes JMP 00AB02B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetClipboardSequenceNumber + 3 7E42F17D 2 Bytes [68, 82]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!CloseClipboard 7E430265 5 Bytes JMP 00AB00B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!OpenClipboard 7E430277 5 Bytes JMP 00AB0070
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!EmptyClipboard 7E430D96 5 Bytes JMP 00AB0130
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetClipboardOwner 7E430DA8 5 Bytes JMP 00AB02F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetClipboardData 7E430DBA 5 Bytes JMP 00AB0030
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 00AB0170
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetClipboardFormatNameA 7E431290 5 Bytes JMP 00AB0270
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!CountClipboardFormats 7E43167F 5 Bytes JMP 00AB01F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetOpenClipboardWindow 7E431691 5 Bytes JMP 00AB0370
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!EnumClipboardFormats 7E43E53D 5 Bytes JMP 00AB01B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetClipboardFormatNameW 7E45957F 5 Bytes JMP 00AB0230
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetClipboardViewer 7E46CB94 5 Bytes JMP 00AB03B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] USER32.dll!GetPriorityClipboardFormat 7E46CC96 5 Bytes JMP 00AB0330
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetDeviceCaps 77F15A71 5 Bytes JMP 00AC0370
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SelectObject 77F15B70 5 Bytes JMP 00AC05B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetTextColor 77F15D77 5 Bytes JMP 00AC0970
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetBkMode 77F15EDB 5 Bytes JMP 00AC0830
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!IntersectClipRect 77F16A56 5 Bytes JMP 00AC03B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetClipBox 77F16AA1 5 Bytes JMP 00AC0330
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!DeleteObject 77F16BFA 5 Bytes JMP 00AC01B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 00AC0170
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!ExtSelectClipRgn 77F17874 5 Bytes JMP 00AC02F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SelectClipRgn 77F17AA0 5 Bytes JMP 00AC0570
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetTextMetricsW 77F17DB9 5 Bytes JMP 00AC0D30
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00AC08B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetStretchBltMode 77F18597 5 Bytes JMP 00AC05F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!RestoreDC 77F18B28 5 Bytes JMP 00AC04F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SaveDC 77F18BEE 5 Bytes JMP 00AC0530
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetTextAlign 77F18C8B 5 Bytes JMP 00AC0930
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!MoveToEx 77F1A21A 5 Bytes JMP 00AC0430
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetTextFaceW 77F1A5CB 5 Bytes JMP 00AC0C70
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!StretchDIBits 77F1B0AE 2 Bytes JMP 00AC06B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!StretchDIBits + 3 77F1B0B1 2 Bytes [BA, 88]
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetWorldTransform 77F1B457 5 Bytes JMP 00AC0630
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 00AC00B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 00AC00F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!ExtEscape 77F1C3CC 5 Bytes JMP 00AC02B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00AC0870
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!LineTo 77F1D997 5 Bytes JMP 00AC03F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetTextMetricsA 77F1DF45 5 Bytes JMP 00AC0CF0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetICMMode 77F1E868 5 Bytes JMP 00AC0CB0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!Rectangle 77F1E9BE 5 Bytes JMP 00AC08F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetFontData 77F1F314 5 Bytes JMP 00AC0BB0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetTextFaceA 77F1F365 5 Bytes JMP 00AC0C30
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetPolyFillMode 77F20817 5 Bytes JMP 00AC0A70
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SetMiterLimit 77F20E8E 5 Bytes JMP 00AC0AB0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!Escape 77F26F5A 5 Bytes JMP 00AC0270
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!ResetDCW 77F2B9AF 5 Bytes JMP 00AC09F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!CreateICW 77F2C813 5 Bytes JMP 00AC0130
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!BeginPath 77F2D4B0 5 Bytes JMP 00AC0770
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!EndPath 77F2D530 5 Bytes JMP 00AC09B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!SelectClipPath 77F2D5B7 5 Bytes JMP 00AC0A30
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!EndPage 77F2DC61 5 Bytes JMP 00AC0230
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!EndDoc 77F2DEF1 5 Bytes JMP 00AC01F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!PolyBezierTo 77F2EBD1 5 Bytes JMP 00AC0470
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!PolylineTo 77F2EC7E 5 Bytes JMP 00AC04B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!CloseFigure 77F2ED1A 5 Bytes JMP 00AC0070
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!StartPage 77F2F49E 5 Bytes JMP 00AC0670
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!RemoveFontResourceW 77F3D07C 5 Bytes JMP 00AC0B70
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!GetGlyphOutlineW 77F3E6D1 5 Bytes JMP 00AC0BF0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!AddFontResourceW 77F3FFAB 5 Bytes JMP 00AC0B30
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!CreateScalableFontResourceW 77F40160 5 Bytes JMP 00AC0AF0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!AbortDoc 77F44CD2 5 Bytes JMP 00AC0030
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 00AC0730
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!StrokePath 77F460B7 5 Bytes JMP 00AC06F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!FillPath 77F46144 5 Bytes JMP 00AC07B0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] GDI32.dll!PolyDraw 77F4667B 5 Bytes JMP 00AC07F0
    .text C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe[2352] ole32.dll!OleSetClipboard 77547808 5 Bytes JMP 00C20030
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21550D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E727F C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E71B1 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E721C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7082 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70E4 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72E2 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2380] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7146 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21550D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A95 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254674 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E727F C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E71B1 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E721C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7082 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70E4 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72E2 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7146 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[2524] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E7600 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21550D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A95 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254674 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E727F C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E71B1 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E721C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7082 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70E4 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72E2 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7146 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[3120] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E7600 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E21550D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A95 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD10D C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB04 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254674 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E727F C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E71B1 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E721C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7082 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70E4 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72E2 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7146 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB60 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\iexplore.exe[6012] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E7600 C:\WINDOWS\system32\IEFRAME.dll

    ---- Devices - GMER 2.1 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

    ---- Registry - GMER 2.1 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{8D62E448-0EB0-48D8-872C-E9889409C5E2}\0000@D3D_\x3332\x3331 2089309684
    Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{8D62E448-0EB0-48D8-872C-E9889409C5E2}\0001@D3D_\x3332\x3331 2089309684
    Reg HKLM\SYSTEM\ControlSet002\Control\Video\{8D62E448-0EB0-48D8-872C-E9889409C5E2}\0000@D3D_\x3332\x3331 2089309684
    Reg HKLM\SYSTEM\ControlSet002\Control\Video\{8D62E448-0EB0-48D8-872C-E9889409C5E2}\0001@D3D_\x3332\x3331 2089309684
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

    ---- Disk sectors - GMER 2.1 ----

    Disk \Device\Harddisk0\DR0 unknown MBR code

    ---- EOF - GMER 2.1 ----
     
  9. 2013/04/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I didn't ask for GMER.
     
  10. 2013/04/27
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    Oops, in Task Manager I found WPPFontCache-v0400.exe

    MajorGeeks suggests it be removed, but it doesn't show in my local Services list to allow me to disable it??

    http://forums.majorgeeks.com/showthread.php?t=258529

    I also received the 'Do you want to stop the script running on this page...' message when trying to re-open this window just now??
     
  11. 2013/04/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I suggest you re-read my reply #26.
     
  12. 2013/04/27
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    Shall do
     
    Last edited: 2013/04/27
  13. 2013/04/28
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    I did re-run #26. Still running at 68% with only this window and Windows Live Mail open???
    Now a new IE window opens to About:Tabs, not the default start page of Google as specified in Tools/Internet Options/Home Page.
     
    Last edited: 2013/04/28
  14. 2013/04/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. What is running at 68%?

    2. If you really did reset IE it should be opening to a blank page not to Google.
    Is the redirection gone?

    3. I'm not sure how carefully you re-read my post #26 since you still didn't answer my question:
     
  15. 2013/04/30
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    System performance is running at 68% with only this window and Live mail open. I did look at Firefox and it seems to run normally.
     
  16. 2013/04/30
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    System performance was running at 68%. I didn't read #26 carefully enough, and also didn't try Firefox, apologies. Firefox now starts with the home page set to Google, as does a new opening of IE. I think you may have solved the problem. Thousands of thanks.

    Do I mark the thread as resolved, or do you?
     
  17. 2013/04/30
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    Once again, with only this window and Windows Live Mail open, system performance is pegged at 87 to 100% busy. Microsoft Security Essentials has alerted about a problem being fixed.
     
  18. 2013/04/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
    Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
    Click on View > Select Columns.
    In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
    Go to File > Save As, and save the report as Procexp.txt.
    Attach the file to your next reply.
     
  19. 2013/05/01
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    Code:
    Process	PID	CPU	Private Bytes	Working Set	Description	Company Name	Command Line
    System Idle Process	0	65.91	0 K	28 K			
    System	4		0 K	260 K			
     Interrupts	n/a	0.76	0 K	0 K	Hardware Interrupts and DPCs		
     smss.exe	612		172 K	928 K	Windows NT Session Manager	Microsoft Corporation	\SystemRoot\System32\smss.exe
      csrss.exe	660	0.76	2,176 K	10,768 K	Client Server Runtime Process	Microsoft Corporation	C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
      winlogon.exe	688		8,368 K	4,988 K	Windows NT Logon Application	Microsoft Corporation	winlogon.exe
       services.exe	732		1,980 K	8,556 K	Services and Controller app	Microsoft Corporation	C:\WINDOWS\system32\services.exe
        svchost.exe	916		3,908 K	21,336 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k DcomLaunch
         axlbridge.exe	4840		1,628 K	4,800 K	AXLBridge Module	Intuit Inc.	 "C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe" -Embedding
         iexplore.exe	1296		81,812 K	83,792 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
          ctfmon.exe	3076		4,048 K	5,108 K	CTF Loader	Microsoft Corporation	ctfmon.exe
          iexplore.exe	384	20.45	81,088 K	92,756 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145451
          iexplore.exe	4256		33,912 K	45,512 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145452
          iexplore.exe	8160		7,472 K	10,564 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145453
          iexplore.exe	5036		7,468 K	10,580 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145454
          iexplore.exe	5016		7,476 K	10,532 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145455
          iexplore.exe	7352		7,472 K	10,508 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145456
          iexplore.exe	5464		7,468 K	10,524 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145457
          iexplore.exe	3620		7,364 K	10,400 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145458
          iexplore.exe	7056		7,364 K	10,396 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145459
          iexplore.exe	4432		7,360 K	10,412 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145460
          iexplore.exe	7792		7,360 K	10,396 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145461
          iexplore.exe	7444		7,356 K	10,396 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145462
          iexplore.exe	7364		7,348 K	10,388 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145463
          iexplore.exe	7892		7,360 K	10,376 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145464
          iexplore.exe	6908		7,356 K	10,364 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145465
          iexplore.exe	5840		7,004 K	10,072 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:145466
         igfxsrvc.exe	4468		1,108 K	3,388 K	igfxsrvc Module	Intel Corporation	C:\WINDOWS\system32\igfxsrvc.exe -Embedding
         wlcomm.exe	2664		24,412 K	31,172 K	Windows Live Communications Platform	Microsoft Corporation	 "C:\Program Files\Windows Live\Contacts\wlcomm.exe" -Embedding
         wmiprvse.exe	7908		2,552 K	5,128 K	WMI	Microsoft Corporation	C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
        svchost.exe	984		3,192 K	20,224 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k rpcss
        MsMpEng.exe	1080		70,544 K	68,944 K	Antimalware Service Executable	Microsoft Corporation	 "C:\Program Files\Microsoft Security Client\MsMpEng.exe "
        svchost.exe	1116		32,684 K	88,916 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\System32\svchost.exe -k netsvcs
         wuauclt.exe	4592		2,376 K	4,476 K	Windows Update	Microsoft Corporation	 "C:\WINDOWS\system32\wuauclt.exe "
        svchost.exe	1156		2,532 K	17,588 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
        svchost.exe	1316		1,896 K	17,724 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k NetworkService
        svchost.exe	1436		1,356 K	17,036 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k LocalService
        spoolsv.exe	1568		6,120 K	23,540 K	Spooler SubSystem App	Microsoft Corporation	C:\WINDOWS\system32\spoolsv.exe
        svchost.exe	1960		2,332 K	19,160 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k LocalService
        svchost.exe	2028		11,528 K	27,592 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k netsvcs
        E_S40ST7.EXE	1420		752 K	14,032 K	EPSON Status Monitor 3	SEIKO EPSON CORPORATION	 "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE "
        E_S40RP7.EXE	1448		544 K	4,876 K	EPSON Status Monitor 3	SEIKO EPSON CORPORATION	 "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE "
        IntuitUpdateService.exe	1536		51,036 K	1,052 K	Intuit Update Service	Intuit Inc.	 "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe "
        nvsvc32.exe	1676		5,280 K	20,776 K	NVIDIA Driver Helper Service, Version 307.90	NVIDIA Corporation	C:\WINDOWS\system32\nvsvc32.exe
        QBCFMonitorService.exe	288		15,152 K	18,704 K	QuickBooks Company File Monitoring Service	Intuit	 "C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe "
        QBIDPService.exe	564		11,088 K	24,256 K	QBIDPService	Intuit Inc.	 "C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe "
        svchost.exe	648		2,624 K	18,512 K	Generic Host Process for Win32 Services	Microsoft Corporation	C:\WINDOWS\system32\svchost.exe -k imgsvc
        alg.exe	2848		1,304 K	17,076 K	Application Layer Gateway Service	Microsoft Corporation	C:\WINDOWS\System32\alg.exe
        dllhost.exe	2940		3,168 K	21,824 K	COM Surrogate	Microsoft Corporation	C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{02D4B3F1-FD88-11D1-960D-00805FC79235}
        msdtc.exe	2456		2,016 K	18,672 K	MS DTC console program	Microsoft Corporation	C:\WINDOWS\system32\msdtc.exe
        WPFFontCache_v0400.exe	2188		1,476 K	21,172 K	wpffontcache_v0400.exe	Microsoft Corporation	C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
        CarboniteService.exe	2284	0.76	20,820 K	50,136 K	Carbonite Secure Backup Engine	Carbonite, Inc. (www.carbonite.com)	 "C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe "
        IntuitUpdateService.exe	4380		72,212 K	10,760 K	Intuit Update Service	Intuit Inc.	 "C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe "
        dllhost.exe	6896		2,268 K	6,172 K	COM Surrogate	Microsoft Corporation	C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{36422178-2786-4D93-B465-6147274AC729}
        vssvc.exe	7580		3,424 K	7,684 K	Microsoft® Volume Shadow Copy Service	Microsoft Corporation	C:\WINDOWS\System32\vssvc.exe
       lsass.exe	744		5,752 K	4,196 K	LSA Shell (Export Version)	Microsoft Corporation	C:\WINDOWS\system32\lsass.exe
    explorer.exe	1856		44,448 K	16,804 K	Windows Explorer	Microsoft Corporation	C:\WINDOWS\Explorer.EXE
     CarboniteUI.exe	3576		54,604 K	75,160 K	Carbonite User Interface	Carbonite, Inc.	 "C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" 
     msseces.exe	3592		8,196 K	27,300 K	Microsoft Security Client User Interface	Microsoft Corporation	 "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
     msmsgs.exe	3704		3,872 K	19,072 K	Windows Messenger	Microsoft Corporation	 "C:\Program Files\Messenger\msmsgs.exe" /background
     ctfmon.exe	3724		3,484 K	19,924 K	CTF Loader	Microsoft Corporation	 "C:\WINDOWS\system32\ctfmon.exe" 
     Dropbox.exe	3760		81,476 K	97,568 K	Dropbox	Dropbox, Inc.	 "C:\Documents and Settings\Rosemary\Application Data\Dropbox\bin\Dropbox.exe" 
     iexplore.exe	2276		22,652 K	31,544 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\iexplore.exe" 
      iexplore.exe	2992		451,952 K	462,812 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:79873
      iexplore.exe	3020		145,504 K	156,976 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:14348
      iexplore.exe	4084		34,436 K	45,336 K	Internet Explorer	Microsoft Corporation	 "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:145494
       WinRAR.exe	7384		9,492 K	13,976 K	WinRAR archiver	Alexander Roshal	 "C:\Program Files\WinRAR\WinRAR.exe"   "C:\Documents and Settings\Rosemary\Local Settings\Temporary Internet Files\Content.IE5\QLYAE1N7\ProcessExplorer[1].zip "
            procexp.exe	3496	0.76	15,972 K	23,832 K	Sysinternals Process Explorer	Sysinternals - www.sysinternals.com	 "C:\DOCUME~1\Rosemary\LOCALS~1\Temp\Rar$EXa0.001\procexp.exe" 
     wlmail.exe	3552		43,700 K	63,948 K	Windows Live Mail	Microsoft Corporation	 "C:\Program Files\Windows Live\Mail\wlmail.exe" 
    QBW32.EXE	2576		105,020 K	28,968 K	QuickBooks	Intuit Inc.	 "C:\Program Files\Intuit\QuickBooks 2012\qbw32.exe" /Fpro -TickCount=31896781 /NoShowLoadingQBWnd
     QBDBMgr.exe	3548		144,524 K	43,480 K	Intuit Personal Database Manager	Intuit, Inc.	C:\PROGRA~1\Intuit\QUICKB~3\QBDBMgr.exe -n QB_data_engine_22 -qs -gd ALL -gk all -gp 4096 -gu all -ch 256M -ti 0 -c 128M -x none  -qi -qw  -tl 120 -oe  "C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks\DBStartup.log "
      dbextclr11.exe	4144		29,660 K	29,744 K	iAnywhere.SAClrClassLoader	iAnywhere Solutions, Inc.	 "C:\PROGRA~1\Intuit\QUICKB~3\dbextclr11.exe"  "QB_data_engine_22"  "a31b206cac9a4f0cb4c764f7c044c791"  "PUBLIC"  "495494379:539003336:4::2013-04-27 07:01:00.125" 
    TurboTax.exe	204	10.61	224,600 K	106,240 K	TurboTax	Intuit	 "C:\Program Files\TurboTax\Deluxe 2012\32bit\TurboTax.exe" -NOCHECK
    rundll32.exe	5452		5,948 K	7,336 K	Run a DLL as an App	Microsoft Corporation	rundll32.exe  "C:\Documents and Settings\Rosemary\Application Data\nscsre.dll ",Display
    rundll32.exe	180		6,064 K	9,140 K	Run a DLL as an App	Microsoft Corporation	rundll32.exe  "C:\Documents and Settings\Rosemary\Application Data\ksgig.dll ",Optimize
    MpCmdRun.exe	7300		6,308 K	8,456 K	Microsoft Malware Protection Command Line Utility	Microsoft Corporation	 "C:\Program Files\Microsoft Security Client\MpCmdRun.exe" SpyNetService -RestrictPrivileges -AccessKey 3F0B2274-47FF-D138-0D11-F0AF9F36C4F8 -Reinvoke
     
    Last edited by a moderator: 2013/05/01
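    Reading an export like the one above by eye works for a short list, but the same triage can be scripted so it is repeatable. The following is an added example, not part of this thread and not a Sysinternals tool: it parses the tab-separated file that Process Explorer writes from File > Save As (the steps in reply #18), restores the process tree from the one-space-per-level indentation of the Process column, and lists every rundll32.exe whose DLL argument sits under a user profile directory rather than a system or program directory, which is what two rows in the export above show. The sample rows are constructed from that export, and the flagging rule (a DLL path under Documents and Settings\<user>\Application Data, Local Settings, or Users\<user>\AppData) is an assumption of the example; a hit means "look at this file", not a verdict on it.

```python
"""Triage helper for a Process Explorer tab-separated export (File > Save As).

Process Explorer writes one row per process. The Process column is indented by
one space per level of the process tree, followed by PID, CPU, Private Bytes,
Working Set, Description, Company Name and, when that column is enabled,
Command Line. This script rebuilds parent/child links from the indentation and
flags rundll32.exe instances whose DLL argument lives under a user profile.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Proc:
    name: str
    pid: int
    depth: int
    company: str
    cmdline: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


# Constructed sample rows, modelled on the export posted in the thread
# (same column layout; only a handful of processes kept).
SAMPLE_ROWS = [
    ("Process", "PID", "CPU", "Private Bytes", "Working Set",
     "Description", "Company Name", "Command Line"),
    ("System Idle Process", "0", "65.91", "0 K", "28 K", "", "", ""),
    ("System", "4", "", "0 K", "260 K", "", "", ""),
    (" Interrupts", "n/a", "0.76", "0 K", "0 K", "Hardware Interrupts and DPCs", "", ""),
    ("explorer.exe", "1856", "", "44,448 K", "16,804 K", "Windows Explorer",
     "Microsoft Corporation", r"C:\WINDOWS\Explorer.EXE"),
    (" iexplore.exe", "2276", "", "22,652 K", "31,544 K", "Internet Explorer",
     "Microsoft Corporation", r' "C:\Program Files\Internet Explorer\iexplore.exe" '),
    ("  iexplore.exe", "2992", "", "451,952 K", "462,812 K", "Internet Explorer",
     "Microsoft Corporation",
     r' "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2276 CREDAT:79873'),
    ("rundll32.exe", "5452", "", "5,948 K", "7,336 K", "Run a DLL as an App",
     "Microsoft Corporation",
     r'rundll32.exe  "C:\Documents and Settings\Rosemary\Application Data\nscsre.dll ",Display'),
    ("rundll32.exe", "180", "", "6,064 K", "9,140 K", "Run a DLL as an App",
     "Microsoft Corporation",
     r'rundll32.exe  "C:\Documents and Settings\Rosemary\Application Data\ksgig.dll ",Optimize'),
    # A rundll32 loading a system DLL, constructed to show what is NOT flagged.
    ("rundll32.exe", "999", "", "1,000 K", "2,000 K", "Run a DLL as an App",
     "Microsoft Corporation", r"rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL"),
]
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def parse_export(text: str) -> List[Proc]:
    """Parse the export into Proc objects with parent/child links restored."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    procs: List[Proc] = []
    stack: List[Proc] = []          # ancestors of the row being parsed
    for raw in lines[1:]:           # lines[0] is the header row
        cols = raw.split("\t")
        name_col = cols[0]
        depth = len(name_col) - len(name_col.lstrip(" "))
        pid_txt = cols[1].strip() if len(cols) > 1 else ""
        pid = int(pid_txt) if pid_txt.isdigit() else -1   # "n/a" on pseudo-rows
        company = cols[6].strip() if len(cols) > 6 else ""
        cmdline = cols[7].strip() if len(cols) > 7 else ""
        proc = Proc(name_col.strip(), pid, depth, company, cmdline)
        while stack and stack[-1].depth >= depth:   # climb back to the real parent
            stack.pop()
        if stack:
            proc.parent = stack[-1]
            stack[-1].children.append(proc)
        stack.append(proc)
        procs.append(proc)
    return procs


# rundll32 argument: optional quotes, DLL path, optional stray space, comma, entry point.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)\s*"?\s*,\s*(\w+)', re.I)
# User-profile data directories on XP and on Vista-and-later layouts (assumed rule).
USER_PROFILE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Application Data|Local Settings|AppData)\\",
    re.I)


def find_suspicious_rundll32(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (pid, dll_path, entry_point) for each rundll32 loading a user-profile DLL."""
    hits = []
    for p in procs:
        if p.name.lower() != "rundll32.exe":
            continue
        m = RUNDLL_ARG.search(p.cmdline)
        if not m:
            continue
        dll, entry = m.group(1).strip(), m.group(2)
        if USER_PROFILE.search(dll):
            hits.append((p.pid, dll, entry))
    return hits


def ancestry(p: Proc) -> str:
    """Render the parent chain, e.g. 'explorer.exe(1856) > iexplore.exe(2276)'."""
    chain = []
    while p is not None:
        chain.append(f"{p.name}({p.pid})")
        p = p.parent
    return " > ".join(reversed(chain))


if __name__ == "__main__":
    procs = parse_export(SAMPLE_EXPORT)
    for pid, dll, entry in find_suspicious_rundll32(procs):
        proc = next(x for x in procs if x.pid == pid)
        print(f"REVIEW pid {pid}: rundll32 -> {dll},{entry}  [{ancestry(proc)}]")
```

    Point the script at a real Procexp.txt by reading the file into `parse_export` instead of `SAMPLE_EXPORT`. The parent chain is printed with each hit because, in an export, rundll32 rows at the top level (no parent in the tree) have usually outlived whatever started them, which is itself worth noting when deciding what to look at next.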
  20. 2013/05/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Check Primary and Secondary IDE settings: Device Manager -> IDE ATA/ATAPI controllers -> Primary or Secondary IDE Channel -> Properties -> Advanced Settings. Look at the Current Transfer Mode field.
    See if it's in PIO mode instead of DMA mode.
     
  21. 2013/05/02
    Bocagal1

    Bocagal1 Banned Thread Starter

    Joined:
    2013/04/17
    Messages:
    33
    Likes Received:
    0
    IDE/ATA/ATAPI controllers shows two ATA Storage Controllers: 27DF and 27Co

    and two primary and two secondary IDE channels.

    First Primary IDE Channel
    Current Transfer Mode = PIO (Device 0) and = Not applicable (Device 1)
    Second Primary IDE Channel: both Device 0 & Device 1 = Not applicable
    Transfer Mode = DMA (if available)

    First "Secondary IDE Channel"
    Current Transfer Mode (Device 0) = Ultra DMA Mode 5
    Current Transfer Mode (Device 1) = Not applicable

    Second "Secondary IDE Channel"
    Current Transfer Mode (Device 0) = Not applicable
    Current Transfer Mode (Device 1) = Not applicable

    What changes should I make?
     
