
Solved Can't stop the Pop-Ups --Main.txt Posted

Discussion in 'Malware and Virus Removal Archive' started by ebsteve, 2007/08/06.

  1. 2007/08/06
    ebsteve

    ebsteve Inactive Thread Starter

    [Resolved] Can't stop the Pop-Ups --Main.txt Posted

    Deckard's System Scanner v20070804.61
    Run by Tom on 2007-08-06 at 20:53:27
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 4 Restore Point(s) --
    4: 2007-08-07 03:53:35 UTC - RP4 - Deckard's System Scanner Restore Point
    3: 2007-08-06 10:01:42 UTC - RP3 - Software Distribution Service 3.0
    2: 2007-08-05 10:01:09 UTC - RP2 - Software Distribution Service 3.0
    1: 2007-08-05 03:47:01 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 510 MiB (512 MiB recommended).


    -- HijackThis (run as Tom.exe) -------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 8:55:30 PM, on 8/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    c:\program files\common files\installshield\updateservice\isuspm.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Tom\Desktop\dss.exe
    C:\DOCUME~1\Tom\Desktop\Tom.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=cdd
    O2 - BHO: AdsCleaner Helper - {40FB69E1-9B7B-453F-B238-37D8E9528929} - C:\Program Files\SoftInform\AdsCleaner Trial\PAKIEPlugins.dll
    O2 - BHO: FormFiller Helper - {C0D5D8B0-D626-4C77-8ED4-CFE4C41BCDA1} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O2 - BHO: Offliner AdFilter Helper - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - C:\WINDOWS\system32\SiPlugins.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
    O3 - Toolbar: AdsCleaner Links Bar - {A8415B7A-F661-4D31-92D7-4398E50483DF} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O3 - Toolbar: AdsCleaner Bar - {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O3 - Toolbar: iNetFormFiller Bar - {B9F7135C-B512-4CC3-9316-FA0044083914} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [PRO Landscape Dashboard] C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe /hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [AdsCleaner] C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe /MIN
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: Add banner url(s) to AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_banner.htm
    O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_collector_sel.htm
    O8 - Extra context menu item: Bookmark all links in AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_all.htm
    O8 - Extra context menu item: Bookmark selected link(s) in AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_sel.htm
    O8 - Extra context menu item: Open all links in new windows - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_open_all.htm
    O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_open_sel.htm
    O8 - Extra context menu item: Say to AdsCleaner Team about banner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_report_ad.htm
    O8 - Extra context menu item: Show domain links - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_domain_links.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: iNetFormFiller Bar - {8B393324-2563-4E7A-B272-859BE0D2BA11} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AdsCleaner Bar - {B5D8F853-BEC9-4F9C-B3C9-0F744B6869D1} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186285809390
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AD0D0.dat
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>

    S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys
    S3 RDID1059 (Cakewalk Music Connector 1) - c:\windows\system32\drivers\rdwm1059.sys <Not Verified; Roland Corporation; >


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 AdobeActiveFileMonitor4.0 (Adobe Active File Monitor V4) - c:\program files\adobe\photoshop elements 4.0\photoshopelementsfileagent.exe
    R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>

    S2 MskService (McAfee SpamKiller Server) - c:\progra~1\mcafee\spamki~1\msksrvr.exe <Not Verified; McAfee Inc.; McAfee SpamKiller>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) 82865G Graphics Controller
    Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_01D51028&REV_02\3&172E68DD&0&10
    Manufacturer: Intel Corporation
    Name: Intel(R) 82865G Graphics Controller
    PNP Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_01D51028&REV_02\3&172E68DD&0&10
    Service: ialm


    -- Scheduled Tasks -------------------------------------------------------------

    2007-08-06 02:03:52 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
    2007-08-01 01:00:28 348 --a------ C:\WINDOWS\Tasks\McQcTask.job
    2007-07-15 01:13:42 346 --a------ C:\WINDOWS\Tasks\McDefragTask.job


    -- Files created between 2007-07-06 and 2007-08-06 -----------------------------

    2007-08-06 08:53:07 0 d-------- C:\WINDOWS\system32\Panda Software
    2007-08-06 08:42:15 0 d-------- C:\Program Files\Panda Security
    2007-08-05 21:50:43 0 d-------- C:\WINDOWS\system32\ActiveScan
    2007-08-05 21:08:07 0 d-------- C:\Documents and Settings\Tom\Application Data\McAfee
    2007-08-05 17:51:05 0 d-------- C:\Program Files\Windows Live Safety Center
    2007-08-05 17:51:03 0 d-------- C:\WINDOWS\LastGood
    2007-08-05 09:30:34 0 d-------- C:\Documents and Settings\Tom\Application Data\SoftInform
    2007-08-05 03:01:53 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-08-04 08:43:08 0 d-------- C:\Documents and Settings\Tom\Application Data\iNetFormFiller
    2007-08-04 08:43:03 0 d-------- C:\Program Files\iNetFormFiller Trial
    2007-08-04 08:40:22 0 d-------- C:\Documents and Settings\Tom\Application Data\AdsCleaner
    2007-08-04 08:40:17 0 d-------- C:\Program Files\SoftInform
    2007-08-03 15:48:09 28672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
    2007-08-02 07:55:56 0 d-------- C:\Program Files\MSXML 6.0
    2007-08-02 07:52:48 0 d-------- C:\Program Files\MSBuild
    2007-08-02 07:37:57 0 d-------- C:\WINDOWS\system32\XPSViewer
    2007-08-02 07:35:41 0 d-------- C:\Program Files\Reference Assemblies
    2007-08-02 06:56:18 0 d-------- C:\cf1edb0b461f19f11d10c88bd3211a95
    2007-08-02 06:53:28 0 d-------- C:\Program Files\Windows Media Connect 2
    2007-08-02 06:45:37 0 d-------- C:\WINDOWS\system32\LogFiles
    2007-08-02 06:45:37 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-08-02 00:32:50 0 d-------- C:\Program Files\Windows Defender
    2007-08-02 00:04:45 0 d-------- C:\Program Files\RegistryFix
    2007-08-01 20:37:55 1152 --a------ C:\WINDOWS\system32\windrv.sys
    2007-08-01 20:37:20 0 d-------- C:\Program Files\Common Files\Download Manager
    2007-08-01 12:04:29 0 d-------- C:\Documents and Settings\Tom\.housecall6.6
    2007-07-31 22:56:31 64991 --a------ C:\WINDOWS\system32\__c00FECE8.dat
    2007-07-31 22:56:27 106496 --a------ C:\WINDOWS\system32\__c00AD0D0.dat
    2007-07-19 07:36:45 0 d-------- C:\Documents and Settings\Tom\Application Data\Google
    2007-07-19 07:27:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
    2007-07-19 07:27:38 0 d-------- C:\Program Files\Google


    -- Find3M Report ---------------------------------------------------------------

    2007-08-06 03:03:34 0 d-------- C:\Program Files\OFFICE11
    2007-08-03 09:45:22 0 d-------- C:\Program Files\XoftSpy
    2007-08-01 20:37:20 0 d-------- C:\Program Files\Common Files
    2007-08-01 07:45:39 0 d-------- C:\Program Files\McAfee
    2007-07-31 17:11:00 0 d-------- C:\Documents and Settings\Tom\Application Data\Simple Star
    2007-07-23 20:00:43 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_137D34E5-C842-4378-B260-A9DBF3403999.txt
    2007-07-23 20:00:33 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_5AB595CC-B9BB-4287-8111-C8823380AB21.txt
    2007-07-23 20:00:32 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_8C7FA684-C179-4457-8F99-5F5760CC48AD.txt
    2007-07-23 09:29:02 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_8CD3F5FB-DCF5-4B23-94A2-81E8ACCF5766.txt
    2007-07-23 09:28:51 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_0101F549-A1B2-40EC-AE43-A1DC74F81B14.txt
    2007-07-23 09:28:48 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_91ED0771-8BE6-4808-977E-7E1599BDFE8D.txt
    2007-07-20 08:43:56 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_7EF702D7-45DE-457B-A1EE-D6A9A22C8401.txt
    2007-07-20 08:43:49 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_533067C9-B8D6-435C-81AF-7D8DB97E9383.txt
    2007-07-20 08:43:48 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_F3F267A5-434F-41C6-A848-267C246B760C.txt
    2007-07-20 08:31:17 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_B85C4704-CE3A-42E1-A619-CD74EFCFDFAD.txt
    2007-07-20 08:31:06 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_37CABFD6-8D1F-4EB9-A873-9A6A49FE881B.txt
    2007-07-20 08:31:03 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_393411BE-8B58-4B25-8560-0E31F14CF05B.txt
    2007-07-01 13:52:13 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-07-01 13:52:13 104 -r-hs---- C:\WINDOWS\system32\50B17CCD2B.sys
    2007-06-30 08:49:39 0 d-------- C:\Documents and Settings\Tom\Application Data\Comcast
    2007-06-15 20:37:08 0 d-------- C:\Program Files\Common Files\Simple Star Shared
    2007-06-15 20:17:47 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_133DDF98-D20D-4BDB-B96F-A68575F2B09A.txt
    2007-06-15 20:17:37 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_14AE935B-3BE2-4A25-8783-CC35404A94F7.txt
    2007-06-15 20:17:35 2 --a------ C:\Documents and Settings\Tom\Application Data\7zip_progress_A9011AE0-C302-46AB-9D7F-F173F928A397.txt
    2007-06-15 19:57:41 0 d-------- C:\Program Files\Simple Star


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC9377A2-2E8D-44A1-99DB-F8A821DF254D}]
    04/26/2007 01:56 AM 237568 --a------ C:\WINDOWS\system32\SiPlugins.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [10/14/2004 05:42 PM]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [10/05/2005 01:12 AM]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/13/2004 01:30 PM]
    "ISUSPM Startup "= "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 08:44 AM]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 08:44 AM]
    "MSKDetectorExe "= "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [11/07/2006 03:49 PM]
    "DLA "= "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [09/08/2005 03:20 AM]
    "MSKAGENTEXE "= "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [09/26/2005 11:26 AM]
    "BuildBU "= "c:\dell\bldbubg.exe" [04/29/2006 01:33 PM]
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 01:18 AM]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [04/01/2005 04:16 PM]
    "nwiz "= "nwiz.exe" [04/01/2005 04:16 PM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [04/01/2005 04:16 PM]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [04/29/2006 01:50 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/11/2006 09:19 AM]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [05/20/2005 03:46 PM C:\WINDOWS\KHALMNPR.Exe]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [09/20/2005 09:35 AM]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [09/20/2005 09:32 AM]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [09/20/2005 09:36 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRO Landscape Dashboard "= "C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe" [12/26/2005 09:49 PM]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:00 AM]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [03/15/2007 11:09 AM]
    "Simple Star PhotoShow Media Manager "= "C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [02/23/2007 04:13 PM]
    "AdsCleaner "= "C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe" [04/27/2007 06:09 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
    ColorVisionStartup.lnk - C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [12/21/2004 10:37:55 AM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [4/29/2006 1:47:27 PM]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [12/12/2006 5:44:18 PM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= C:\WINDOWS\system32\ieframe.dll [04/25/2007 01:41 AM 6058496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINDOWS\system32\__c00AD0D0.dat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0428380b-0c8e-11dc-b577-00167650aeca}]
    AutoRun\command- G:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e44ad7b-6fa6-11db-b4db-00167650aeca}]
    AutoRun\command- F:\LaunchU3.exe -a

    *Newly Created Service* - RKPAVPROC



    -- End of Deckard's System Scanner: finished at 2007-08-06 at 20:57:39 ---------
    Last edited: 2007/08/06
  2. 2007/08/06
    noahdfear

    noahdfear Inactive

    Welcome to WindowsBBS ebsteve :)

    Let's run another tool that will show us a bit more.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    Close all applications and windows.
    Double-click on dss.exe to run it and follow the prompts.
    When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.

    Post the contents of main.txt only for now.

  4. 2007/08/07
    noahdfear

    noahdfear Inactive

    Please do not edit your previous posts with new information. Instead, click the Reply button to the lower left of the last post in the topic. Thanks! ;)

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    Download GMER

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.

    It will likely take several posts to get all of the logs posted, as there is a character limit per post on this forum.
  5. 2007/08/08
    ebsteve

    ebsteve Inactive Thread Starter

    Thank you, here are the logs. ComboFix:

    ComboFix 07-08-04.3 - "Tom" 2007-08-08 8:46:49.1 [GMT -7:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
    * Created a new restore point


    ((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


    2007-08-08 08:39 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-07 16:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-08-07 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-06 20:53 <DIR> d-------- C:\Deckard
    2007-08-06 08:53 <DIR> d-------- C:\WINDOWS\system32\Panda Software
    2007-08-06 08:42 <DIR> d-------- C:\Program Files\Panda Security
    2007-08-05 21:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-08-05 21:08 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\McAfee
    2007-08-05 17:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2007-08-05 11:24 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-08-05 09:30 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\SoftInform
    2007-08-05 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-08-05 02:40 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-08-04 08:43 <DIR> d-------- C:\Program Files\iNetFormFiller Trial
    2007-08-04 08:43 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\iNetFormFiller
    2007-08-04 08:40 <DIR> d-------- C:\Program Files\SoftInform
    2007-08-04 08:40 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\AdsCleaner
    2007-08-03 15:48 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
    2007-08-02 07:55 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-08-02 07:52 <DIR> d-------- C:\Program Files\MSBuild
    2007-08-02 07:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-08-02 07:35 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-08-02 06:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-08-02 06:56 <DIR> d-------- C:\cf1edb0b461f19f11d10c88bd3211a95
    2007-08-02 06:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-08-02 06:45 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-08-02 06:45 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-08-02 01:14 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
    2007-08-02 01:14 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
    2007-08-02 01:14 116,736 --------- C:\WINDOWS\system32\aaclient.dll
    2007-08-02 00:32 <DIR> d-------- C:\Program Files\Windows Defender
    2007-08-02 00:04 <DIR> d-------- C:\Program Files\RegistryFix
    2007-08-01 20:37 1,152 --a------ C:\WINDOWS\system32\windrv.sys
    2007-08-01 20:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-08-01 12:04 <DIR> d-------- C:\DOCUME~1\Tom\.housecall6.6
    2007-07-31 22:56 64,991 --a------ C:\WINDOWS\system32\__c00FECE8.dat
    2007-07-31 22:56 106,496 --a------ C:\WINDOWS\system32\__c00AD0D0.dat
    2007-07-19 07:36 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\Google
    2007-07-19 07:27 <DIR> d-------- C:\Program Files\Google
    2007-07-19 07:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-07 11:23 --------- d-------- C:\DOCUME~1\Tom\APPLIC~1\Simple Star
    2007-08-06 23:02 --------- d-------- C:\Program Files\OFFICE11
    2007-08-03 09:45 --------- d-------- C:\Program Files\XoftSpy
    2007-08-01 07:45 --------- d-------- C:\Program Files\McAfee
    2007-07-01 13:52 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-07-01 13:52 104 -r-hs---- C:\WINDOWS\system32\50B17CCD2B.sys
    2007-06-30 08:49 --------- d-------- C:\DOCUME~1\Tom\APPLIC~1\Comcast
    2007-06-15 20:37 --------- d-------- C:\Program Files\Common Files\Simple Star Shared
    2007-06-15 19:57 --------- d-------- C:\Program Files\Simple Star
    2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 08:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2007-05-08 02:24 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
    2002-09-11 07:26 63730 --a--c--- C:\Program Files\viewsonicinstruct_xp.pdf
    2007-01-09 08:47:18 88 -csh--r C:\WINDOWS\system32\2BCD7CB150.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC9377A2-2E8D-44A1-99DB-F8A821DF254D}]
    2007-04-26 01:56 237568 --a------ C:\WINDOWS\system32\SiPlugins.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 01:12]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 13:30]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44]
    "MSKDetectorExe "= "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 15:49]
    "DLA "= "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20]
    "MSKAGENTEXE "= "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 11:26]
    "BuildBU "= "c:\dell\bldbubg.exe" [2006-04-29 13:33]
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
    "nwiz "= "nwiz.exe" [2005-04-01 16:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 16:16]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-04-29 13:50]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-11 09:19]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2005-05-20 15:46 C:\WINDOWS\KHALMNPR.Exe]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRO Landscape Dashboard "= "C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe" [2005-12-26 21:49]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
    "Simple Star PhotoShow Media Manager "= "C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-07-11 11:07]
    "AdsCleaner "= "C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe" [2007-04-27 06:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    ColorVisionStartup.lnk - C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 10:37:55]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-29 13:47:27]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-12 17:44:18]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= C:\WINDOWS\system32\ieframe.dll [2007-04-25 01:41 6058496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINDOWS\system32\__c00AD0D0.dat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
    R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
    R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
    R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 CO_Mon;CO_Mon;\??\C:\WINDOWS\system32\Drivers\CO_Mon.sys
    S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
    S3 idsvc;Windows CardSpace; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "
    S3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
    S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
    S3 RDID1059;Cakewalk Music Connector 1;C:\WINDOWS\system32\Drivers\rdwm1059.sys
    S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe "


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0428380b-0c8e-11dc-b577-00167650aeca}]
    AutoRun\command- G:\setupSNK.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e44ad7b-6fa6-11db-b4db-00167650aeca}]
    AutoRun\command- F:\LaunchU3.exe -a


    Contents of the 'Scheduled Tasks' folder
    2007-07-15 08:13:42 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
    2007-08-01 08:00:28 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe
    2007-08-08 15:16:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-08 08:50:51
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-08 8:52:32

    --- E O F ---
     
  6. 2007/08/08
    ebsteve

    HiJackThis Log 2

    Logfile of HijackThis v1.99.1
    Scan saved at 8:54:10 AM, on 8/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Tom\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=cdd
    O2 - BHO: AdsCleaner Helper - {40FB69E1-9B7B-453F-B238-37D8E9528929} - C:\Program Files\SoftInform\AdsCleaner Trial\PAKIEPlugins.dll
    O2 - BHO: FormFiller Helper - {C0D5D8B0-D626-4C77-8ED4-CFE4C41BCDA1} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O2 - BHO: Offliner AdFilter Helper - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - C:\WINDOWS\system32\SiPlugins.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
    O3 - Toolbar: AdsCleaner Links Bar - {A8415B7A-F661-4D31-92D7-4398E50483DF} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O3 - Toolbar: AdsCleaner Bar - {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O3 - Toolbar: iNetFormFiller Bar - {B9F7135C-B512-4CC3-9316-FA0044083914} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [PRO Landscape Dashboard] C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe /hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [AdsCleaner] C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe /MIN
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: Add banner url(s) to AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_banner.htm
    O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_collector_sel.htm
    O8 - Extra context menu item: Bookmark all links in AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_all.htm
    O8 - Extra context menu item: Bookmark selected link(s) in AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_sel.htm
    O8 - Extra context menu item: Open all links in new windows - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_open_all.htm
    O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_open_sel.htm
    O8 - Extra context menu item: Say to AdsCleaner Team about banner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_report_ad.htm
    O8 - Extra context menu item: Show domain links - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_domain_links.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: iNetFormFiller Bar - {8B393324-2563-4E7A-B272-859BE0D2BA11} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AdsCleaner Bar - {B5D8F853-BEC9-4F9C-B3C9-0F744B6869D1} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186285809390
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AD0D0.dat
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  7. 2007/08/08
    ebsteve

    gmerLOG 1

    GMER 1.0.13.12551 - http://www.gmer.net
    Rootkit scan 2007-08-08 09:16:11
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.13 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwCreateProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwDeleteValueKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwOpenKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwProtectVirtualMemory
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwRenameKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwSetValueKey
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwTerminateProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwUnmapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys ZwYieldExecution
    Code \SystemRoot\system32\drivers\mfehidk.sys NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.13 ----

    .text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP F30A65BD \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwOpenKey 80567EFB 5 Bytes JMP F30A64EB \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwCreateKey 8056E9A9 5 Bytes JMP F30A64FF \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!NtCreateFile 805710D8 5 Bytes JMP F30A657F \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805733D1 5 Bytes JMP F30A65E9 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!NtMapViewOfSection 8057384C 7 Bytes JMP F30A65D3 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80574595 7 Bytes JMP F30A6593 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwSetValueKey 8057516D 7 Bytes JMP F30A6555 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwTerminateProcess 80584781 5 Bytes JMP F30A656B \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwDeleteValueKey 805936FB 7 Bytes JMP F30A653F \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwDeleteKey 80594D25 7 Bytes JMP F30A6513 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwCreateProcess 805B0199 5 Bytes JMP F30A65A9 \SystemRoot\system32\drivers\mfehidk.sys
    PAGE ntoskrnl.exe!ZwRenameKey 8064D523 7 Bytes JMP F30A6529 \SystemRoot\system32\drivers\mfehidk.sys
    ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.
    ? C:\DOCUME~1\Tom\LOCALS~1\Temp\catchme.sys The system cannot find the file specified.
     
  8. 2007/08/08
    ebsteve

    gmerLOG 2

    ---- User code sections - GMER 1.0.13 ----

    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FB0000
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FB0FB2
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FB0FC3
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FB0091
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FB0076
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FB0FD4
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FB00DD
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FB00CC
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FB0102
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FB0F69
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00FB0F4E
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00FB005B
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00FB001B
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00FB0FA1
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00FB0040
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00FB0FE5
    .text C:\WINDOWS\system32\services.exe[764] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00FB0F7A
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00AD0011
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00AD0F5E
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00AD0000
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00AD0FD4
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00AD0F6F
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00AD0F8A
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00AD0FE5
    .text C:\WINDOWS\system32\services.exe[764] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00AD0F9B
    .text C:\WINDOWS\system32\services.exe[764] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00AA0000
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D9000A
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D90095
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D90084
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW 7C801AF1 3 Bytes JMP 00D90073
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExW + 4 7C801AF5 1 Byte [ 84 ]
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D90FB6
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D90062
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D90F71
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D900B7
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D90F45
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D900DE
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00D90F20
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00D90FDB
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00D9001B
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00D900A6
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00D90047
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00D90036
    .text C:\WINDOWS\system32\lsass.exe[776] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00D90F60
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00D80FC0
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00D80062
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00D8001B
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00D8000A
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00D80FA5
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00D80047
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00D80FE5
    .text C:\WINDOWS\system32\lsass.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00D8002C
    .text C:\WINDOWS\system32\lsass.exe[776] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00CA0000
    .text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00C9000A
    .text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00C90FEF
    .text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00C90FDE
    .text C:\WINDOWS\system32\lsass.exe[776] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00C90FC3
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A70000
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A70F4B
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A70F5C
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A70F83
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A70F9E
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A70FAF
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A70F1F
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A7005B
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A7008C
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A70EF3
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A70ED8
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A70036
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A70FE5
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A70F3A
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A70FCA
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A7001B
    .text C:\WINDOWS\system32\svchost.exe[952] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A70F04
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A60040
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A60080
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A60FEF
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A6001B
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A60FC3
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A60FD4
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A60000
    .text C:\WINDOWS\system32\svchost.exe[952] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A6005B
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00A30FEF
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00A3000A
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00A30FCA
    .text C:\WINDOWS\system32\svchost.exe[952] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00A30025
    .text C:\WINDOWS\system32\svchost.exe[952] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00A40000
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BF0000
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BF0FB6
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BF0FD1
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BF009F
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BF008E
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BF0058
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BF00EB
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BF0FA5
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BF0F6D
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BF0106
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00BF012B
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00BF0069
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00BF001B
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00BF00C6
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00BF003D
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00BF002C
    .text C:\WINDOWS\system32\svchost.exe[1032] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00BF0F88
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BE0FCA
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BE0F83
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BE001B
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BE0040
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BE0F9E
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BE0FAF
    .text C:\WINDOWS\system32\svchost.exe[1032] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00BB0FE5
    .text C:\WINDOWS\system32\svchost.exe[1032] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00BB0000
    .text C:\WINDOWS\system32\svchost.exe[1032] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00BB0FC0
    .text C:\WINDOWS\system32\svchost.exe[1032] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00BB0011
    .text C:\WINDOWS\system32\svchost.exe[1032] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00BC0FE5
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 017D0FEF
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 017D00A7
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 017D008C
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 017D0FB2
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 017D0FC3
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 017D004A
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 017D00B8
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 017D0F7C
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 017D00E4
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 017D0F4B
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 017D0F26
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 017D005B
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 017D0FDE
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 017D0F8D
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 017D002F
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 017D0014
    .text C:\WINDOWS\System32\svchost.exe[1172] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 017D00D3
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01500025
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01500073
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01500FD4
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0150000A
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01500062
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 01500047
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01500FE5
    .text C:\WINDOWS\System32\svchost.exe[1172] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 01500036
    .text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00F50000
    .text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00F50FE5
    .text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00F50011
    .text C:\WINDOWS\System32\svchost.exe[1172] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00F50FC0
    .text C:\WINDOWS\System32\svchost.exe[1172] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009D0000
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009D0F8D
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009D0078
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009D0F9E
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009D0FAF
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009D0FE5
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009D00CE
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009D00A7
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009D0F50
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009D00E9
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 009D0F2B
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 009D0FC0
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 009D001B
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 009D0F7C
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 009D0047
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 009D002C
    .text C:\WINDOWS\system32\svchost.exe[1228] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 009D0F6B
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 009C0025
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 009C0F8A
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 009C000A
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 009C0FDE
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 009C0FA5
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 009C0051
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 009C0FEF
    .text C:\WINDOWS\system32\svchost.exe[1228] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 009C0040
    .text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00900000
    .text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00900FDB
    .text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00900FC0
    .text C:\WINDOWS\system32\svchost.exe[1228] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00900011
    .text C:\WINDOWS\system32\svchost.exe[1228] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009A0000
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A4000A
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A40F6B
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A40F7C
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A40056
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A40039
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A40FB2
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A40F33
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A4007B
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A400CC
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A400B1
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00A40F18
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00A40F97
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00A40FEF
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00A40F50
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00A40FC3
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 00A40FD4
    .text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00A400A0
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 0095002F
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00950F9E
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0095000A
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00950FD4
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00950FB9
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0095005B
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00950FEF
    .text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00950040
    .text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00920FEF
    .text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00920FD4
    .text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 0092000A
    .text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00920025
    .text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00930000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00260000
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00260F6D
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00260F88
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00260F99
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00260062
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00260FC0
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00260F35
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0026007D
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00260F1A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 002600B3
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 00260F09
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 00260047
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 00260011
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 00260F52
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 00260FDB
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 0026002C
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 00260098
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00340FB9
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00340F8A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00340FCA
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 0034000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00340047
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00340036
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00340FEF
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0034001B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F2A1 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A0277 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A01F8 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A023C C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A0184 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A01BE C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A02B2 C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F3164E C:\WINDOWS\system32\IEFRAME.dll
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00370FEF
  9. 2007/08/08
    ebsteve Inactive Thread Starter

    gmerLOG 3

    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 0037000A
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 0037001B
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00370FD4
    .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1352] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00390FEF
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F68
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0F79
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A005D
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0F94
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0036
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A009A
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0089
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00BF
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F26
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A0F0B
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0FAF
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0011
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A0078
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A0FCA
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0FE5
    .text C:\WINDOWS\system32\svchost.exe[2400] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A0F37
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00280FCD
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00280F7C
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 0028001E
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00280FDE
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00280F97
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00280FB2
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00280FEF
    .text C:\WINDOWS\system32\svchost.exe[2400] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00280039
    .text C:\WINDOWS\system32\svchost.exe[2400] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 00370FEF
    .text C:\WINDOWS\system32\svchost.exe[2400] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 00370014
    .text C:\WINDOWS\system32\svchost.exe[2400] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 00370FDE
    .text C:\WINDOWS\system32\svchost.exe[2400] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 00370FC3
    .text C:\WINDOWS\system32\svchost.exe[2400] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00390FEF
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0097
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0086
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0069
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A0FAC
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0047
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A0F59
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A0F76
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A0F1C
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A0F2D
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001A0F0B
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001A0058
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001A0011
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001A0F91
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001A002C
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001A0FDB
    .text C:\WINDOWS\explorer.exe[3200] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001A0F3E
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00290FA5
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00290040
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00290FCA
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00290000
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00290025
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00290F83
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00290FEF
    .text C:\WINDOWS\explorer.exe[3200] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00290F94
    .text C:\WINDOWS\explorer.exe[3200] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 002B0000
    .text C:\WINDOWS\explorer.exe[3200] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 002B0FE5
    .text C:\WINDOWS\explorer.exe[3200] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 002B0011
    .text C:\WINDOWS\explorer.exe[3200] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 002B0FCA
    .text C:\WINDOWS\explorer.exe[3200] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 003B0FEF
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001B0000
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001B0086
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001B0F9B
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001B0FAC
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001B0069
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001B004E
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001B0F59
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001B00AB
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001B00F2
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001B00CD
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!GetProcAddress 7C80ADA0 5 Bytes JMP 001B0103
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!LoadLibraryW 7C80AE4B 5 Bytes JMP 001B0FC7
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!CreateFileW 7C810760 5 Bytes JMP 001B001B
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!CreatePipe 7C81E0C7 5 Bytes JMP 001B0F80
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!CreateNamedPipeW 7C82F0D4 5 Bytes JMP 001B003D
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!CreateNamedPipeA 7C85FC74 5 Bytes JMP 001B002C
    .text C:\Program Files\Messenger\msmsgs.exe[3324] kernel32.dll!WinExec 7C86136D 5 Bytes JMP 001B00BC
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 002A0FAF
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 002A0F57
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 002A0FCA
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 002A0FE5
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 002A0F72
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 002A0F83
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 002A0000
    .text C:\Program Files\Messenger\msmsgs.exe[3324] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 002A0F94
    .text C:\Program Files\Messenger\msmsgs.exe[3324] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 002B0FEF
    .text C:\Program Files\Messenger\msmsgs.exe[3324] WININET.dll!InternetOpenA 42C2C869 5 Bytes JMP 002C0000
    .text C:\Program Files\Messenger\msmsgs.exe[3324] WININET.dll!InternetOpenW 42C2CEA1 5 Bytes JMP 002C0011
    .text C:\Program Files\Messenger\msmsgs.exe[3324] WININET.dll!InternetOpenUrlA 42C306DD 5 Bytes JMP 002C0022
    .text C:\Program Files\Messenger\msmsgs.exe[3324] WININET.dll!InternetOpenUrlW 42C7A8B1 5 Bytes JMP 002C0033
  10. 2007/08/08
    ebsteve Inactive Thread Starter

    gmerLOG 4

    ---- Devices - GMER 1.0.13 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F30A7E01] mfehidk.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_NAMED_PIPE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLOSE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DIRECTORY_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FILE_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_LOCK_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE_MAILSLOT [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CHANGE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_QUERY_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SET_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_NAMED_PIPE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLOSE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_READ [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_WRITE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FLUSH_BUFFERS [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DIRECTORY_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_FILE_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_INTERNAL_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SHUTDOWN [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_LOCK_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CLEANUP [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE_MAILSLOT [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_POWER [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_DEVICE_CHANGE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_QUERY_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_SET_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_NAMED_PIPE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLOSE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_READ [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_WRITE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FLUSH_BUFFERS [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DIRECTORY_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_FILE_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SHUTDOWN [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_LOCK_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CLEANUP [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_CREATE_MAILSLOT [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_POWER [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_DEVICE_CHANGE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_QUERY_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 IRP_MJ_SET_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE_NAMED_PIPE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLOSE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_READ [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_WRITE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_EA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FLUSH_BUFFERS [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DIRECTORY_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_FILE_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_INTERNAL_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SHUTDOWN [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_LOCK_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CLEANUP [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_CREATE_MAILSLOT [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_POWER [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_DEVICE_CHANGE [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_QUERY_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 IRP_MJ_SET_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F64A110E] Mpfp.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F64A110E] Mpfp.sys
     
  11. 2007/08/08
    ebsteve

    ebsteve Inactive Thread Starter

    Joined:
    2007/08/06
    Messages:
    16
    Likes Received:
    0
    gmerLOG 5

    Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F1A21C8A
    Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE F1A1E7C8
    Device \FileSystem\Fastfat \Fat IRP_MJ_READ F1A1A60A
    Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE F1A1AAED
    Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION F1A25958
    Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION F1A28821
    Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA F1A3138A
    Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA F1A30D49
    Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS F1A2ABBE
    Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION F1A2B331
    Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION F1A394F4
    Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL F1A21B37
    Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL F1A1D948
    Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL F1A2746B
    Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN F1A3879D
    Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL F1A37C4A
    Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP F1A1E2FD
    Device \FileSystem\Fastfat \Fat IRP_MJ_PNP F1A381DB
    Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F1A331F9

    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F844A3D4] SymSnap.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F30A7E01] mfehidk.sys
    AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F30A7E01] mfehidk.sys

    Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F42BB912] DLAIFS_M.SYS

    ---- EOF - GMER 1.0.13 ----
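The GMER listing above prints one line per device and IRP major function, which buries the useful signal: which filter drivers sit on the NTFS, FAT and TCP/IP stacks, and which dispatch entries GMER could not attribute to a module. The following Python reducer is an added example (not part of the thread and not GMER's own code) that groups such lines by device and attached module; SAMPLE_LOG is constructed from a few lines of the posts above, and the `expected` set is an assumption standing for whatever filter drivers the reviewer knows are installed on the machine.

```python
"""Reduce a GMER device-hook listing to a per-device summary for triage."""
import re
from collections import defaultdict

# "AttachedDevice <driver> <device> <IRP_MJ_x> [<addr>] <module>": a filter driver
# layered on top of the device object. Shape taken from the gmerLOG lines above.
ATTACHED_RE = re.compile(
    r"^\s*AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>\S+)"
    r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$"
)

# "Device <driver> <device> <entry> <addr>" or "... [<addr>] <module>": the device's
# own dispatch entry. When only an address is printed, GMER named no owning module.
DEVICE_RE = re.compile(
    r"^\s*Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irp>\S+)\s+"
    r"(?:\[(?P<addr_m>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<addr>[0-9A-Fa-f]+))\s*$"
)

# Constructed sample: a handful of lines copied from the gmerLOG posts above.
SAMPLE_LOG = r"""
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F1A21C8A
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F1A331F9

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F844A3D4] SymSnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F844A3D4] SymSnap.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F30A7E01] mfehidk.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F64A110E] Mpfp.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F64A110E] Mpfp.sys

Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F42BB912] DLAIFS_M.SYS

---- EOF - GMER 1.0.13 ----
"""


def parse_gmer(text):
    """Return one dict per recognised line; headers, blanks and the EOF marker are skipped."""
    records = []
    for line in text.splitlines():
        m = ATTACHED_RE.match(line)
        if m:
            records.append({"kind": "attached", "driver": m["driver"],
                            "device": m["device"], "irp": m["irp"],
                            "addr": m["addr"].upper(), "module": m["module"]})
            continue
        m = DEVICE_RE.match(line)
        if m:
            records.append({"kind": "device", "driver": m["driver"],
                            "device": m["device"], "irp": m["irp"],
                            "addr": (m["addr_m"] or m["addr"]).upper(),
                            "module": m["module"]})  # None when GMER named no module
    return records


def attached_modules(records):
    """Map device -> {module: number of dispatch entries that module filters}."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["kind"] == "attached":
            summary[r["device"]][r["module"]] += 1
    return {dev: dict(mods) for dev, mods in summary.items()}


def unattributed_entries(records):
    """Dispatch entries printed with an address but no module name, in log order."""
    return [r for r in records if r["kind"] == "device" and r["module"] is None]


def unexpected_modules(records, expected):
    """Attached modules not in the caller's expected set, mapped to the devices they filter.

    `expected` holds the file names of filter drivers the reviewer knows belong to
    software installed on the machine (assumed input); matching is case-insensitive.
    """
    known = {name.lower() for name in expected}
    found = defaultdict(set)
    for r in records:
        if r["kind"] == "attached" and r["module"].lower() not in known:
            found[r["module"]].add(r["device"])
    return {mod: sorted(devs) for mod, devs in found.items()}


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_LOG)
    for device, mods in sorted(attached_modules(recs).items()):
        print(device, dict(sorted(mods.items())))
    for r in unattributed_entries(recs):
        print("unattributed:", r["device"], r["irp"], r["addr"])
    # Assumed expected set: the two products the reviewer believes are installed.
    print("not expected:", unexpected_modules(recs, {"SymSnap.sys", "mfehidk.sys"}))
```

Run against the full gmerLOG text, the summary collapses the several hundred lines above into one entry per device stack, so anything filtering \Ntfs or \Device\Tcp that is not a product the owner installed stands out immediately.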
     
  12. 2007/08/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, create a new folder on your desktop named HJT, then move HijackThis.exe into the folder and run it from there. Scan again with HijackThis and place a check next to the following entry. Close all other windows and click Fix Checked.

    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AD0D0.dat

    Close HijackThis.

    Click Start>Run, type cmd then hit enter to open a command window. Copy the following command and paste it into the window, then hit enter.

    attrib -r -h -s C:\WINDOWS\system32\50B17CCD2B.sys

    then do this one

    attrib -r -h -s C:\WINDOWS\system32\2BCD7CB150.sys

    Close the command window.

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\__c00FECE8.dat
    C:\WINDOWS\system32\__c00AD0D0.dat
    
    Look::
    C:\WINDOWS\system32\50B17CCD2B.sys
    C:\WINDOWS\system32\2BCD7CB150.sys
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0428380b-0c8e-11dc-b577-00167650aeca}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e44ad7b-6fa6-11db-b4db-00167650aeca}]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a new HijackThis log.

    Please upload the following files to my submission channel. Leave a link back to this topic.

    C:\WINDOWS\system32\50B17CCD2B.sys
    C:\WINDOWS\system32\2BCD7CB150.sys

    Thanks!
     
  13. 2007/08/09
    ebsteve

    ebsteve Inactive Thread Starter

    Joined:
    2007/08/06
    Messages:
    16
    Likes Received:
    0
    Files uploaded -- Can't stop the Pop-Ups

    The files are uploaded

    log.txt
    hijackthis.log3.txt

    I hope I did this right for you -- I sure don't want to confuse you or make things difficult. I've never done this "link back to file" part.
     
  14. 2007/08/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You uploaded the ComboFix log and HijackThis log rather than the two files listed above.

    Please go back to my submission channel, click browse then navigate to and select the following file.

    C:\WINDOWS\system32\50B17CCD2B.sys

    While viewing this post, copy the address from your browser, then paste it into the 'Link to topic where this file was requested:' field. Then click send file.
    Do this file next.

    C:\WINDOWS\system32\2BCD7CB150.sys


    I'm posting your ComboFix and HijackThis log here. I have some errands and will be back later. :)


    ComboFix 07-08-04.3 - "Tom" 2007-08-08 22:10:16.2 [GMT -7:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
    Command switches used :: C:\Documents and Settings\Tom\Desktop\CFScript.txt
    * Created a new restore point


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\__c00AD0D0.dat
    C:\WINDOWS\system32\__c00FECE8.dat


    ((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


    2007-08-08 08:39 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-07 16:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-08-07 16:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-08-06 20:53 <DIR> d-------- C:\Deckard
    2007-08-06 08:53 <DIR> d-------- C:\WINDOWS\system32\Panda Software
    2007-08-06 08:42 <DIR> d-------- C:\Program Files\Panda Security
    2007-08-05 21:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-08-05 21:08 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\McAfee
    2007-08-05 17:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2007-08-05 11:24 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
    2007-08-05 09:30 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\SoftInform
    2007-08-05 03:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-08-05 02:40 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-08-04 08:43 <DIR> d-------- C:\Program Files\iNetFormFiller Trial
    2007-08-04 08:43 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\iNetFormFiller
    2007-08-04 08:40 <DIR> d-------- C:\Program Files\SoftInform
    2007-08-04 08:40 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\AdsCleaner
    2007-08-03 15:48 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
    2007-08-02 07:55 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-08-02 07:52 <DIR> d-------- C:\Program Files\MSBuild
    2007-08-02 07:37 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-08-02 07:35 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-08-02 06:58 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-08-02 06:56 <DIR> d-------- C:\cf1edb0b461f19f11d10c88bd3211a95
    2007-08-02 06:53 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2007-08-02 06:45 <DIR> d-------- C:\WINDOWS\system32\LogFiles
    2007-08-02 06:45 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2007-08-02 01:14 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
    2007-08-02 01:14 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
    2007-08-02 01:14 116,736 --------- C:\WINDOWS\system32\aaclient.dll
    2007-08-02 00:32 <DIR> d-------- C:\Program Files\Windows Defender
    2007-08-02 00:04 <DIR> d-------- C:\Program Files\RegistryFix
    2007-08-01 20:37 1,152 --a------ C:\WINDOWS\system32\windrv.sys
    2007-08-01 20:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2007-08-01 12:04 <DIR> d-------- C:\DOCUME~1\Tom\.housecall6.6
    2007-07-19 07:36 <DIR> d-------- C:\DOCUME~1\Tom\APPLIC~1\Google
    2007-07-19 07:27 <DIR> d-------- C:\Program Files\Google
    2007-07-19 07:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-07 11:23 --------- d-------- C:\DOCUME~1\Tom\APPLIC~1\Simple Star
    2007-08-06 23:02 --------- d-------- C:\Program Files\OFFICE11
    2007-08-03 09:45 --------- d-------- C:\Program Files\XoftSpy
    2007-08-01 07:45 --------- d-------- C:\Program Files\McAfee
    2007-07-01 13:52 6686 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-07-01 13:52 104 --------- C:\WINDOWS\system32\50B17CCD2B.sys
    2007-06-30 08:49 --------- d-------- C:\DOCUME~1\Tom\APPLIC~1\Comcast
    2007-06-15 20:37 --------- d-------- C:\Program Files\Common Files\Simple Star Shared
    2007-06-15 19:57 --------- d-------- C:\Program Files\Simple Star
    2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 08:12 85504 --a------ C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2002-09-11 07:26 63730 --a--c--- C:\Program Files\viewsonicinstruct_xp.pdf


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC9377A2-2E8D-44A1-99DB-F8A821DF254D}]
    2007-04-26 01:56 237568 --a------ C:\WINDOWS\system32\SiPlugins.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 17:42]
    "DMXLauncher "= "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 01:12]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 13:30]
    "ISUSPM Startup "= "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44]
    "ISUSScheduler "= "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44]
    "MSKDetectorExe "= "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" [2006-11-07 15:49]
    "DLA "= "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 03:20]
    "MSKAGENTEXE "= "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 11:26]
    "BuildBU "= "c:\dell\bldbubg.exe" [2006-04-29 13:33]
    "Adobe Photo Downloader "= "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
    "nwiz "= "nwiz.exe" [2005-04-01 16:16 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2005-04-01 16:16]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-04-29 13:50]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-11 09:19]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2005-05-20 15:46 C:\WINDOWS\KHALMNPR.Exe]
    "Windows Defender "= "C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PRO Landscape Dashboard "= "C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe" [2005-12-26 21:49]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
    "Simple Star PhotoShow Media Manager "= "C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-07-11 11:07]
    "AdsCleaner "= "C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe" [2007-04-27 06:09]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    ColorVisionStartup.lnk - C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe [2004-12-21 10:37:55]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-29 13:47:27]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-12-12 17:44:18]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= C:\WINDOWS\system32\ieframe.dll [2007-04-25 01:41 6058496]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINDOWS\system32\__c00AD0D0.dat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=" "

    R1 MPFP;MPFP;C:\WINDOWS\system32\Drivers\Mpfp.sys
    R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
    R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    R3 LHidKe;Logitech SetPoint HID Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
    R3 LMouKE;Logitech SetPoint Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
    R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
    S3 CO_Mon;CO_Mon;\??\C:\WINDOWS\system32\Drivers\CO_Mon.sys
    S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
    S3 idsvc;Windows CardSpace; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe "
    S3 L8042Kbd;Logitech SetPoint Keyboard Driver;C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
    S3 L8042mou;Logitech SetPoint PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
    S3 RDID1059;Cakewalk Music Connector 1;C:\WINDOWS\system32\Drivers\rdwm1059.sys
    S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys
    S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe "


    Contents of the 'Scheduled Tasks' folder
    2007-07-15 08:13:42 C:\WINDOWS\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe
    2007-08-01 08:00:28 C:\WINDOWS\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe
    2007-08-09 05:19:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-08 22:16:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-08-08 22:21:33 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-08 22:20
    C:\ComboFix2.txt ... 2007-08-08 08:52

    --- E O F ---


    Logfile of HijackThis v1.99.1
    Scan saved at 10:26:36 PM, on 8/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Documents and Settings\Tom\Desktop\HJT\Tom.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=cdd
    O2 - BHO: AdsCleaner Helper - {40FB69E1-9B7B-453F-B238-37D8E9528929} - C:\Program Files\SoftInform\AdsCleaner Trial\PAKIEPlugins.dll
    O2 - BHO: FormFiller Helper - {C0D5D8B0-D626-4C77-8ED4-CFE4C41BCDA1} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O2 - BHO: Offliner AdFilter Helper - {DC9377A2-2E8D-44A1-99DB-F8A821DF254D} - C:\WINDOWS\system32\SiPlugins.dll
    O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
    O3 - Toolbar: AdsCleaner Links Bar - {A8415B7A-F661-4D31-92D7-4398E50483DF} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O3 - Toolbar: AdsCleaner Bar - {75CD0BC5-E317-449C-9FF6-4986B3D48F64} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O3 - Toolbar: iNetFormFiller Bar - {B9F7135C-B512-4CC3-9316-FA0044083914} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKCU\..\Run: [PRO Landscape Dashboard] C:\Program Files\Drafix\PRO Landscape\PRO Landscape Dashboard.exe /hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [AdsCleaner] C:\Program Files\SoftInform\AdsCleaner Trial\AdsCleaner.exe /MIN
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\PANTONE COLORVISION\Startup\ColorVisionStartup.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: Add banner url(s) to AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_banner.htm
    O8 - Extra context menu item: Add selected links to Link Container - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_collector_sel.htm
    O8 - Extra context menu item: Bookmark all links in AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_all.htm
    O8 - Extra context menu item: Bookmark selected link(s) in AdsCleaner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_sel.htm
    O8 - Extra context menu item: Open all links in new windows - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_open_all.htm
    O8 - Extra context menu item: Open selected link(s) in new windows - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_open_sel.htm
    O8 - Extra context menu item: Say to AdsCleaner Team about banner - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_report_ad.htm
    O8 - Extra context menu item: Show domain links - C:\Program Files\SoftInform\AdsCleaner Trial\System\Scripts\off_domain_links.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
    O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
    O9 - Extra button: iNetFormFiller Bar - {8B393324-2563-4E7A-B272-859BE0D2BA11} - C:\PROGRA~1\INETFO~1\FORMFI~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AdsCleaner Bar - {B5D8F853-BEC9-4F9C-B3C9-0F744B6869D1} - C:\PROGRA~1\SOFTIN~1\ADSCLE~1\PAKIEGUI.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1186285809390
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AD0D0.dat
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  15. 2007/08/09
    ebsteve

    ebsteve Inactive Thread Starter

    Joined:
    2007/08/06
    Messages:
    16
    Likes Received:
    0
    Upload to channel

    files submitted... although done in reverse order.... I apologize -- I'm playing middle man on this one...
    Too many thumbs in the pie --- so to speak.

    Thanks again...
     
  16. 2007/08/09
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks for the files! :)

    Scan again with HijackThis. Place a check next to the following entries.

    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AD0D0.dat
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

    Close all other windows and click Fix Checked.
    Close HijackThis.

    Open CFScript.txt on your desktop. Delete everything in it, then copy the contents of the quote box below and paste it into CFScript.txt. Close and save the changes.

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log, along with a fresh HijackThis log.
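    The two O20 entries being fixed above are HijackThis's view of the AppInit_DLLs value (a DLL path loaded into every process that links user32.dll) and the Winlogon Notify handlers. As an added example for this thread, not code from HijackThis or ComboFix, the Python below parses O20 lines from a HijackThis 1.99.1 log and flags the ones a responder would verify on disk first; the heuristics and the sample lines are this example's own assumptions, and a hit is a prompt to check the file, not a verdict.

```python
"""Triage of HijackThis O20 entries: AppInit_DLLs and Winlogon Notify.

Added example for this thread; not HijackThis or ComboFix code. The
heuristics below are the example's own assumptions about what a responder
should look at first, not rules from either tool.
"""
import re
from dataclasses import dataclass, field
from typing import List

# The two O20 line shapes produced by HijackThis 1.99.1.
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$")
WINLOGON_RE = re.compile(
    r"^O20 - Winlogon Notify:\s*(?P<name>.+?)\s+-\s+(?P<path>.*)$"
)
# Names like __c00AD0D0.dat: "__c0" plus six hex digits and a .dat extension.
RANDOM_DAT_RE = re.compile(r"^__c0[0-9a-f]{6}\.dat$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage_o20(log_text: str) -> List[Finding]:
    """Return one Finding per O20 line that needs a closer look.

    - AppInit_DLLs is empty on a default XP install, so any value is
      reported; a non-.dll extension or a __c0xxxxxx.dat name is called out.
    - A Winlogon Notify handler whose path is a bare directory (trailing
      backslash) or has no file name cannot be the DLL Windows would load.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            value = m.group("value").strip()
            if not value:
                continue  # unset: nothing is injected into every process
            reasons = ["AppInit_DLLs is set (empty on a default install)"]
            # The value may list several DLLs separated by commas or spaces.
            for dll in value.replace(",", " ").split():
                name = _basename(dll)
                if not name.lower().endswith(".dll"):
                    reasons.append(f"non-.dll extension: {name}")
                if RANDOM_DAT_RE.match(name):
                    reasons.append(f"randomised __c0 name: {name}")
            findings.append(Finding(line, reasons))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            path = m.group("path").strip()
            if not path or path.endswith("\\") or "." not in _basename(path):
                findings.append(Finding(line, [
                    f"Winlogon Notify '{m.group('name')}' names no DLL file: "
                    f"{path or '(empty)'}"
                ]))
    return findings


# Constructed sample: the three O20 lines from the HijackThis log in this thread.
SAMPLE_LOG = """\
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\__c00AD0D0.dat
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\
"""

if __name__ == "__main__":
    for f in triage_o20(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

The igfxcui handler is left alone because it names a real DLL under system32; the other two lines come back with the reason they were flagged, which is what you would then confirm against the file on disk before fixing.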
     
  17. 2007/08/10
    ebsteve

    ebsteve Inactive Thread Starter

    Joined:
    2007/08/06
    Messages:
    16
    Likes Received:
    0
    Update

    Our end user is gone for the weekend.. here is his last email to me...
    We'll have to pick this up on Monday.

    I'm going through his instructions and got stuck:
    After running Hijackthis I located the two files mentioned in the instructions and I clicked on "Fix Checked". It then asked me if I wanted to delete - I deleted (even though "delete" was not in the instructions).

    Moving on, I can't seem to find CFScript.txt on my desktop, nor when I search files and folders

    This is where I am now stuck ....
     
  18. 2007/08/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Monday it is then. :)

    He can always create a new CFScript. ;)
     
  19. 2007/08/14
    ebsteve

    ebsteve Inactive Thread Starter

    Joined:
    2007/08/06
    Messages:
    16
    Likes Received:
    0
    He's back

    Steve,

    I'm forwarding the e-mail from last Friday (below)... unless Dave's
    instructions haven't changed since then, I'm still stuck. For instance, I
    can't locate the file "CFScript.txt" even when I do a search of my computer.

    What should I do?
     
  20. 2007/08/16
    ebsteve

    ebsteve Inactive Thread Starter

    Joined:
    2007/08/06
    Messages:
    16
    Likes Received:
    0
    Checking In

    Noahdfear,

    If there is something else we can do for you, let us know...

    The Pop-Ups have completely stopped and the end client is very happy...

    Many Thanks...

    ebsteve:)
     
  21. 2007/08/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log, along with a fresh HijackThis log.
     
