Solved java hogging cpu

Discussion in 'Malware and Virus Removal Archive' started by DugE, 2009/05/28.

  1. 2009/05/28
    DugE Well-Known Member Thread Starter

    [Resolved] java hogging cpu

    Hi all. I was referred to post here by broni from this thread:

    http://www.windowsbbs.com/other-software/84418-java-question.html

    Please read this post first.


    Here are my dds logs:

    DDS (Ver_09-05-14.01) - NTFSx86
    Run by Owner at 13:12:51.59 on Thu 05/28/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.13 [GMT -4:00]

    AV: avast! antivirus 4.8.1335 [VPS 090527-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = https://pbells.broadjump.com/wizlet/iw60/launch.htm
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
    EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [PS2] c:\windows\system32\ps2.exe
    mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
    mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228958232656
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxsrvc.dll
    AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\obnsslyn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\gobit games\browserplugin\npgobitgamesplugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-17 114768]
    R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-5-17 704384]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
    R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2009-5-17 1195008]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-17 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-17 138680]
    R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-5-17 31128]
    R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-5-17 257432]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-17 254040]
    R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-17 352920]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]

    =============== Created Last 30 ================

    2009-05-28 12:08 <DIR> --d----- c:\program files\CCleaner
    2009-05-27 21:02 69,632 a------- c:\windows\system32\javacpl.cpl
    2009-05-27 11:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-05-27 11:06 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-05-27 11:06 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
    2009-05-27 11:05 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-05-24 16:28 <DIR> --d----- c:\docume~1\owner\applic~1\WIPE
    2009-05-24 16:27 76,288 a------- c:\windows\system32\taskkill.exe
    2009-05-24 16:27 <DIR> --d----- c:\program files\Wipe
    2009-05-24 16:22 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
    2009-05-24 16:12 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
    2009-05-24 14:46 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
    2009-05-24 14:42 <DIR> --d----- c:\windows\ie8updates
    2009-05-24 14:41 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-05-24 14:40 <DIR> -cd-h--- c:\windows\ie8
    2009-05-17 18:49 219,136 a------- c:\windows\sqlite3_engine.dll
    2009-05-17 18:49 139,776 a------- c:\windows\system32\dhSQLite.dll
    2009-05-17 18:04 1,060,864 a------- c:\windows\system32\MFC71.dll
    2009-05-17 18:04 499,712 a------- c:\windows\system32\MSVCP71.dll
    2009-05-17 18:04 348,160 a------- c:\windows\system32\MSVCR71.dll
    2009-05-17 16:37 704,384 a------- c:\windows\system32\drivers\SandBox.sys
    2009-05-17 16:37 257,432 a------- c:\windows\system32\drivers\afwcore.sys
    2009-05-17 16:35 49 a------- c:\windows\transp.gif
    2009-05-17 16:35 31,128 a------- c:\windows\system32\drivers\afw.sys
    2009-05-17 16:35 <DIR> --d----- c:\program files\Agnitum
    2009-05-17 16:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
    2009-05-17 16:10 272 a------- c:\windows\system32\drivers\sfi.dat
    2009-05-05 20:07 <DIR> --d----- c:\program files\IObit

    ==================== Find3M ====================

    2009-05-28 12:49 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
    2009-05-27 11:47 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
    2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
    2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
    2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
    2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
    2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
    2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
    2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
    2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
    2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
    2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
    2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
    2004-01-17 14:14 0 a--sh--- c:\windows\sminst\HPCD.SYS

    ============= FINISH: 13:14:03.28 ===============



    If you need any more info just ask.
     
    DugE,
    #1
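A small triage helper for the DDS "Pseudo HJT Report" layout shown in the log above, added here as an example; it is not part of this thread or of DDS itself. It parses the load-point lines (uRun/mRun, BHO, TB, EB, Notify, AppInit_DLLs, SSODL, SEH, DPF, IE), extracts the file each one loads, and flags what an analyst looks at first: orphaned entries ("No File" or a missing path), entries loading from user-writable locations, and high-impact load points such as AppInit_DLLs and Winlogon Notify. The sample input is constructed from lines in the log plus one made-up "updater" Run key (a placeholder, not a finding from this machine); the flag names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input in the DDS "Pseudo HJT Report" layout. All lines but the
# last follow entries from the log in this thread; the final "updater" entry is a
# made-up placeholder so that the user-writable-path flag has something to hit.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
Notify: igfxcui - igfxsrvc.dll
uRun: [updater] c:\docume~1\owner\locals~1\temp\xkqzr.exe
"""

# Load-point kinds DDS prints in this section; anything else (start pages,
# Firefox prefs, service/driver lines) is skipped.
KINDS = {"uRun", "mRun", "BHO", "TB", "EB", "Notify", "AppInit_DLLs",
         "SSODL", "SEH", "DPF", "IE"}
# Load points where a module ends up in every process or inside winlogon/explorer.
HIGH_IMPACT = {"AppInit_DLLs", "Notify", "SSODL", "SEH"}

LINE_RE = re.compile(r"^(?P<kind>[A-Za-z_]+):\s*(?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
# Locations an unprivileged user (or a drive-by download) can write to; a
# legitimately installed program rarely persists from here.
USER_WRITABLE = re.compile(
    r"(docume~1|documents and settings|\\temp\\|\\appdata\\|local settings|\\desktop\\)",
    re.IGNORECASE)


@dataclass
class Entry:
    kind: str
    name: str
    target: str              # file (or URL for DPF) the load point points at
    flags: list = field(default_factory=list)


def split_target(rest: str):
    """Return (name, target) for the part of a line after 'kind:'."""
    m = RUN_RE.match(rest)
    if m:                    # uRun/mRun: [name] "path" /switches  or  path /switches
        cmd = m.group("cmd").strip()
        if cmd.startswith('"'):
            target = cmd[1:].split('"', 1)[0]
        else:
            target = cmd.split(" /", 1)[0]
        return m.group("name"), target.strip()
    if rest.endswith(" -"):  # "Name: {clsid} -" with the file part missing
        return rest[:-2].strip(), ""
    if " - " in rest:        # "Name: {clsid} - path", "{clsid} - path", "name - dll"
        head, target = rest.rsplit(" - ", 1)
        return head.strip(), target.strip()
    return "", rest.strip()  # AppInit_DLLs: path


def triage(text: str):
    """Parse the Pseudo HJT section and attach review flags to each entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("kind") not in KINDS:
            continue
        kind = m.group("kind")
        name, target = split_target(m.group("rest"))
        e = Entry(kind, name, target)
        if not target or target.lower() == "no file":
            e.flags.append("orphaned")          # dead entry: leftover or removed file
        elif USER_WRITABLE.search(target):
            e.flags.append("user-writable-path")
        if kind in HIGH_IMPACT:
            e.flags.append("high-impact-load-point")
        entries.append(e)
    return entries


def suspicious(entries):
    """Entries worth a human look, in log order."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE)):
        print(f"{e.kind:13} {e.name or '-':45} {e.target or '-':50} {', '.join(e.flags)}")
```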
  2. 2009/05/28
    broni Moderator Malware Analyst

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart the computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Under Configuration and Preferences, click the Preferences button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Scan for tracking cookies.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * Back on the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
    NOTE: Tracking cookies may be omitted from the log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double-click the downloaded .exe file, select the Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install and run it.
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     

  4. 2009/05/29
    DugE Well-Known Member Thread Starter

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/29/2009 at 08:36 AM

    Application Version : 4.26.1004

    Core Rules Database Version : 3915
    Trace Rules Database Version: 1859

    Scan type : Complete Scan
    Total Scan Time : 00:21:20

    Memory items scanned : 213
    Memory threats detected : 0
    Registry items scanned : 4348
    Registry threats detected : 0
    File items scanned : 10880
    File threats detected : 0


    ===================================================

    Malwarebytes' Anti-Malware 1.37
    Database version: 2192
    Windows 5.1.2600 Service Pack 3

    5/29/2009 9:17:52 AM
    mbam-log-2009-05-29 (09-17-52).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 106031
    Time elapsed: 21 minute(s), 57 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    ====================================================

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-05-29 10:06:49
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwAssignProcessToJobObject [0xAFCF6A60]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAFBD46B8]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwConnectPort [0xAFCF8920]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateFile [0xAFCD7F60]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAFBD4574]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcess [0xAFCEF2B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateProcessEx [0xAFCEFBB0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSection [0xAFCD6D10]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateSymbolicLinkObject [0xAFCE2E40]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwCreateThread [0xAFCEDD70]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDebugActiveProcess [0xAFCFBF30]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteFile [0xAFCE1B20]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwDeleteKey [0xAFCE4900]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAFBD4A52]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAFBD414C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwLoadDriver [0xAFCECBB0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwMakeTemporaryObject [0xAFCE26B0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenFile [0xAFCDAC10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAFBD464E]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAFBD408C]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwOpenSection [0xAFCD7580]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAFBD40F0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwProtectVirtualMemory [0xAFCF7DA0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xAFCDC8A0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryKey [0xAFCE6750]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAFBD476E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueueApcThread [0xAFCF5ED0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRenameKey [0xAFCEA590]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwReplaceKey [0xAFCE8500]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestPort [0xAFCFAA50]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwRequestWaitReplyPort [0xAFCFAD70]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAFBD472E]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKey [0xAFCE8C80]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSaveKeyEx [0xAFCE94D0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSecureConnectPort [0xAFCF9480]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetContextThread [0xAFCF5440]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationDebugObject [0xAFCFC520]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetInformationFile [0xAFCDDBF0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSetSystemInformation [0xAFCEC1C0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAFBD48AE]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendProcess [0xAFCF4190]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSuspendThread [0xAFCF4AC0]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwSystemDebugControl [0xAFCFB770]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateProcess [0xAFCF2790]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwTerminateThread [0xAFCF3620]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwUnloadDriver [0xAFCED530]
    SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwWriteVirtualMemory [0xAFCF72B0]

    INT 0x63 ? FE7339C4
    INT 0x73 ? FEB84224
    INT 0x83 ? FEA1E044
    INT 0x92 ? FE7137BC
    INT 0x93 ? FE7167BC
    INT 0x94 ? FE7207BC
    INT 0xA3 ? FE71C7BC
    INT 0xA4 ? FE72EB5C
    INT 0xB4 ? FE72FDD4

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [90, 41, CF, AF, C0, 4A, CF, ...] {NOP ; INC ECX; IRET ; SCASD ; ROR BYTE [EDX-0x31], 0xaf; JO 0xffffffffffffffc1; IRET ; SCASD }

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\spoolsv.exe[188] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\windows\system\hpsysdrv.exe[348] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\windows\system\hpsysdrv.exe[348] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\windows\system\hpsysdrv.exe[348] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\windows\system\hpsysdrv.exe[348] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\hkcmd.exe[376] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 0090A1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\hkcmd.exe[376] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 0090A174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\hkcmd.exe[376] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 0090A1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\hkcmd.exe[376] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 0090A224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ps2.exe[384] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ps2.exe[384] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ps2.exe[384] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ps2.exe[384] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\AT&T\Internet Security Wizard\ISW.exe[392] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\AT&T\Internet Security Wizard\ISW.exe[392] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\AT&T\Internet Security Wizard\ISW.exe[392] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\AT&T\Internet Security Wizard\ISW.exe[392] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[444] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0059EB4C C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[444] kernel32.dll!LoadResource 7C80A055 5 Bytes JMP 0059E828 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[444] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0059EA88 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[444] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 0059EB20 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[444] USER32.dll!EnableWindow 7E429849 5 Bytes JMP 0116944C C:\PROGRA~1\Agnitum\OUTPOS~1\op_cmn.dll (Outpost Common Controls Library/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe[444] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 0059EAF4 C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe (Outpost User Interface/Agnitum Ltd.)
    .text C:\Documents and Settings\Owner\Desktop\jtfbhokk.exe[492] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Documents and Settings\Owner\Desktop\jtfbhokk.exe[492] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Documents and Settings\Owner\Desktop\jtfbhokk.exe[492] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Documents and Settings\Owner\Desktop\jtfbhokk.exe[492] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[628] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[628] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[628] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe[628] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ctfmon.exe[792] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ctfmon.exe[792] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ctfmon.exe[792] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\ctfmon.exe[792] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[812] user32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 00D5A1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[812] user32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 00D5A174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[812] user32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 00D5A1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[812] user32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 00D5A224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\System32\winlogon.exe[900] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\System32\winlogon.exe[900] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\System32\winlogon.exe[900] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\System32\winlogon.exe[900] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\services.exe[952] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\services.exe[952] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\services.exe[952] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\services.exe[952] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1836] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1836] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1836] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe[1836] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1940] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1940] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1940] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashServ.exe[1940] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\Explorer.EXE[1956] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\Explorer.EXE[1956] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\Explorer.EXE[1956] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\Explorer.EXE[1956] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[2016] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2172] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2172] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2172] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2172] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2244] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2244] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2244] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2244] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\wuauclt.exe[2496] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 100AA1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\wuauclt.exe[2496] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\wuauclt.exe[2496] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)
    .text C:\WINDOWS\system32\wuauclt.exe[2496] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 100AA224 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F6A3C906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F6A3C906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F6A3C906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F6A3C906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6A3C906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F6A3C906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6A3C906] \SystemRoot\system32\drivers\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [AFCEC190] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)
    IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [AFCD9130] \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[952] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 006B0002
    IAT C:\WINDOWS\system32\services.exe[952] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 006B0000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----



    ======================================================


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:13:06 AM, on 5/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://pbells.broadjump.com/wizlet/iw60/launch.htm
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228958232656
    O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 4337 bytes



    ====================================================


    Need more just let me know. Thanks.
     
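The GMER hook list and the HijackThis log in the post above are read by hand in this thread. What follows is an added example, not code from the thread, from GMER or from HijackThis, that does the same correlation mechanically: it groups the user-mode hooks by the module GMER names as their owner, checks whether that module is the one registered under AppInit_DLLs (a DLL listed there is loaded into every process that loads user32.dll, which is why wl_hook.dll shows up in winlogon.exe, services.exe, Explorer and the rest), lists hooks for which GMER names no owning module at all (the two IAT entries in services.exe above have that shape), and flags BHO entries marked "(file missing)" together with every Java install directory the log references. The sample lines are copied from the logs above, except the one marked CONSTRUCTED, whose addresses are made up; the regular expressions are an assumption drawn from the line shapes seen here, not a specification of GMER or HJT output.

```python
"""Triage of GMER user-mode hook lines and HijackThis lines.

Added example for this thread; not code from the thread, GMER or HijackThis.
Sample lines are copied from the logs in the thread, except the one marked
CONSTRUCTED. The regexes are an assumption based on the line shapes seen here.
"""
import os
import re
from collections import defaultdict

# .text <process>[<pid>] <dll>!<api> <addr> N Bytes JMP <target> [<module> (<desc>)]
GMER_TEXT = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<api>\S+)\s+"
    r"[0-9A-Fa-f]{8}\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?\s*$")
# IAT <process>[<pid>] @ <image> [<dll>!<api>] <target> [<module> (<desc>)]
GMER_IAT = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+\S.*?\s+\[(?P<dll>[^!\]]+)!(?P<api>[^\]]+)\]"
    r"\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?\s*$")
HJT_APPINIT = re.compile(r"^O20\s+-\s+AppInit_DLLs:\s*(?P<dlls>.+?)\s*$")
HJT_BHO = re.compile(r"^O2\s+-\s+BHO:\s+(?P<name>.+?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]+\})"
                     r"\s+-\s+(?P<path>.+?)(?P<missing>\s+\(file missing\))?\s*$")
JAVA_DIR = re.compile(r"\\Program Files\\Java\\([^\\\s]+)\\", re.I)


def basename(path):
    """Lower-cased basename of a Windows path, also when run on a non-Windows host."""
    return os.path.basename(path.replace("\\", "/")).lower()


def parse_gmer(lines):
    """One dict per recognised inline (.text) or IAT hook line; other lines are skipped."""
    hooks = []
    for line in (l.strip() for l in lines):
        m = GMER_TEXT.match(line) or GMER_IAT.match(line)
        if m:
            d = m.groupdict()
            hooks.append({"proc": basename(d["proc"]), "pid": int(d["pid"]),
                          "api": f'{d["dll"]}!{d["api"]}'.lower(),
                          "target": d["target"].upper(),
                          "module": d["module"].lower() if d["module"] else None})
    return hooks


def parse_hjt(lines):
    """AppInit_DLLs basenames, BHO entries and Java directories from HJT O2/O9/O20 lines."""
    info = {"appinit": [], "bho": [], "java_dirs": set()}
    for line in (l.strip() for l in lines):
        if m := HJT_APPINIT.match(line):
            info["appinit"] += [basename(p.strip()) for p in m["dlls"].split(",") if p.strip()]
        if m := HJT_BHO.match(line):
            info["bho"].append({"name": m["name"], "clsid": m["clsid"].upper(),
                                "path": m["path"], "missing": bool(m["missing"])})
        info["java_dirs"].update(j.lower() for j in JAVA_DIR.findall(line))
    return info


def triage(gmer_lines, hjt_lines):
    hooks, hjt = parse_gmer(gmer_lines), parse_hjt(hjt_lines)
    procs_by_module = defaultdict(set)
    unattributed = []
    for h in hooks:
        if h["module"] is None:      # GMER named no owning module: worth a closer look
            unattributed.append((h["proc"], h["api"], h["target"]))
        else:
            procs_by_module[basename(h["module"])].add(h["proc"])
    return {
        # a DLL under AppInit_DLLs is loaded into every user32-loading process, which
        # explains one hooking module appearing in winlogon, services, explorer, ...
        "modules": {mod: {"processes": sorted(procs), "via_appinit": mod in hjt["appinit"]}
                    for mod, procs in procs_by_module.items()},
        "unattributed": unattributed,
        "bho_missing": [b["path"] for b in hjt["bho"] if b["missing"]],
        "java_dirs": sorted(hjt["java_dirs"]),
    }


def format_report(r):
    lines = [f"{m}: hooks in {', '.join(i['processes'])} "
             f"({'registered in AppInit_DLLs' if i['via_appinit'] else 'not in AppInit_DLLs'})"
             for m, i in sorted(r["modules"].items())]
    lines += [f"UNATTRIBUTED hook: {p} {a} -> {t}" for p, a, t in r["unattributed"]]
    lines += [f"BHO file missing: {p}" for p in r["bho_missing"]]
    lines.append("Java directories referenced: " + ", ".join(r["java_dirs"]))
    return "\n".join(lines)


# Copied from the GMER log in this thread, plus one CONSTRUCTED line (addresses made up).
GMER_SAMPLE = [
    r".text C:\WINDOWS\system32\ctfmon.exe[792] USER32.dll!SetWindowPos 7E4299F3 5 Bytes JMP 100AA1A0 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)",
    r".text C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe[812] user32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 00D5A1F8 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)",
    r".text C:\WINDOWS\System32\winlogon.exe[900] USER32.dll!SetForegroundWindow 7E4242ED 5 Bytes JMP 100AA174 c:\progra~1\agnitum\outpos~1\wl_hook.dll (Outpost Hooking Module/Agnitum Ltd.)",
    r".text C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe[2016] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 00522570 C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe (Agnitum Outpost Service/Agnitum Ltd.)",
    r"IAT C:\WINDOWS\system32\services.exe[952] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 006B0002",
    r"IAT C:\WINDOWS\system32\services.exe[952] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 006B0000",
    r".text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtQueryDirectoryFile 7C90D000 5 Bytes JMP 00A10000",  # CONSTRUCTED
]
# Copied from the HijackThis log in this thread.
HJT_SAMPLE = [
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll",
    r"O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)",
    r"O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll",
]

if __name__ == "__main__":
    print(format_report(triage(GMER_SAMPLE, HJT_SAMPLE)))
```

Run as-is it prints wl_hook.dll as registered in AppInit_DLLs and present in awc.exe, ctfmon.exe and winlogon.exe, acs.exe hooking only itself, the three hooks with no owning module, the missing jp2ssv.dll BHO file and both Java directories (jre1.6.0_05 beside jre6). To use it on a full log, feed the whole GMER and HJT files as the two line lists; unrecognised lines are ignored. An unattributed hook is not a verdict, only the place to look next: a vendor module will usually turn up when the target address is resolved inside the live process.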
  5. 2009/05/29 broni (Moderator, Malware Analyst)
    Malware-wise, all looks clean, so...

    1. Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we'll disable a few unneeded startups (no actual programs will be removed)
    NOTE. I strongly advise against running Advanced SystemCare 3 as a startup, if at all. If you want to use it occasionally, at least leave the registry part alone.

    Open HJT, and checkmark:
    - O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
    - O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    - O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

    Click "Fix checked" button.

    Restart computer.
    Post fresh HJT log.
     
  6. 2009/05/30 DugE (Well-Known Member, Thread Starter)
    I'm somewhat confused with the download page that JavaRa sent me to in order to download the newest version for my computer. The instructions say to scroll down until I reach the JRE portion of the webpage. No scrolling involved. The only JRE download is JRE 6 Update 14, which says it supports IE8, Windows Server 2008, and Windows Vista SP2. I'm using XP SP3. Does this make a difference, or will version 6.14 be the correct one for me?

    I usually go to this page to check for the newest version of java:

    http://www.java.com/en/download/index.jsp

    At the moment it offers JRE 6 update 13. I am unsure which version to download and install. Please advise. Thanks.
     
  7. 2009/05/30 broni (Moderator, Malware Analyst)
    JRE 6 Update 14 is the newest version, and it works on all Windows versions.
     
  8. 2009/05/30 DugE (Well-Known Member, Thread Starter)
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:11:38 PM, on 5/30/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://pbells.broadjump.com/wizlet/iw60/launch.htm
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228958232656
    O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 3650 bytes



    Got a few more tidbits that may or may not be related but are troublesome nevertheless.

    1. Lately I've had task manager minimized to tray so whenever the hard drive begins running for whatever reason I can bring up task manager to see the offender. Yesterday when I brought up the task manager no program or service was showing to be running, idle at 99%, but the hard drive was running like mad for close to 2 minutes.

    2. I can log on to sites, this one for example, do my business and leave. When I come back I have to log in again. I don't even have to close my browser. I can go to another page and come back and have to log on again. This even occurs when I check the 'remember me' option.

    3. Once a day I get the popup from Windows saying that my Virtual Memory minimum is too low and Windows will use a part of the hard drive as memory or something to that effect. Usually happens when I close my browser. Sometimes it will do it when I have too many tabs open.

    4. Sometimes when I am logged on for a while and decide to go to another site via bookmark on the links bar of my browser the hard drive will run like mad for a minute when I hover the mouse pointer over the link. I will have to wait for the hard drive to stop before I can click the link.

    5. Just today my folders in C: drive and inside other folders, such as Program Files, have been changed. Instead of the two to a row option it has been changed to a three to a row option. I didn't do it. Knowingly anyway.

    These are problems I am having in addition to java hogging the cpu. Don't know if they are related or if I need to post in another forum. Just thought I'd mention it to see what you think.

    P.S. I'm through typing now, where's the spell checker?
     
  9. 2009/05/30 PeteC (SuperGeek, Staff)
    Screenshot ....
     


  10. 2009/05/30 DugE (Well-Known Member, Thread Starter)
    I don't have that option.

    I have the two beside the one you showed in the screenshot but not the one you pointed to.
     
  11. 2009/05/30 PeteC (SuperGeek, Staff)
    Strange - anyway if you click on the symbol I indicated the dialogue in the screenshot pops up - I had forgotten that symbol was not an actual spellchecker. I have used the spellchecker in the Google Toolbar for many years.
     


  12. 2009/05/30 DugE (Well-Known Member, Thread Starter)
    Good enough, thanks PeteC.
     
  13. 2009/05/30 broni (Moderator, Malware Analyst)
    We'll run one more scan. If nothing is there, then you'll have to start a new topic in the Windows section.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.
     
  14. 2009/05/30 DugE (Well-Known Member, Thread Starter)
    ComboFix 09-05-30.03 - Owner 05/30/2009 19:17.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.36 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
    .

    2009-05-30 16:35 . 2009-05-30 16:35 -------- d-----w c:\program files\Java
    2009-05-29 12:48 . 2009-05-29 12:48 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-05-28 16:08 . 2009-05-28 16:08 -------- d-----w c:\program files\CCleaner
    2009-05-28 01:01 . 2009-05-28 01:01 -------- d-----w c:\program files\Common Files\Java
    2009-05-27 16:11 . 2009-05-27 16:11 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Runscanner.net
    2009-05-27 15:08 . 2009-05-29 12:09 117760 ----a-w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-05-27 15:06 . 2009-05-27 15:06 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-05-27 15:06 . 2009-05-27 15:06 65024 ----a-r c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    2009-05-27 15:06 . 2009-05-27 15:06 18944 ----a-r c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    2009-05-27 15:06 . 2009-05-27 15:06 -------- d-----w c:\program files\SUPERAntiSpyware
    2009-05-27 15:06 . 2009-05-27 15:06 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2009-05-27 15:05 . 2009-05-27 15:05 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-05-24 20:28 . 2009-05-24 20:33 -------- d-----w c:\documents and settings\Owner\Application Data\WIPE
    2009-05-24 20:27 . 2009-05-24 20:27 -------- d-----w c:\program files\Wipe
    2009-05-24 20:27 . 2008-04-14 08:12 76288 ----a-w c:\windows\system32\taskkill.exe
    2009-05-24 20:22 . 2009-05-24 20:22 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
    2009-05-24 20:12 . 2009-05-24 20:12 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
    2009-05-24 18:46 . 2009-05-24 18:46 -------- d-sh--w c:\documents and settings\Owner\IETldCache
    2009-05-24 18:42 . 2009-05-24 18:42 -------- d-----w c:\windows\ie8updates
    2009-05-24 18:41 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
    2009-05-24 18:40 . 2009-05-24 18:41 -------- dc-h--w c:\windows\ie8
    2009-05-22 20:53 . 2009-05-22 20:53 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Screamer Radio
    2009-05-17 22:49 . 2007-06-22 07:08 139776 ----a-w c:\windows\system32\dhSQLite.dll
    2009-05-17 22:49 . 2007-06-18 22:57 219136 ----a-w c:\windows\sqlite3_engine.dll
    2009-05-17 22:04 . 2003-03-18 20:20 1060864 ----a-w c:\windows\system32\MFC71.dll
    2009-05-17 22:04 . 2003-03-18 19:14 499712 ----a-w c:\windows\system32\MSVCP71.dll
    2009-05-17 22:04 . 2003-02-21 02:42 348160 ----a-w c:\windows\system32\MSVCR71.dll
    2009-05-17 22:04 . 2009-05-17 22:04 -------- d-----w c:\program files\Alwil Software
    2009-05-17 20:10 . 2009-05-17 20:10 272 ----a-w c:\windows\system32\drivers\sfi.dat
    2009-05-06 00:07 . 2009-05-06 00:07 -------- d-----w c:\program files\IObit

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-30 20:43 . 2008-12-16 23:39 34 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
    2009-05-30 16:35 . 2008-11-01 15:19 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-05-29 12:50 . 2009-04-16 00:44 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-27 15:47 . 2008-12-21 00:50 153104 ----a-w c:\windows\system32\drivers\tmcomm.sys
    2009-05-26 17:20 . 2009-04-16 00:44 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-05-26 17:19 . 2009-04-16 00:44 19096 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-05-24 21:00 . 2008-11-01 17:53 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-05-24 21:00 . 2009-04-15 00:47 -------- d-----w c:\program files\SpywareBlaster
    2009-05-23 15:02 . 2003-08-23 14:12 24960 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-17 20:32 . 2009-03-18 18:23 -------- d-----w c:\program files\COMODO
    2009-04-16 01:05 . 2009-04-16 01:05 -------- d-----w c:\documents and settings\Owner\Application Data\SampleView
    2009-04-16 01:00 . 2009-04-16 01:00 -------- d-----w c:\program files\Secunia
    2009-04-16 00:44 . 2009-04-16 00:44 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-05 21:10 . 2008-11-01 17:45 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-03-24 11:03 . 2009-03-24 11:03 7808 ----a-w c:\windows\system32\drivers\psi_mf.sys
    2009-03-08 08:34 . 2008-04-30 18:53 914944 ----a-w c:\windows\system32\wininet.dll
    2009-03-08 08:34 . 2008-04-30 18:52 43008 ----a-w c:\windows\system32\licmgr10.dll
    2009-03-08 08:33 . 2008-04-30 18:51 18944 ----a-w c:\windows\system32\corpol.dll
    2009-03-08 08:33 . 2008-04-30 18:53 420352 ----a-w c:\windows\system32\vbscript.dll
    2009-03-08 08:32 . 2008-04-30 18:50 72704 ----a-w c:\windows\system32\admparse.dll
    2009-03-08 08:32 . 2008-04-30 18:51 71680 ----a-w c:\windows\system32\iesetup.dll
    2009-03-08 08:31 . 2008-04-30 18:51 34816 ----a-w c:\windows\system32\imgutil.dll
    2009-03-08 08:31 . 2008-04-30 18:52 48128 ----a-w c:\windows\system32\mshtmler.dll
    2009-03-08 08:31 . 2008-04-30 18:52 45568 ----a-w c:\windows\system32\mshta.exe
    2009-03-08 08:22 . 2008-04-30 18:52 156160 ----a-w c:\windows\system32\msls31.dll
    2009-03-06 14:22 . 2008-04-30 18:52 284160 ----a-w c:\windows\system32\pdh.dll
    2004-01-17 18:14 . 2008-10-31 03:53 0 --sha-w c:\windows\SMINST\HPCD.SYS
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv "= "c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
    "PS2 "= "c:\windows\system32\ps2.exe" [2002-10-16 81920]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-05-30 148888]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications "= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe "=

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 7:03 AM 7808]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-procexp90.Sys


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = https://pbells.broadjump.com/wizlet/iw60/launch.htm
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\obnsslyn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-30 19:20
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\EN]
    @DACL=(02 0000)

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\FR]
    @DACL=(02 0000)
    "OnLineServicesDirName"="Services en ligne"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\MX]
    @DACL=(02 0000)
    "OnLineServicesDirName"="Servicios en línea"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\NL]
    @DACL=(02 0000)

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\NW]
    @DACL=(02 0000)
    "OnLineServicesDirName"="Online tjenster"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\SP]
    @DACL=(02 0000)
    "OnLineServicesDirName"="Servicios en línea"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\SW]
    @DACL=(02 0000)
    "OnLineServicesDirName"="Online tjänster"

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\UK]
    @DACL=(02 0000)

    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\HP\US]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(632)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(988)
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\OneX.DLL
    c:\windows\system32\eappprxy.dll
    .
    Completion time: 2009-05-30 19:21
    ComboFix-quarantined-files.txt 2009-05-30 23:21

    Pre-Run: 65,721,978,880 bytes free
    Post-Run: 65,712,033,792 bytes free

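The Security Center and firewall values in the Reg Loading Points section of the ComboFix log above (AntiVirusDisableNotify, UpdatesDisableNotify, AntiVirusOverride and the firewall profile's DisableNotifications) are the entries an analyst reads first: non-zero values silence Windows Security Center warnings, and they are written both by third-party suites such as avast! and Outpost, which this machine runs, and by malware that wants a disabled AV to go unnoticed. As an added example that is not code from this thread or from ComboFix, here is a small Python triage script that parses the REGEDIT4-style section, lists the Run autostarts and flags those values. The sample input is constructed from the posted log; the value-name list (NOTIFY_SUPPRESSORS) and the helper names are this example's own.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example (not part of the WindowsBBS thread or of ComboFix): parse the
REGEDIT4-style dump, list Run autostarts and flag Security Center / firewall
values that suppress user notifications.  SAMPLE_LOG is constructed from the
log posted in the thread; NOTIFY_SUPPRESSORS is this example's own list.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the posted ComboFix "Reg Loading Points".
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-30 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

# Value names that, when non-zero, silence Security Center / firewall warnings
# (assumed list for this example; extend it for your own triage).
NOTIFY_SUPPRESSORS = {
    "antivirusdisablenotify", "antivirusoverride",
    "firewalldisablenotify", "firewalloverride",
    "updatesdisablenotify", "disablenotifications",
}

Sections = Dict[str, List[Tuple[str, str]]]


def parse_reg_dump(text: str) -> Sections:
    """Map each [key] header to its list of (value name, raw data) pairs."""
    sections: Sections = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group("name"), m.group("data").strip()))
    return sections


def reg_data_to_int(data: str) -> Optional[int]:
    """Decode 'dword:00000001' or ComboFix's '1 (0x1)'; None for string data."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"^(\d+)\b", data)
    return int(m.group(1)) if m else None


def find_notification_overrides(sections: Sections) -> List[Tuple[str, str, int]]:
    """Return (key, value name, value) for every non-zero notification suppressor."""
    hits = []
    for key, values in sections.items():
        for name, data in values:
            if name.lower() in NOTIFY_SUPPRESSORS:
                n = reg_data_to_int(data)
                if n:
                    hits.append((key, name, n))
    return hits


def list_run_entries(sections: Sections) -> List[Tuple[str, str, str]]:
    """Return (key, value name, image path) for entries under any Run key."""
    entries = []
    for key, values in sections.items():
        if key.lower().endswith("\\run"):
            for name, data in values:
                m = re.match(r'^"([^"]*)"', data)  # quoted path precedes the [date size] tag
                entries.append((key, name, m.group(1) if m else data))
    return entries


if __name__ == "__main__":
    secs = parse_reg_dump(SAMPLE_LOG)
    for key, name, path in list_run_entries(secs):
        print(f"autostart  {name:<22} {path}")
    for key, name, n in find_notification_overrides(secs):
        print(f"NOTIFY OFF {name:<22} = {n}   ({key})")
```

A flagged value is a lead, not a verdict: on this machine the suppressors line up with avast! and Outpost being installed, and the thread's analyst judged the log clean. The useful follow-up is to pair each flagged value with the Run, service and Winlogon entries the same parser lists and confirm every image path belongs to a product you expect to find.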
     
  15. 2009/05/30
    DugE

    DugE Well-Known Member Thread Starter

    Joined:
    2002/09/10
    Messages:
    726
    Likes Received:
    3
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:50:38 PM, on 5/30/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\ps2.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://pbells.broadjump.com/wizlet/iw60/launch.htm
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
    O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1228958232656
    O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    --
    End of file - 3571 bytes
     
  16. 2009/05/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Totally nothing here.
    I'm going to mark this one as resolved, and you need to go back to the Windows forum.
     
  17. 2009/05/30
    DugE

    DugE Well-Known Member Thread Starter

    Joined:
    2002/09/10
    Messages:
    726
    Likes Received:
    3
    Thanks Broni for all your help. I'm glad to know I'm clean though. Hope I can stay that way. :)
     
  18. 2009/05/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You're very welcome :)
     
