TechSpot

[A] Firefox redirecting www.google.com to other site (not searches)

Inactive
By kruuth
Feb 26, 2012
Topic Status:
Not open for further replies.
  1. Whenever I type www.google.com into the URL bar in Firefox I am redirected to vtr.com. Searches using the search bar work fine, and going to https://www.google.com works fine as well. Using Chrome or IE also works fine. I've already scanned with MBAM but nothing popped up. Has anyone seen something like this before?
     
  2. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. kruuth

    kruuth TS Rookie Topic Starter

    Thanks. I ran Malwarebytes and Avast and came up with nothing. Here are the logs from the other files.
     

    Attached Files:

  4. Broni

    Broni Malware Annihilator Posts: 46,865   +254

     
  5. kruuth

    kruuth TS Rookie Topic Starter

    My bad. Here we go
    DDS.txt:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_27
    Run by xi at 6:07:26 on 2012-02-29
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.894.302 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskhost.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
    C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\MediaMall\MediaMallServer.exe
    C:\Windows\VMSnap3.EXE
    C:\Windows\Domino.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\UI0Detect.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\conhost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [VMSnap3] c:\windows\VMSnap3.EXE
    mRun: [Domino] c:\windows\Domino.EXE
    mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [FileZilla Server Interface] "c:\program files\filezilla server\FileZilla Server Interface.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10w_ActiveX.exe -update activex
    StartupFolder: c:\users\xi\appdata\roaming\micros~1\windows\startm~1\programs\startup\utorre~1.lnk - c:\program files\utorrent\uTorrent.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: SoftwareSASGeneration = 1 (0x1)
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{517191E1-709C-49AA-BBD0-B90075BA6003} : DhcpNameServer = 192.168.1.254
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\xi\appdata\roaming\mozilla\firefox\profiles\f3ouooqd.default\
    FF - prefs.js: network.proxy.http - 210.101.131.232
    FF - prefs.js: network.proxy.http_port - 8080
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.50826.0\npctrlui.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 2310_00;2310_00;c:\windows\system32\drivers\2310_00.sys [2011-7-2 135200]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-2-26 610648]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-2-26 337112]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-2-26 20696]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-2-26 57688]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-2-26 44768]
    R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-9-13 21992]
    R2 hptsvr;HighPoint RAID Management Service;c:\program files\highpoint technologies, inc\highpoint raid management software\service\hptsvr.exe [2011-9-13 45056]
    R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2011-11-10 5106040]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-10-8 1153368]
    R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2012-1-7 2016504]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-2-25 40776]
    R3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2012-1-7 12904]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
    R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2011-9-14 428160]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-2 136176]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-2 136176]
    S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2011.sp5\RpcAgentSrv.exe [2011-10-14 93848]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    .
    =============== Created Last 30 ================
    .
    2012-02-29 00:26:32 -------- d-----w- c:\users\xi\dwhelper
    2012-02-27 01:10:13 -------- d-----w- c:\users\xi\appdata\local\Google
    2012-02-27 01:10:05 44376 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-02-27 01:10:03 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-02-27 01:10:02 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-02-27 01:09:01 41184 ----a-w- c:\windows\avastSS.scr
    2012-02-27 01:08:48 -------- d-----w- c:\programdata\AVAST Software
    2012-02-27 01:08:48 -------- d-----w- c:\program files\AVAST Software
    2012-02-25 18:16:25 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-02-25 18:16:24 -------- d-----w- c:\users\xi\appdata\roaming\Malwarebytes
    2012-02-25 18:16:02 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-25 18:16:01 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-19 05:32:19 -------- d-----w- c:\users\xi\appdata\roaming\UltraVNC
    2012-02-08 16:32:45 -------- d-----w- c:\users\xi\appdata\roaming\Mobile Atlas Creator
    .
    ==================== Find3M ====================
    .
    2012-01-07 17:35:49 24680 ----a-w- c:\windows\system32\mv2.dll
    2012-01-07 17:35:49 12904 ----a-w- c:\windows\system32\drivers\mv2.sys
    2006-05-03 16:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 17:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 19:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
    2010-01-07 04:00:00 107520 --sha-r- c:\windows\system32\TAKDSDecoder.dll
    .
    ============= FINISH: 6:07:54.37 ===============
    Attach.txt:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume3
    Install Date: 9/13/2011 6:55:32 AM
    System Uptime: 2/28/2012 8:44:11 PM (10 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA78LM-S2H
    Processor: AMD Sempron(tm) 140 Processor | Socket M2 | 2712/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 86.669 GiB free.
    D: is FIXED (NTFS) - 2794 GiB total, 1599.478 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP28: 2/6/2012 12:00:08 AM - Scheduled Checkpoint
    RP29: 2/14/2012 12:00:07 AM - Scheduled Checkpoint
    RP30: 2/21/2012 10:55:36 PM - Scheduled Checkpoint
    RP31: 2/26/2012 8:08:36 PM - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 9.4.0
    avast! Free Antivirus
    AviSynth 2.5
    Batch Renamer 2.1.1 (uninstall)
    Better File Rename 5.09
    Chinese Simplified Fonts Support For Adobe Reader 9
    CPUID CPU-Z 1.58
    Everything 1.2.1.371
    ffdshow v1.1.3982 [2011-09-15]
    FileZilla Server
    Google Chrome
    Google Update Helper
    Haali Media Splitter
    HighPoint RAID Management Software
    Japanese Fonts Support For Adobe Reader 9
    Java Auto Updater
    Java(TM) 6 Update 27
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox 10.0.2 (x86 en-US)
    PlayOn
    Realtek HDMI Audio Driver for ATI
    Realtek High Definition Audio Driver
    SiSoftware Sandra Lite 2011.SP5
    Spybot - Search & Destroy
    SUPER © v2011.build.49 (July 1st, 2011) version v2011.build.49
    theRenamer 7.54
    TV Rename
    TV Show Renamer 2.7 Beta
    UltraVnc
    .
    ==== Event Viewer Messages From Past Week ========
    .
    2/28/2012 8:44:45 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdrom
    .
    ==== End Of File ===========================
    MBAM:
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.25.05

    Windows 7 x86 NTFS
    Internet Explorer 8.0.7600.16385
    xi :: VCR [administrator]

    2/29/2012 6:00:29 AM
    mbam-log-2012-02-29 (06-00-29).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 163399
    Time elapsed: 3 minute(s), 15 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
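The DDS log above reports three Firefox proxy preferences: network.proxy.http = 210.101.131.232, network.proxy.http_port = 8080 and network.proxy.type = 0. Type 0 means a direct connection, so Firefox is not currently routing through that proxy, but a proxy entry for plain HTTP with none for SSL is exactly the shape of setting that would affect http://www.google.com while leaving https:// alone, so it is worth knowing how to check it. The following is an added Python example, not part of the thread, of DDS or of Firefox; the sample prefs.js is constructed from those three values in Firefox's real user_pref() syntax. Firefox also applies user.js from the same profile directory at each startup, overriding prefs.js, so a real check reads both files from the profile path the DDS log names.

```python
"""Check a Firefox profile's proxy preferences for an HTTP-only proxy.

Added example for this thread; it is not DDS, Firefox or forum code. The
sample prefs.js content is constructed from the three "FF - prefs.js:"
values in the DDS log above, written in the real prefs.js syntax
(user_pref("name", value);).
"""
import re

# network.proxy.type values as Firefox defines them; 5 is the default.
PROXY_TYPES = {
    0: "direct connection, no proxy",
    1: "manual proxy configuration",
    2: "automatic configuration (PAC) URL",
    4: "auto-detect proxy (WPAD)",
    5: "use system proxy settings",
}

# Constructed sample mirroring the DDS "FF - prefs.js:" lines.
SAMPLE_PREFS_JS = '''
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1330400000);
user_pref("network.proxy.http", "210.101.131.232");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 0);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Map pref name -> value for every user_pref() line (str, int or bool)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def assess_proxy(prefs):
    """Summarize proxy state: which schemes have a proxy configured, whether
    manual mode actually activates them, and whether only plain HTTP is
    proxied (which would leave https:// traffic untouched)."""
    ptype = prefs.get("network.proxy.type", 5)
    configured = {}
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get("network.proxy.%s" % scheme)
        if host:
            configured[scheme] = (host, prefs.get("network.proxy.%s_port" % scheme))
    return {
        "type": ptype,
        "type_name": PROXY_TYPES.get(ptype, "unknown"),
        "manual_mode": ptype == 1,
        "configured": configured,
        "pac_url": prefs.get("network.proxy.autoconfig_url"),
        "http_only": "http" in configured and "ssl" not in configured,
    }


def report(assessment):
    """Render the assessment as lines a helper could paste back into a thread."""
    lines = ["network.proxy.type = %(type)s (%(type_name)s)" % assessment]
    for scheme, (host, port) in sorted(assessment["configured"].items()):
        state = "ACTIVE" if assessment["manual_mode"] else "configured but not in use"
        lines.append("%s proxy %s:%s -> %s" % (scheme, host, port, state))
    if assessment["pac_url"]:
        lines.append("PAC URL: %s" % assessment["pac_url"])
    if assessment["http_only"]:
        lines.append("only plain HTTP has a proxy entry; HTTPS would bypass it")
    return lines


if __name__ == "__main__":
    # Real use: read prefs.js (and user.js, if present) from the profile
    # directory instead of the constructed sample.
    for line in report(assess_proxy(parse_prefs(SAMPLE_PREFS_JS))):
        print(line)
```

On the posted values this reports the proxy as configured but not in use, because type 0 bypasses it; flipping the type to 1 (manual) would activate it for http:// only, which is why a leftover entry like this is still worth removing and why user.js must be checked as well, since it re-applies at every start.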
     
  6. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    I still need the GMER log.

     
  7. kruuth

    kruuth TS Rookie Topic Starter

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-02-28 07:04:57
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD161GJ rev.1AC01118
    Running: bfyckho4.exe; Driver: C:\Users\xi\AppData\Local\Temp\pxldypow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8CC28DC4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8CAF6904]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8CC29832]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8CC2E25C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8CC2E2A8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8CC2E39A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8CC2E1CA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8CC2E2EC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8CC2E212]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8CC2E354]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8CC28E10]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8CAF69DE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8CC28AA2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8CC28E5C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8CC2BC94]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8CC29AD6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8CC2E286]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8CC2E2CA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8CC2E3BE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8CC2E1F0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8CC2E326]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8CC2E23A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8CC2E378]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8CAF6B4A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8CC299A2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8CC28EA8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8CC28EF4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8CC28B12]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8CC28CB6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8CC28C5E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8CC28D26]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8CAF6C0A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8CC28F40]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8CAF6A8A]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8CB0CA72]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8305B579 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8307FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 214 83087714 4 Bytes [C4, 8D, C2, 8C]
    .text ntkrnlpa.exe!RtlSidHashLookup + 23C 8308773C 4 Bytes [04, 69, AF, 8C]
    .text ntkrnlpa.exe!RtlSidHashLookup + 29C 8308779C 4 Bytes [32, 98, C2, 8C]
    .text ntkrnlpa.exe!RtlSidHashLookup + 2F0 830877F0 8 Bytes [5C, E2, C2, 8C, A8, E2, C2, ...]
    .text ntkrnlpa.exe!RtlSidHashLookup + 2FC 830877FC 4 Bytes [9A, E3, C2, 8C]
    .text ...
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83220F59 5 Bytes JMP 8CB0996C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject + 27 8323AC5F 5 Bytes JMP 8CB0B444 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 832850EA 4 Bytes CALL 8CC2A189 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8328D1C5 4 Bytes CALL 8CC2A19F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 832F2E52 7 Bytes JMP 8CB0CA76 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    ? System32\Drivers\aswTdi.SYS The system cannot find the path specified. !
    .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8D82A000, 0x227A14, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\taskhost.exe[316] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001603FC
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001601F8
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 001F0A08
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001F03FC
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 001F0804
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001F01F8
    .text C:\Program Files\FileZilla Server\FileZilla Server.exe[404] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 001F0600
    .text C:\Windows\system32\csrss.exe[432] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[448] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[448] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[448] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[508] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000303FC
    .text C:\Windows\system32\wininit.exe[508] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000301F8
    .text C:\Windows\system32\wininit.exe[508] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\wininit.exe[508] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00050A08
    .text C:\Windows\system32\wininit.exe[508] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000503FC
    .text C:\Windows\system32\wininit.exe[508] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00050804
    .text C:\Windows\system32\wininit.exe[508] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000501F8
    .text C:\Windows\system32\wininit.exe[508] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00050600
    .text C:\Windows\system32\csrss.exe[520] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[556] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000303FC
    .text C:\Windows\system32\winlogon.exe[556] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000301F8
    .text C:\Windows\system32\winlogon.exe[556] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\winlogon.exe[556] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00050A08
    .text C:\Windows\system32\winlogon.exe[556] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000503FC
    .text C:\Windows\system32\winlogon.exe[556] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00050804
    .text C:\Windows\system32\winlogon.exe[556] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000501F8
    .text C:\Windows\system32\winlogon.exe[556] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00050600
    .text C:\Windows\system32\services.exe[612] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\services.exe[612] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\services.exe[612] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\lsass.exe[628] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsass.exe[628] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\lsass.exe[628] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\lsm.exe[636] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\lsm.exe[636] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\lsm.exe[636] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
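In the GMER log above every SSDT hook is attributed to aswSnx.SYS or aswSP.SYS, but the "Kernel code sections" entries at ntkrnlpa.exe!RtlSidHashLookup + offset show only raw bytes with no owning module. Read as little-endian 32-bit values, those bytes are exactly the addresses listed in the SSDT section ([C4, 8D, C2, 8C] is 0x8CC28DC4, the ZwAddBootEntry hook), so they are the patched service-table entries themselves rather than separate code modifications. The following is an added Python example, not part of the thread or of GMER, that does this correlation; the sample input is a constructed excerpt of the posted log.

```python
"""Correlate GMER kernel code-section patches with its SSDT hook table.

Added example for this thread; not GMER's or the forum's code. GMER names
the driver behind each SSDT hook but lists the modified kernel bytes
(the ntkrnlpa.exe!RtlSidHashLookup + offset entries) without attribution.
Decoding those byte dumps as little-endian pointers and looking them up in
the SSDT table shows which driver each one leads to. The sample is a
constructed excerpt of the log posted above.
"""
import re
from collections import Counter

SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8CC28DC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8CAF6904]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8CC29832]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8CC2E25C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8CC2E2A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8CC2E39A]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8305B579 1 Byte [06]
.text ntkrnlpa.exe!RtlSidHashLookup + 214 83087714 4 Bytes [C4, 8D, C2, 8C]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 8308773C 4 Bytes [04, 69, AF, 8C]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 830877F0 8 Bytes [5C, E2, C2, 8C, A8, E2, C2, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 830877FC 4 Bytes [9A, E3, C2, 8C]
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(\w+)\s+\[0x([0-9A-Fa-f]+)\]")
PATCH_RE = re.compile(r"^\.text\s+(.+?)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes?\s+\[([^\]]*)\]")


def decode_dwords(byte_list):
    """Turn GMER's 'C4, 8D, C2, 8C, ...' dump into 32-bit little-endian
    values; a trailing '...' means GMER cut the dump short, so only
    complete 4-byte groups are decoded."""
    tokens = [t.strip() for t in byte_list.split(",")]
    hexbytes = [t for t in tokens if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
    truncated = "..." in tokens
    values = []
    for i in range(0, len(hexbytes) - 3, 4):
        values.append(int.from_bytes(bytes.fromhex("".join(hexbytes[i:i + 4])), "little"))
    return values, truncated


def parse_ssdt(text):
    """Map hook target address -> syscall name, owning module and vendor tag."""
    hooks = {}
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            module, vendor, syscall, addr = m.groups()
            hooks[int(addr, 16)] = {"syscall": syscall, "module": module, "vendor": vendor}
    return hooks


def resolve_patches(text):
    """For every .text patch, resolve its decoded values against the SSDT hooks."""
    hooks = parse_ssdt(text)
    results = []
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        symbol, addr, _nbytes, byte_list = m.groups()
        values, truncated = decode_dwords(byte_list)
        results.append({
            "symbol": symbol,
            "address": int(addr, 16),
            "resolved": [(v, hooks[v]["syscall"], hooks[v]["module"]) for v in values if v in hooks],
            "unresolved": [v for v in values if v not in hooks],
            "truncated": truncated,
        })
    return results


def summarize(text):
    """Count SSDT hooks per module and split patches into those fully
    explained by the hook table and those needing a closer look."""
    by_module = Counter(h["module"] for h in parse_ssdt(text).values())
    patches = resolve_patches(text)
    explained = [p for p in patches if p["resolved"] and not p["unresolved"]]
    unexplained = [p for p in patches if not p["resolved"] or p["unresolved"]]
    return {"hooks_per_module": dict(by_module), "explained": explained, "unexplained": unexplained}


if __name__ == "__main__":
    s = summarize(SAMPLE_GMER)
    for module, n in s["hooks_per_module"].items():
        print("%d SSDT hook(s) -> %s" % (n, module))
    for p in s["explained"]:
        targets = ", ".join("%s in %s" % (sc, mod.rsplit("\\", 1)[-1]) for _v, sc, mod in p["resolved"])
        print("%s points to %s" % (p["symbol"], targets))
    for p in s["unexplained"]:
        print("%s: not attributable from the SSDT table" % p["symbol"])
```

The one-byte ZwSaveKeyEx patch carries no pointer and stays unattributed; the four RtlSidHashLookup entries all resolve into the two avast drivers, which is what a helper would want to confirm before treating unattributed kernel patches as rootkit activity. Patches that decode to addresses absent from the SSDT table are the ones worth pursuing further.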
     
  8. kruuth

    kruuth TS Rookie Topic Starter

    .text C:\Windows\system32\svchost.exe[744] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[744] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[744] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[816] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[864] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[864] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[864] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[864] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00140A08
    .text C:\Windows\System32\svchost.exe[864] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001403FC
    .text C:\Windows\System32\svchost.exe[864] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00140804
    .text C:\Windows\System32\svchost.exe[864] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001401F8
    .text C:\Windows\System32\svchost.exe[864] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00140600
    .text C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00560A08
    .text C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 005603FC
    .text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00560804
    .text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 005601F8
    .text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00560600
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe[1016] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001503FC
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe[1016] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001501F8
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe[1016] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1020] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1020] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1020] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00AB0A08
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 00AB03FC
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00AB0804
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 00AB01F8
    .text C:\Windows\system32\svchost.exe[1020] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00AB0600
    .text C:\Windows\system32\svchost.exe[1164] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\svchost.exe[1164] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\svchost.exe[1164] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1164] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00450A08
    .text C:\Windows\system32\svchost.exe[1164] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 004503FC
    .text C:\Windows\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00450804
    .text C:\Windows\system32\svchost.exe[1164] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 004501F8
    .text C:\Windows\system32\svchost.exe[1164] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00450600
    .text C:\Windows\system32\svchost.exe[1280] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1280] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1280] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1396] kernel32.dll!SetUnhandledExceptionFilter 760D3142 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1396] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\MediaMall\MediaMallServer.exe[1408] KERNEL32.dll!GetFileAttributesExW 760C5F4D 6 Bytes JMP 71A90F5A
    .text C:\Program Files\MediaMall\MediaMallServer.exe[1408] KERNEL32.dll!GetModuleFileNameW 760D29F4 6 Bytes JMP 71AF0F5A
    .text C:\Program Files\MediaMall\MediaMallServer.exe[1408] KERNEL32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001503FC
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001501F8
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00220A08
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 002203FC
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00220804
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 002201F8
    .text C:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe[1420] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00220600
    .text C:\Windows\system32\Dwm.exe[1440] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\Dwm.exe[1440] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\Dwm.exe[1440] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\Dwm.exe[1440] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 000F0A08
    .text C:\Windows\system32\Dwm.exe[1440] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000F03FC
    .text C:\Windows\system32\Dwm.exe[1440] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 000F0804
    .text C:\Windows\system32\Dwm.exe[1440] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000F01F8
    .text C:\Windows\system32\Dwm.exe[1440] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 000F0600
    .text C:\Windows\Explorer.EXE[1452] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\Explorer.EXE[1452] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\Explorer.EXE[1452] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\Explorer.EXE[1452] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00110A08
    .text C:\Windows\Explorer.EXE[1452] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001103FC
    .text C:\Windows\Explorer.EXE[1452] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00110804
    .text C:\Windows\Explorer.EXE[1452] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001101F8
    .text C:\Windows\Explorer.EXE[1452] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00110600
    .text C:\Windows\system32\conhost.exe[1468] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000303FC
    .text C:\Windows\system32\conhost.exe[1468] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000301F8
    .text C:\Windows\system32\conhost.exe[1468] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\conhost.exe[1468] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 000C0A08
    .text C:\Windows\system32\conhost.exe[1468] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000C03FC
    .text C:\Windows\system32\conhost.exe[1468] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 000C0804
    .text C:\Windows\system32\conhost.exe[1468] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000C01F8
    .text C:\Windows\system32\conhost.exe[1468] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 000C0600
    .text C:\Windows\VMSnap3.EXE[1588] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001503FC
    .text C:\Windows\VMSnap3.EXE[1588] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001501F8
    .text C:\Windows\VMSnap3.EXE[1588] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\VMSnap3.EXE[1588] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 001E0A08
    .text C:\Windows\VMSnap3.EXE[1588] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001E03FC
    .text C:\Windows\VMSnap3.EXE[1588] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 001E0804
    .text C:\Windows\VMSnap3.EXE[1588] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001E01F8
    .text C:\Windows\VMSnap3.EXE[1588] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 001E0600
    .text C:\Windows\Domino.EXE[1604] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001503FC
    .text C:\Windows\Domino.EXE[1604] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001501F8
    .text C:\Windows\Domino.EXE[1604] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\Domino.EXE[1604] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 001E0A08
    .text C:\Windows\Domino.EXE[1604] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001E03FC
    .text C:\Windows\Domino.EXE[1604] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 001E0804
    .text C:\Windows\Domino.EXE[1604] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001E01F8
    .text C:\Windows\Domino.EXE[1604] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 001E0600
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00110A08
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001103FC
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00110804
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001101F8
    .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1620] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00110600
    .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1648] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001603FC
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001601F8
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00180A08
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001803FC
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00180804
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001801F8
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[1664] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00180600
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 003403FC
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 003401F8
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 003E0A08
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 003E03FC
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 003E0804
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 003E01F8
    .text C:\Program Files\uTorrent\uTorrent.exe[1692] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 003E0600
    .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\System32\spoolsv.exe[1928] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\System32\spoolsv.exe[1928] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00090A08
    .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000903FC
    .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00090804
    .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000901F8
    .text C:\Windows\System32\spoolsv.exe[1928] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00090600
    .text C:\Windows\system32\svchost.exe[1956] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[1956] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[1956] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[1956] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00140A08
    .text C:\Windows\system32\svchost.exe[1956] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001403FC
    .text C:\Windows\system32\svchost.exe[1956] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00140804
    .text C:\Windows\system32\svchost.exe[1956] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001401F8
    .text C:\Windows\system32\svchost.exe[1956] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00140600
    .text C:\Windows\system32\taskhost.exe[1992] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000503FC
    .text C:\Windows\system32\taskhost.exe[1992] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000501F8
    .text C:\Windows\system32\taskhost.exe[1992] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\taskhost.exe[1992] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00070A08
    .text C:\Windows\system32\taskhost.exe[1992] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000703FC
    .text C:\Windows\system32\taskhost.exe[1992] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00070804
    .text C:\Windows\system32\taskhost.exe[1992] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000701F8
    .text C:\Windows\system32\taskhost.exe[1992] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00070600
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001603FC
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001601F8
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00200A08
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 002003FC
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00200804
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 002001F8
    .text C:\Program Files\UltraVNC\WinVNC.exe[2080] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00200600
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001603FC
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001601F8
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 001F0A08
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001F03FC
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 001F0804
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001F01F8
    .text C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe[2184] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 001F0600
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 001603FC
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 001601F8
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 001F0A08
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001F03FC
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 001F0804
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001F01F8
    .text C:\Program Files\UltraVNC\WinVNC.exe[2664] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 001F0600
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000A03FC
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000A01F8
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00150A08
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001503FC
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00150804
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001501F8
    .text C:\Windows\system32\wbem\wmiprvse.exe[2896] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00150600
    .text C:\Windows\system32\SearchIndexer.exe[3060] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\SearchIndexer.exe[3060] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\SearchIndexer.exe[3060] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\SearchIndexer.exe[3060] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00100A08
    .text C:\Windows\system32\SearchIndexer.exe[3060] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001003FC
    .text C:\Windows\system32\SearchIndexer.exe[3060] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00100804
    .text C:\Windows\system32\SearchIndexer.exe[3060] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001001F8
    .text C:\Windows\system32\SearchIndexer.exe[3060] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00100600
    .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[3328] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[3328] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\svchost.exe[3328] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 002A0A08
    .text C:\Windows\system32\svchost.exe[3328] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 002A03FC
    .text C:\Windows\system32\svchost.exe[3328] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 002A0804
    .text C:\Windows\system32\svchost.exe[3328] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 002A01F8
    .text C:\Windows\system32\svchost.exe[3328] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 002A0600
    .text C:\Windows\system32\svchost.exe[3388] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\svchost.exe[3388] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\svchost.exe[3388] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00240A08
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 002403FC
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00240804
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 002401F8
    .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3540] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00240600
    .text C:\Windows\system32\UI0Detect.exe[3640] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\system32\UI0Detect.exe[3640] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\system32\UI0Detect.exe[3640] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\UI0Detect.exe[3640] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00090A08
    .text C:\Windows\system32\UI0Detect.exe[3640] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000903FC
    .text C:\Windows\system32\UI0Detect.exe[3640] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00090804
    .text C:\Windows\system32\UI0Detect.exe[3640] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000901F8
    .text C:\Windows\system32\UI0Detect.exe[3640] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00090600
    .text C:\Users\xi\Downloads\bfyckho4.exe[3820] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\system32\AUDIODG.EXE[4380] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 64EB5B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00080A08
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 000803FC
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00080804
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 000801F8
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] USER32.dll!GetWindowInfo 75EF6A82 5 Bytes JMP 6503802D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4456] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00080600
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!SetWindowLongA 75EEB1E3 5 Bytes JMP 652A01A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00300A08
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 003003FC
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00300804
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 003001F8
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!SetWindowLongW 75EF6614 5 Bytes JMP 652A0135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!GetWindowInfo 75EF6A82 5 Bytes JMP 65030924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!TrackPopupMenu 75F14B3B 5 Bytes JMP 65030ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4808] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00300600
    .text C:\Windows\System32\svchost.exe[5140] ntdll.dll!LdrUnloadDll 7780BE7F 5 Bytes JMP 000603FC
    .text C:\Windows\System32\svchost.exe[5140] ntdll.dll!LdrLoadDll 7780F585 5 Bytes JMP 000601F8
    .text C:\Windows\System32\svchost.exe[5140] kernel32.dll!GetBinaryTypeW + 70 760E7964 1 Byte [62]
    .text C:\Windows\System32\svchost.exe[5140] USER32.dll!UnhookWindowsHookEx 75EECC7B 5 Bytes JMP 00180A08
    .text C:\Windows\System32\svchost.exe[5140] USER32.dll!UnhookWinEvent 75EED924 5 Bytes JMP 001803FC
    .text C:\Windows\System32\svchost.exe[5140] USER32.dll!SetWindowsHookExW 75EF210A 5 Bytes JMP 00180804
    .text C:\Windows\System32\svchost.exe[5140] USER32.dll!SetWinEventHook 75EF507E 5 Bytes JMP 001801F8
    .text C:\Windows\System32\svchost.exe[5140] USER32.dll!SetWindowsHookExA 75F16DFA 5 Bytes JMP 00180600

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1396] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [725FF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
    IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[1648] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [725FF6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS

    ---- EOF - GMER 1.0.15 ----
     
  9. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ======================================================================

    • Download RogueKiller to the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Click on SCAN.
    • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport can also be found on your desktop.)
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
     
  10. kruuth

    kruuth TS Rookie Topic Starter

    Ran both. Roguekiller came up with 6 issues.
     
  11. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    I need to see both logs.

     
  12. kruuth

    kruuth TS Rookie Topic Starter

    RogueKiller V7.2.1 [02/29/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User: xi [Admin rights]
    Mode: Scan -- Date: 02/29/2012 14:17:15

    ¤¤¤ Bad processes: 2 ¤¤¤
    [SUSP PATH] VMSnap3.EXE -- C:\Windows\VMSnap3.EXE -> KILLED [TermProc]
    [SUSP PATH] aswMBR.exe -- C:\Users\xi\Desktop\aswMBR.exe -> KILLED [TermProc]

    ¤¤¤ Registry Entries: 6 ¤¤¤
    [SUSP PATH] HKLM\[...]\Run : VMSnap3 (C:\Windows\VMSnap3.EXE) -> FOUND
    [SUSP PATH] HKLM\[...]\Run : BigDog303 (C:\Windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)) -> FOUND
    [SCRSV] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Users\xi\Desktop\dds.scr) -> FOUND
    [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver: [LOADED] ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: SAMSUNG HD161GJ ATA Device +++++
    --- User ---
    [MBR] 7f2672c798ac8ceaba212c15a58d9279
    [BSP] 7172aa94805bfcf4939fb9e9535dc32a : Windows 7 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 152617 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: HPT DISK 0_0 SCSI Disk Device +++++
    --- User ---
    [MBR] 188852115ce2c742dcaaf13c948baa63
    [BSP] 139686caf6a7e5df749da2334aa6edd5 : Windows 7 MBR Code
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt



    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-29 14:11:52
    -----------------------------
    14:11:52.068 OS Version: Windows 6.1.7600
    14:11:52.069 Number of processors: 1 586 0x602
    14:11:52.070 ComputerName: VCR UserName: xi
    14:11:54.253 Initialize success
    14:11:55.011 AVAST engine defs: 12022900
    14:12:34.982 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    14:12:34.987 Disk 0 Vendor: SAMSUNG_HD161GJ 1AC01118 Size: 152627MB BusType: 3
    14:12:34.990 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\2310_001Port4Path0Target0Lun0
    14:12:34.994 Disk 1 Vendor: HPT_____ 4.00 Size: 2861376MB BusType: 1
    14:12:35.006 Disk 0 MBR read successfully
    14:12:35.009 Disk 0 MBR scan
    14:12:35.287 Disk 0 Windows 7 default MBR code
    14:12:35.304 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
    14:12:35.686 Disk 0 scanning sectors +312560640
    14:12:36.042 Disk 0 scanning C:\Windows\system32\drivers
    14:12:48.335 Service scanning
    14:13:06.759 Modules scanning
    14:13:12.797 Disk 0 trace - called modules:
    14:13:13.199 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
    14:13:13.208 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85930400]
    14:13:13.215 3 CLASSPNP.SYS[8760459e] -> nt!IofCallDriver -> [0x85580898]
    14:13:13.224 5 ACPI.sys[872253b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8556d908]
    14:13:13.484 AVAST engine scan C:\Windows
    14:13:15.259 AVAST engine scan C:\Windows\system32
    14:14:54.593 AVAST engine scan C:\Windows\system32\drivers
    14:15:03.426 AVAST engine scan C:\Users\xi
    14:16:10.320 Disk 0 MBR has been saved successfully to "C:\Users\xi\Desktop\MBR.dat"
    14:16:10.331 The log file has been saved successfully to "C:\Users\xi\Desktop\aswMBR.txt"
     
  13. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running, Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right-click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  14. kruuth

    kruuth TS Rookie Topic Starter

    Combofix runs fine. Here's the output:


    aswMBR version 0.9.9.1649 Copyright(c) 2011 AVAST Software
    Run date: 2012-02-29 14:11:52
    -----------------------------
    14:11:52.068 OS Version: Windows 6.1.7600
    14:11:52.069 Number of processors: 1 586 0x602
    14:11:52.070 ComputerName: VCR UserName: xi
    14:11:54.253 Initialize success
    14:11:55.011 AVAST engine defs: 12022900
    14:12:34.982 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    14:12:34.987 Disk 0 Vendor: SAMSUNG_HD161GJ 1AC01118 Size: 152627MB BusType: 3
    14:12:34.990 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\2310_001Port4Path0Target0Lun0
    14:12:34.994 Disk 1 Vendor: HPT_____ 4.00 Size: 2861376MB BusType: 1
    14:12:35.006 Disk 0 MBR read successfully
    14:12:35.009 Disk 0 MBR scan
    14:12:35.287 Disk 0 Windows 7 default MBR code
    14:12:35.304 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
    14:12:35.686 Disk 0 scanning sectors +312560640
    14:12:36.042 Disk 0 scanning C:\Windows\system32\drivers
    14:12:48.335 Service scanning
    14:13:06.759 Modules scanning
    14:13:12.797 Disk 0 trace - called modules:
    14:13:13.199 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
    14:13:13.208 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85930400]
    14:13:13.215 3 CLASSPNP.SYS[8760459e] -> nt!IofCallDriver -> [0x85580898]
    14:13:13.224 5 ACPI.sys[872253b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8556d908]
    14:13:13.484 AVAST engine scan C:\Windows
    14:13:15.259 AVAST engine scan C:\Windows\system32
    14:14:54.593 AVAST engine scan C:\Windows\system32\drivers
    14:15:03.426 AVAST engine scan C:\Users\xi
    14:16:10.320 Disk 0 MBR has been saved successfully to "C:\Users\xi\Desktop\MBR.dat"
    14:16:10.331 The log file has been saved successfully to "C:\Users\xi\Desktop\aswMBR.txt"
     
  15. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    You posted aswMBR log instead of Combofix log.

     
  16. kruuth

    kruuth TS Rookie Topic Starter

    ComboFix 12-02-29.01 - xi 02/29/2012 21:45:14.2.1 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.894.388 [GMT -5:00]
    Running from: c:\users\xi\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-01 to 2012-03-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-01 02:50 . 2012-03-01 02:50 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-02-29 00:26 . 2012-02-29 00:26 -------- d-----w- c:\users\xi\dwhelper
    2012-02-27 01:10 . 2012-02-27 01:17 -------- d-----w- c:\users\xi\AppData\Local\Google
    2012-02-27 01:10 . 2012-02-23 16:10 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-02-27 01:10 . 2012-02-23 16:12 337112 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-02-27 01:10 . 2012-02-23 16:10 44376 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-02-27 01:10 . 2012-02-23 16:12 610648 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-02-27 01:10 . 2012-02-23 16:10 57688 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-02-27 01:09 . 2012-02-23 16:23 41184 ----a-w- c:\windows\avastSS.scr
    2012-02-27 01:09 . 2012-02-23 16:23 201352 ----a-w- c:\windows\system32\aswBoot.exe
    2012-02-27 01:08 . 2012-02-27 01:08 -------- d-----w- c:\programdata\AVAST Software
    2012-02-27 01:08 . 2012-02-27 01:08 -------- d-----w- c:\program files\AVAST Software
    2012-02-25 18:16 . 2012-02-25 18:16 -------- d-----w- c:\users\xi\AppData\Roaming\Malwarebytes
    2012-02-25 18:16 . 2012-02-25 18:16 -------- d-----w- c:\programdata\Malwarebytes
    2012-02-25 18:16 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-02-19 05:32 . 2012-02-19 05:32 -------- d-----w- c:\users\xi\AppData\Roaming\UltraVNC
    2012-02-08 16:32 . 2012-02-08 16:32 -------- d-----w- c:\users\xi\AppData\Roaming\Mobile Atlas Creator
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-07 17:35 . 2012-01-07 17:35 24680 ----a-w- c:\windows\system32\mv2.dll
    2012-01-07 17:35 . 2012-01-07 17:35 12904 ----a-w- c:\windows\system32\drivers\mv2.sys
    2012-02-18 03:23 . 2011-09-14 01:41 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2006-05-03 16:06 163328 --sha-r- c:\windows\System32\flvDX.dll
    2007-02-21 17:47 31232 --sha-r- c:\windows\System32\msfDX.dll
    2008-03-16 19:30 216064 --sha-r- c:\windows\System32\nbDX.dll
    2010-01-07 04:00 107520 --sha-r- c:\windows\System32\TAKDSDecoder.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-02-23 16:23 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
    "Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "FileZilla Server Interface"="c:\program files\FileZilla Server\FileZilla Server Interface.exe" [2011-10-23 1044992]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe" [2011-11-13 243360]
    .
    c:\users\xi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    uTorrent - Shortcut.lnk - c:\program files\uTorrent\uTorrent.exe [2011-6-22 740216]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "SoftwareSASGeneration"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
    2006-06-28 09:54 49152 ----a-w- c:\windows\Domino.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Everything]
    2009-03-13 01:18 602624 ----a-w- c:\program files\Everything\Everything.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2011-06-09 05:08 10082920 ------w- c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2011-06-09 17:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2012-02-24 02:47 740216 ----a-w- c:\program files\uTorrent\uTorrent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMSnap3]
    2006-08-30 02:58 49152 ----a-w- c:\windows\VMSnap3.EXE
    .
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-02 136176]
    R2 hptsvr;HighPoint RAID Management Service;c:\program files\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe [2006-09-13 45056]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-07-02 136176]
    R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2011.SP5\RpcAgentSrv.exe [2008-09-19 93848]
    S0 2310_00;2310_00;c:\windows\system32\DRIVERS\2310_00.sys [2009-06-12 135200]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-02-23 57688]
    S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2010-11-09 21992]
    S2 MediaMall Server;MediaMall Server;c:\program files\MediaMall\MediaMallServer.exe [2012-02-10 5106040]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2011-05-19 2016504]
    S3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [2012-01-07 12904]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
    S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2006-04-25 428160]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWMBR
    *NewlyCreated* - TRUESIGHT
    *Deregistered* - aswMBR
    *Deregistered* - MBAMSwissArmy
    *Deregistered* - TrueSight
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-02 13:40]
    .
    2012-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-07-02 13:40]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\xi\AppData\Roaming\Mozilla\Firefox\Profiles\f3ouooqd.default\
    FF - prefs.js: network.proxy.http - 210.101.131.232
    FF - prefs.js: network.proxy.http_port - 8080
    FF - prefs.js: network.proxy.type - 0
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-02-29 21:53:12
    ComboFix-quarantined-files.txt 2012-03-01 02:53
    ComboFix2.txt 2012-03-01 01:09
    .
    Pre-Run: 97,244,176,384 bytes free
    Post-Run: 97,054,826,496 bytes free
    .
    - - End Of File - - 09A14D32C24E6DD909D065E3C8BA0D4B
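
The ComboFix log above carries the two things a responder would look at first for a "plain http://www.google.com is redirected, HTTPS is not" symptom: the Run-key autostarts under "Reg Loading Points" and the Firefox proxy prefs under "Supplementary Scan" (network.proxy.http = 210.101.131.232, port 8080, network.proxy.type = 0). In Firefox, network.proxy.type 0 means "no proxy, connect directly", 1 means "manual proxy", so with type 0 that host entry is inert; the log does not say whether it was 0 when the redirect was occurring. The script below is an added example, not ComboFix's output format documentation or code from anyone in this thread. It parses a log excerpt constructed from the lines quoted above and flags two things: a manual proxy host that is not a local address, and (a heuristic chosen here for illustration, not a claim the thread makes about these particular files) an autostart whose executable lives directly in c:\windows rather than under a program directory.

```python
"""Triage helper for a ComboFix log excerpt (added example, not ComboFix code).

Extracts Run-key autostart entries and Firefox network.proxy.* prefs and
flags the ones a responder would want to look at. The sample log below is
constructed from the values shown in the thread; the "executable directly in
c:\\windows" rule is a triage heuristic, not a verdict on those files."""
import ipaddress
import re

# Constructed excerpt: the relevant lines copied from the ComboFix log above.
SAMPLE_LOG = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-02-23 4031368]
.
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\xi\AppData\Roaming\Mozilla\Firefox\Profiles\f3ouooqd.default\
FF - prefs.js: network.proxy.http - 210.101.131.232
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
"""

RUN_KEY = re.compile(r"^\[(HKEY_[^\]]+\\Run(?:Once)?)\]\s*$")
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([0-9-]+)\s+(\d+)\]')
FF_PREF = re.compile(r"^FF - prefs\.js: (network\.proxy\.\w+) - (.+?)\s*$")

# Meaning of network.proxy.type in Firefox.
PROXY_TYPES = {"0": "direct, no proxy", "1": "manual proxy", "2": "PAC script",
               "4": "auto-detect (WPAD)", "5": "system proxy settings"}


def parse_autostarts(log):
    """Return the name/path/date/size of every value under a ...\\Run[Once] key."""
    entries, key = [], None
    for line in log.splitlines():
        if line.strip() == ".":          # ComboFix separates sections with a lone dot
            key = None
            continue
        m = RUN_KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = RUN_VALUE.match(line)
        if m and key:
            name, path, date, size = m.groups()
            entries.append({"key": key, "name": name, "path": path,
                            "date": date, "size": int(size)})
    return entries


def suspicious_location(path):
    """Heuristic (assumption for this example): an autostart binary sitting
    directly in the Windows root or in a temp folder deserves a closer look."""
    p = path.lower().replace("/", "\\")
    parent = p.rsplit("\\", 1)[0]
    return parent == "c:\\windows" or "\\temp" in parent


def parse_ff_proxy(log):
    """Collect the network.proxy.* prefs ComboFix prints from prefs.js."""
    return {m.group(1): m.group(2)
            for m in (FF_PREF.match(l) for l in log.splitlines()) if m}


def is_local(host):
    """True for loopback, link-local and RFC 1918 addresses (or 'localhost')."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


def assess_proxy(prefs):
    """Turn the proxy prefs into human-readable findings."""
    findings = []
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port", "?")
    ptype = prefs.get("network.proxy.type")
    if host and not is_local(host):
        findings.append(f"network.proxy.http = {host}:{port} points at a non-local address")
    if ptype is not None:
        desc = PROXY_TYPES.get(ptype, "unknown value")
        if ptype == "1":
            findings.append("network.proxy.type is 1 (manual proxy): plain-HTTP traffic "
                            "is routed through the host above; HTTPS is unaffected only "
                            "if no SSL proxy is set")
        elif host:
            findings.append(f"network.proxy.type is {ptype} ({desc}): the manual proxy "
                            "entry is currently inert, but its presence still needs explaining")
    return findings


def triage(log):
    autostarts = parse_autostarts(log)
    return {"autostarts": autostarts,
            "flagged_autostarts": [e for e in autostarts if suspicious_location(e["path"])],
            "proxy_findings": assess_proxy(parse_ff_proxy(log))}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["flagged_autostarts"]:
        print(f"autostart to review: {e['name']} -> {e['path']} ({e['date']}, {e['size']} bytes)")
    for f in result["proxy_findings"]:
        print("proxy:", f)
```

Run it against a full ComboFix log (paste it into SAMPLE_LOG or read a file) and it lists the Run-key entries worth checking and what the Firefox proxy prefs actually mean. Both rules are deliberately conservative: they point at things to verify, not things to delete.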
     
  17. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Looks good.

    How is redirection?
     
  18. kruuth

    kruuth TS Rookie Topic Starter

    Seems to be fixed now. Any idea as to what it was?
     
  19. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    It looks like Combofix fixed something but it didn't say what.
    Good news anyway :)

    Let's run some more checks....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\tasks\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     