TechSpot

Beat Window Repair! Stuck with Random Sound, Google Redirect virus & script errors

Solved
By carlsbad
Apr 13, 2011
Topic Status:
Not open for further replies.
  1. Computer running XP was able to shut down the Windows Repair Virus, but was left with several other problems. Now I have a Random Sound Virus, a Google Redirect Virus and Internet Explorer script errors. Malwarebytes shut down the Windows Repair Virus, but doesn't stop the others. Also tried Ad-Aware and Microsoft Security Essentials. Looks like it keeps disabling MS Essentials. HijackThis sees nothing. What can I do?
  2. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it across a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Mistakes during the cleaning process may have very serious consequences, such as an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    Patience please...

    This may take me a few days. Thank you for your quick response.
    Carl
  4. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Take your time....
  5. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    requested logs...

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6364

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    4/14/2011 4:53:02 PM
    mbam-log-2011-04-14 (16-53-02).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 204851
    Time elapsed: 29 minute(s), 12 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  6. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    logs

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-04-14 21:18:19
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800AAJS-60WAA0 rev.58.01D58
    Running: 3235yf8f.exe; Driver: C:\DOCUME~1\Parent\LOCALS~1\Temp\awkyykoc.sys
  7. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    log continued

    .text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 003B015C
    .text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 003B0198
    .text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 003B0030
    .text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 003B006C
    .text C:\WINDOWS\Explorer.EXE[1816] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003B00A8
    .text C:\WINDOWS\Explorer.EXE[1816] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003C00E4
    .text C:\WINDOWS\Explorer.EXE[1816] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003C0120
    .text C:\WINDOWS\Explorer.EXE[1816] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003C00A8
    .text C:\WINDOWS\Explorer.EXE[1816] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003C0030
    .text C:\WINDOWS\Explorer.EXE[1816] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003C006C
    .text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!HttpAddRequestHeadersA 3D94CF46 5 Bytes JMP 009D164F
    .text C:\WINDOWS\Explorer.EXE[1816] WININET.dll!HttpAddRequestHeadersW 3D94FE49 5 Bytes JMP 009D1817
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
    .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[2164] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
    .text C:\WINDOWS\system32\svchost.exe[2180] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[2180] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[2180] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[2180] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[2180] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[2180] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[2180] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[2180] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\svchost.exe[2340] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[2340] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[2340] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[2340] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[2340] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[2340] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[2340] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[2340] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00150030
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0015006C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 003901D4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 003900E4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 00390120
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 0039015C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 00390198
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 00390030
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 0039006C
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 003900A8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 003A00E4
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 003A0120
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 003A00A8
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 003A0030
    .text C:\Program Files\Java\jre6\bin\jqs.exe[2384] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 003A006C
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 000A0030
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 000A006C
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
    .text C:\WINDOWS\system32\wuauclt.exe[2468] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\wuauclt.exe[2468] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4
    .text C:\WINDOWS\system32\wuauclt.exe[2468] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0120
    .text C:\WINDOWS\system32\wuauclt.exe[2468] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D00A8
    .text C:\WINDOWS\system32\wuauclt.exe[2468] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D0030
    .text C:\WINDOWS\system32\wuauclt.exe[2468] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D006C
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002D01D4
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002D00E4
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002D0120
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002D015C
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002D0198
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002D0030
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002D006C
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002D00A8
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002E00E4
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002E0120
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002E00A8
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002E0030
    .text C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe[2504] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002E006C
    .text C:\WINDOWS\system32\svchost.exe[2692] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
    .text C:\WINDOWS\system32\svchost.exe[2692] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002B01D4
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002B0120
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002B015C
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002B0198
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002B0030
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002B006C
    .text C:\WINDOWS\system32\svchost.exe[2692] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\system32\svchost.exe[2692] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\system32\svchost.exe[2692] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0120
    .text C:\WINDOWS\system32\svchost.exe[2692] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C00A8
    .text C:\WINDOWS\system32\svchost.exe[2692] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C0030
    .text C:\WINDOWS\system32\svchost.exe[2692] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C006C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00080030
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0008006C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0120
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D00A8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D0030
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2720] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D006C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00080030
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0008006C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002D00E4
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002D0120
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002D00A8
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002D0030
    .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3204] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002D006C
    .text C:\WINDOWS\System32\alg.exe[3468] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00090030
    .text C:\WINDOWS\System32\alg.exe[3468] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 0009006C
    .text C:\WINDOWS\System32\alg.exe[3468] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002B00E4
    .text C:\WINDOWS\System32\alg.exe[3468] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002B0120
    .text C:\WINDOWS\System32\alg.exe[3468] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002B00A8
    .text C:\WINDOWS\System32\alg.exe[3468] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002B0030
    .text C:\WINDOWS\System32\alg.exe[3468] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002B006C
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!SetServiceObjectSecurity 77E36D81 5 Bytes JMP 002C01D4
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!ChangeServiceConfigA 77E36E69 5 Bytes JMP 002C00E4
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!ChangeServiceConfigW 77E37001 5 Bytes JMP 002C0120
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!ChangeServiceConfig2A 77E37101 5 Bytes JMP 002C015C
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!ChangeServiceConfig2W 77E37189 5 Bytes JMP 002C0198
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!CreateServiceA 77E37211 5 Bytes JMP 002C0030
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!CreateServiceW 77E373A9 5 Bytes JMP 002C006C
    .text C:\WINDOWS\System32\alg.exe[3468] ADVAPI32.dll!DeleteService 77E374B1 5 Bytes JMP 002C00A8

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[1020] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00650002
    IAT C:\WINDOWS\system32\services.exe[1020] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00650000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:128] 84CFCE84
    Thread System [4:132] 84CFF084

    ---- EOF - GMER 1.0.15 ----
  8. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    log

    .
    ==== Installed Programs ======================
    .
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 8.2.6
    Adobe Shockwave Player 11.5
    Agere Systems PCI-SV92PP Soft Modem
    ALT Access
    Apple Software Update
    Arthur's 1st Grade
    Arthur's Camping Adventure
    Arthur's Kindergarten
    Arthur's Math Games
    Arthur's Reading Games
    Arthur's Reading Race
    Arthur's Thinking Games
    ATI Display Driver
    avast! Free Antivirus
    Bots of Fun - 10 Great Robots Games!
    BufferChm
    CustomerResearchQFolder
    D4200
    D4200_Help
    DeviceDiscovery
    DeviceManagementQFolder
    dj_sf_ProductContext
    dj_sf_software
    dj_sf_software_req
    Dora's World Adventure
    Dora Backpack
    eSupportQFolder
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    HiJackThis
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    HP Customer Participation Program 9.0
    HP Deskjet Printer Driver Software 9.0
    HP Imaging Device Functions 9.0
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Smart Web Printing
    HP Solution Center 9.0
    HP Update
    HPProductAssistant
    HPSSupply
    Instant Wireless Compact USB Adapter Configuration Utility
    J2SE Runtime Environment 5.0 Update 12
    Java 2 Runtime Environment, SE v1.4.2_07
    Java Auto Updater
    Java(TM) 6 Update 2
    Java(TM) 6 Update 23
    Julie Saves the Eagles (remove only)
    JumpStart Advanced Kindergarten
    Local Website Archive 3.1.1
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    MarketResearch
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Default Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Search Enhancement Pack
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSN Toolbar
    MSN Toolbar Platform
    MyDSC2
    Norton Security Scan
    PanoStandAlone
    PSSWCORE
    QuickTime
    Rainbow Fish
    Reader Rabbit Personalized 2nd Grade
    RealPlayer
    Realtek High Definition Audio Driver
    Scooby-Doo(TM), Jinx At The Sphinx(TM)
    Scooby-Doo(TM), Phantom of the Knight(TM)
    Scooby-Doo(TM), Showdown in Ghost Town(TM)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Slot Car Racing
    SolutionCenter
    Status
    Toolbox
    Toy Story 2 Activity Center
    TrayApp
    Unity Web Player
    UnloadSupport
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VideoToolkit01
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Visual C++ 8.0 x86 Runtime Setup Package
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Live installer
    Windows Live Mail
    Windows Live OneCare safety scanner
    Windows XP Service Pack 3
    .
    ==== End Of File ===========================
  9. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    log

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Parent at 21:26:13.90 on Thu 04/14/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_12
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Parent\My Documents\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0417.0\mswinext.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179847293578
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Notify: AtiExtEvent - Ati2evxx.dll
    LSA: Notification Packages = :\WINDOW scecli
    .
    ============= SERVICES / DRIVERS ===============
    .
    R? gupdate;Google Update Service (gupdate)
    R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
    R? Lavasoft Kernexplorer;Lavasoft helper driver
    R? MfeRKDK;McAfee Inc. MfeRKDK
    R? MpKsl0880951c;MpKsl0880951c
    R? MpKsl220bf6b1;MpKsl220bf6b1
    R? MpKsl410b4a1e;MpKsl410b4a1e
    R? MpKsl4ad2c2ce;MpKsl4ad2c2ce
    R? MpKsl60c5c3e1;MpKsl60c5c3e1
    R? MpKsl8efd0456;MpKsl8efd0456
    R? MpKsld1cd1d70;MpKsld1cd1d70
    R? WUSB12;Instant Wireless Compact USB Adapter Driver
    R? ZULNDSHL;ZULNDSHL
    S? aswFsBlk;aswFsBlk
    S? aswSnx;aswSnx
    S? aswSP;aswSP
    S? avast! Antivirus;avast! Antivirus
    S? Lbd;Lbd
    S? MpFilter;Microsoft Malware Protection Driver
    S? MpKsla456af21;MpKsla456af21
    S? MpKsle4db42a4;MpKsle4db42a4
    .
    =============== Created Last 30 ================
    .
    2011-04-14 23:18:16 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{207f9b5b-0264-4697-9f6a-0ca78606f33a}\MpKsle4db42a4.sys
    2011-04-14 23:17:51 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{207f9b5b-0264-4697-9f6a-0ca78606f33a}\mpengine.dll
    2011-04-14 18:52:50 -------- d-----w- c:\program files\common files\Symantec Shared
    2011-04-14 16:51:24 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-04-14 16:50:38 40648 ----a-w- c:\windows\avastSS.scr
    2011-04-14 16:50:18 -------- d-----w- c:\program files\AVAST Software
    2011-04-14 16:50:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
    2011-04-12 21:15:31 388096 ----a-r- c:\docume~1\parent\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-04-04 11:17:25 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-04-04 04:06:55 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-04-04 04:06:42 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-04-04 04:00:07 -------- d-----w- c:\docume~1\parent\locals~1\applic~1\Sunbelt Software
    2011-04-04 03:44:38 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
    2011-04-04 03:42:39 -------- d-----w- c:\program files\Lavasoft
    2011-04-03 22:10:54 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2011-04-03 22:04:29 -------- d-----w- c:\program files\Microsoft Security Client
    2011-04-03 03:13:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-03 03:13:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-03 03:05:16 -------- d-----w- c:\documents and settings\all users\Uniblue
    2011-04-02 22:03:52 -------- d--h--w- c:\docume~1\parent\locals~1\applic~1\PackageAware
    2011-04-01 16:18:12 4224 ---ha-w- c:\windows\system32\beep.sys
    2011-04-01 01:30:43 -------- d--h--w- C:\ca7a77c2a8b4afc14cc4c4
    2011-04-01 01:19:36 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-03-31 23:34:10 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-03-21 18:49:54 -------- d--h--w- c:\docume~1\parent\applic~1\Unity
    2011-03-21 18:39:31 -------- d--h--w- c:\docume~1\parent\locals~1\applic~1\Unity
    2011-03-21 18:32:49 1409 ---ha-w- c:\windows\QTFont.for
    2011-03-21 18:32:04 -------- d--h--w- c:\program files\Blaster
    2011-03-18 17:17:48 -------- d--h--w- c:\program files\Infogrames Interactive
    .
    ==================== Find3M ====================
    .
    2011-01-23 20:15:47 73728 ---ha-w- c:\windows\system32\javacpl.cpl
    2011-01-23 20:15:46 472808 ---ha-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 21:27:31.28 ===============
  10. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    I can see two AV programs installed, Avast and Microsoft Security Essentials.
    One of them has to go.
    Your choice.

    =================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
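Broni reads the DDS log above for two things: which security products have a service running, and which service entries deserve a second look. As an added example (not part of this thread, nor code from DDS, ComboFix or any other tool named here), the Python below parses service lines in the format DDS and ComboFix print and flags entries whose file could not be found or whose image sits in a Temp directory. The Temp-directory heuristic and the process-to-product map are assumptions of the example, and a flagged entry is only a candidate for review, not a verdict.

```python
"""Triage of service/driver lines from DDS and ComboFix logs (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches both the DDS form ("R? name;display") and the ComboFix form
# ("R4 name;display;path [x]" or "... [date size]") seen in this thread's logs.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4?])\s+"   # R = running, S = stopped; start type ('?' in DDS)
    r"(?P<name>[^;]+);(?P<display>[^;]*)"     # service name;display name
    r"(?:;(?P<path>.*?))?"                    # ComboFix appends ;image path
    r"\s*(?:\[(?P<tag>x|[^\]]*)\])?\s*$"      # [x] = file not found, otherwise [date size]
)

# Assumption of this example (not a ComboFix rule): a service whose image sits in a
# Temp directory deserves a second look, since installers put services under
# Program Files or the Windows directory.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Assumed map of security-product service processes to product names; the DDS
# "Running Processes" list in this thread shows both of these executables.
AV_PROCESSES = {
    "msmpeng.exe": "Microsoft Security Essentials",
    "avastsvc.exe": "avast!",
}


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for lines in any other format."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = ServiceEntry(
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        running=m.group("state") == "R",
        path=(m.group("path") or "").strip() or None,
    )
    if m.group("tag") == "x":
        entry.flags.append("file-not-found")
    if entry.path and TEMP_DIR_RE.search(entry.path):
        entry.flags.append("temp-dir")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return every parsed entry that carries at least one flag, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and entry.flags:
            flagged.append(entry)
    return flagged


def installed_av(process_lines: List[str]) -> List[str]:
    """Name the security products whose service process appears in a DDS process list."""
    found: List[str] = []
    for line in process_lines:
        exe = line.strip().rsplit("\\", 1)[-1].split(" ")[0].lower()
        product = AV_PROCESSES.get(exe)
        if product and product not in found:
            found.append(product)
    return found


# Sample lines taken from the DDS and ComboFix logs in this thread, plus one
# non-service line to show that the parser skips it.
SAMPLE_LOG = r"""
R? gupdate;Google Update Service (gupdate)
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
R4 ZULNDSHL;ZULNDSHL;c:\docume~1\Parent\LOCALS~1\Temp\ZULNDSHL.exe [x]
S1 aswSP;aswSP; [x]
S3 WUSB12;Instant Wireless Compact USB Adapter Driver;c:\windows\system32\DRIVERS\LSWLUSB.sys [2002-06-07 54083]
Contents of the 'Scheduled Tasks' folder
"""

# Process lines taken from the DDS "Running Processes" section in this thread.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\Ati2evxx.exe",
    r"c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe",
    r"C:\Program Files\AVAST Software\Avast\AvastSvc.exe",
    r"C:\WINDOWS\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    print("Security products with a running service:", installed_av(SAMPLE_PROCESSES))
    for e in triage(SAMPLE_LOG):
        print(f"{e.name:<10} {'running' if e.running else 'stopped':<8} "
              f"{e.path or '(no path)'}  flags={e.flags}")
```

The avast! entry is listed only because ComboFix recorded no image path for it, which is why a human still reads each flagged line.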
  11. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    Script blocking

    How do you disable script blocking?
    Thank you for your time on this!
  12. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Judging from your logs, you don't have any script blocking programs.
  13. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    more logs

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000000c

    Kernel Drivers (total 120):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF7B5E000 \WINDOWS\system32\KDCOM.DLL
    0xF7A6E000 \WINDOWS\system32\BOOTVID.dll
    0xF752F000 ACPI.sys
    0xF7B60000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF751E000 pci.sys
    0xF765E000 isapnp.sys
    0xF7C26000 pciide.sys
    0xF78DE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF766E000 MountMgr.sys
    0xF74FF000 ftdisk.sys
    0xF7B62000 dmload.sys
    0xF74D9000 dmio.sys
    0xF78E6000 PartMgr.sys
    0xF767E000 VolSnap.sys
    0xF74C1000 atapi.sys
    0xF768E000 disk.sys
    0xF769E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF74A1000 fltmgr.sys
    0xF748F000 sr.sys
    0xF76AE000 Lbd.sys
    0xF7478000 KSecDD.sys
    0xF73EB000 Ntfs.sys
    0xF73BE000 NDIS.sys
    0xF73A4000 Mup.sys
    0xF6E73000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF6E5F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF6E35000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xF775E000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF776E000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF6E12000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7946000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF6DEE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF794E000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6DC6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF777E000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7956000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF795E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF6DB2000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF778E000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF7B12000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7966000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF6C99000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7BB6000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF796E000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF779E000 \SystemRoot\system32\DRIVERS\processr.sys
    0xF7B1A000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7D83000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF77AE000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7B2E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF6C82000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF77BE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF77CE000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7976000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF6C71000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF77DE000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF797E000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7986000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF6C41000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF77EE000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7BC2000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6BE3000 \SystemRoot\system32\DRIVERS\update.sys
    0xF6FE7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF781E000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF783E000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF1B54000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF1A1A000 \SystemRoot\system32\drivers\portcls.sys
    0xF774E000 \SystemRoot\system32\drivers\drmk.sys
    0xED7FD000 \SystemRoot\system32\DRIVERS\LSWLUSB.sys
    0xF7B94000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7CA6000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7B96000 \SystemRoot\System32\Drivers\Beep.SYS
    0xEE2FE000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xEE2F6000 \SystemRoot\System32\drivers\vga.sys
    0xED023000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xED021000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xEE2EE000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xEE2E6000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF0D4F000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xEC9E4000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xEC98B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xED7ED000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xEE629000 \SystemRoot\system32\drivers\mfetdik.sys
    0xEC965000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xEC93D000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEE2DE000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xEC91B000 \SystemRoot\System32\drivers\afd.sys
    0xEE619000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xEC8F0000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xEC880000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xEE31E000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{207F9B5B-0264-4697-9F6A-0CA78606F33A}\MpKsle4db42a4.sys
    0xEE699000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xEE689000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEF9E3000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xEF985000 \SystemRoot\System32\Drivers\aswSnx.SYS
    0xEE41E000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xEF178000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEC868000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xEED9C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xECDD2000 \SystemRoot\System32\drivers\Dxapi.sys
    0xEEA17000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7D60000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF054000 \SystemRoot\System32\ati2cqag.dll
    0xBF08E000 \SystemRoot\System32\atikvmag.dll
    0xBF0C4000 \SystemRoot\System32\ati3duag.dll
    0xBF32B000 \SystemRoot\System32\ativvaxx.dll
    0xECA23000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xEE470000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB8799000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xB857C000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF76EE000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB83BF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xEF21C000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB8228000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB7915000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 32):
    0 System Idle Process
    4 System
    892 C:\WINDOWS\system32\smss.exe
    948 csrss.exe
    976 C:\WINDOWS\system32\winlogon.exe
    1020 C:\WINDOWS\system32\services.exe
    1032 C:\WINDOWS\system32\lsass.exe
    1200 C:\WINDOWS\system32\ati2evxx.exe
    1224 C:\WINDOWS\system32\svchost.exe
    1272 svchost.exe
    1348 C:\WINDOWS\system32\svchost.exe
    1484 svchost.exe
    1580 svchost.exe
    1872 C:\WINDOWS\system32\ati2evxx.exe
    2000 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    256 C:\WINDOWS\explorer.exe
    684 C:\Program Files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe
    772 C:\Program Files\AVAST Software\Avast\AvastUI.exe
    796 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    328 C:\WINDOWS\system32\spoolsv.exe
    1164 svchost.exe
    1656 C:\WINDOWS\system32\svchost.exe
    1780 C:\Program Files\Java\jre6\bin\jqs.exe
    2124 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2400 C:\WINDOWS\system32\svchost.exe
    2516 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    2828 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    3368 alg.exe
    3736 C:\WINDOWS\system32\wuauclt.exe
    1588 C:\Program Files\Internet Explorer\iexplore.exe
    2660 C:\Program Files\Internet Explorer\iexplore.exe
    1036 C:\Documents and Settings\Parent\My Documents\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800AAJS-60WAA0, Rev: 58.01D58

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
  14. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    more logs

    ComboFix 11-04-14.03 - Parent 04/15/2011 12:14:26.1.1 - x86
    Running from: c:\documents and settings\Parent\My Documents\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Parent\Start Menu\Programs\Windows Repair
    c:\documents and settings\Parent\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
    c:\documents and settings\Parent\Start Menu\Programs\Windows Repair\Windows Repair.lnk
    c:\documents and settings\Parent\WINDOWS
    c:\hijackthis\HIJACKTHIS.exe
    .
    Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-14 18:52 . 2011-04-14 19:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2011-04-14 16:51 . 2011-02-23 13:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-04-14 16:51 . 2011-02-23 13:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-04-14 16:51 . 2011-02-23 13:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-04-14 16:51 . 2011-02-23 13:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-04-14 16:51 . 2011-02-23 13:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-04-14 16:51 . 2011-02-23 13:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-04-14 16:51 . 2011-02-23 13:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-04-14 16:51 . 2011-02-23 13:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-04-14 16:50 . 2011-02-23 14:04 40648 ----a-w- c:\windows\avastSS.scr
    2011-04-14 16:50 . 2011-02-23 14:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-04-14 16:50 . 2011-04-14 16:50 -------- d-----w- c:\program files\AVAST Software
    2011-04-14 16:50 . 2011-04-14 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-04-12 21:15 . 2011-04-12 21:15 388096 ----a-r- c:\documents and settings\Parent\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-04-04 11:17 . 2011-04-07 07:59 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-04-04 04:06 . 2011-04-01 07:22 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-04-04 04:06 . 2011-04-04 04:06 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-04-04 04:00 . 2011-04-04 04:00 -------- d-----w- c:\documents and settings\Parent\Local Settings\Application Data\Sunbelt Software
    2011-04-04 03:44 . 2011-04-04 03:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
    2011-04-04 03:42 . 2011-04-04 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-04-04 03:42 . 2011-04-04 03:42 -------- d-----w- c:\program files\Lavasoft
    2011-04-03 03:13 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-03 03:13 . 2011-04-03 03:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-03 03:05 . 2011-04-03 03:05 -------- d-----w- c:\documents and settings\All Users\Uniblue
    2011-04-02 22:03 . 2011-04-02 22:03 -------- d--h--w- c:\documents and settings\Parent\Local Settings\Application Data\PackageAware
    2011-04-01 16:37 . 2011-04-04 16:49 -------- d--h--w- c:\program files\Windows Live Safety Center
    2011-04-01 16:18 . 2002-12-31 12:00 4224 ---ha-w- c:\windows\system32\beep.sys
    2011-04-01 01:30 . 2011-04-01 01:31 -------- d--h--w- C:\ca7a77c2a8b4afc14cc4c4
    2011-04-01 01:19 . 2011-04-01 01:19 -------- d--h--w- c:\windows\system32\GroupPolicy
    2011-03-31 23:34 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-03-21 18:49 . 2011-03-21 18:49 -------- d--h--w- c:\documents and settings\Parent\Application Data\Unity
    2011-03-21 18:39 . 2011-03-21 18:39 -------- d--h--w- c:\documents and settings\Parent\Local Settings\Application Data\Unity
    2011-03-21 18:32 . 2011-03-21 18:32 1409 ---ha-w- c:\windows\QTFont.for
    2011-03-21 18:32 . 2011-03-21 18:32 -------- d--h--w- c:\program files\Blaster
    2011-03-18 17:17 . 2011-03-18 17:17 -------- d--h--w- c:\program files\Infogrames Interactive
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-23 20:15 . 2008-08-30 15:09 73728 ---ha-w- c:\windows\system32\javacpl.cpl
    2011-01-23 20:15 . 2011-01-23 20:16 472808 ---ha-w- c:\windows\system32\deployJava1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-12 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-25 180269]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
    "MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0417.0\mswinext.exe" [2010-07-06 240480]
    "Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017
    .
    3;2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
    R1 MpKsl0880951c;MpKsl0880951c;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DCF2D3AA-02E6-4C66-A278-535556FCAB15}\MpKsl0880951c.sys [x]
    R1 MpKsl220bf6b1;MpKsl220bf6b1;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12E0912F-7805-4375-9D63-66459C119050}\MpKsl220bf6b1.sys [x]
    R1 MpKsl410b4a1e;MpKsl410b4a1e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12E0912F-7805-4375-9D63-66459C119050}\MpKsl410b4a1e.sys [x]
    R1 MpKsl4ad2c2ce;MpKsl4ad2c2ce;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{0B11DBB3-7A29-4226-9ACF-0AA015CCE8D3}\MpKsl4ad2c2ce.sys [x]
    R1 MpKsl60c5c3e1;MpKsl60c5c3e1;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DCF2D3AA-02E6-4C66-A278-535556FCAB15}\MpKsl60c5c3e1.sys [x]
    R1 MpKsl8efd0456;MpKsl8efd0456;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E652C3C9-B2F7-499E-853B-071F3CEAFE66}\MpKsl8efd0456.sys [x]
    R1 MpKsla456af21;MpKsla456af21;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{807DAD6B-20F4-490D-8D24-D045AC1C9AC8}\MpKsla456af21.sys [x]
    R1 MpKsld1cd1d70;MpKsld1cd1d70;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12E0912F-7805-4375-9D63-66459C119050}\MpKsld1cd1d70.sys [x]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [2011-04-01 15232]
    R4 ZULNDSHL;ZULNDSHL;c:\docume~1\Parent\LOCALS~1\Temp\ZULNDSHL.exe [x]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-04-01 64512]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S3 WUSB12;Instant Wireless Compact USB Adapter Driver;c:\windows\system32\DRIVERS\LSWLUSB.sys [2002-06-07 54083]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-04-01 13:34]
    .
    2011-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]
    .
    2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:45]
    .
    2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 20:45]
    .
    2011-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322712386-359561344-2389969595-1003Core.job
    - c:\documents and settings\Parent\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-19 20:45]
    .
    2011-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2322712386-359561344-2389969595-1003UA.job
    - c:\documents and settings\Parent\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-19 20:45]
    .
    2011-04-14 c:\windows\Tasks\Norton Security Scan for Parent.job
    - c:\program files\Norton Security Scan\Norton Security Scan\Engine\3.0.1.8\Nss.exe [2011-01-30 14:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    AddRemove-Scooby-Doo(TM), Jinx At The Sphinx(TM) - c:\program files\The Learning Company\Scooby-Doo(TM)
    AddRemove-Scooby-Doo(TM), Phantom of the Knight(TM) - c:\program files\The Learning Company\Scooby-Doo(TM)
    AddRemove-Scooby-Doo(TM), Showdown in Ghost Town(TM) - c:\program files\The Learning Company\Scooby-Doo(TM)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-15 12:35
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(940)
    c:\windows\system32\Ati2evxx.dll
    .
    - - - - - - - > 'explorer.exe'(3484)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-04-15 12:40:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-04-15 16:40
    .
    Pre-Run: 62,721,605,632 bytes free
    Post-Run: 62,667,304,960 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 6B121613F47997232D0963455983E512
  15. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    I can see two AV programs installed, Microsoft Security Essentials and Avast.
    One of them has to go.
    Your choice.

    ====================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\docume~1\Parent\LOCALS~1\Temp\ZULNDSHL.exe
    
    Driver::
    ZULNDSHL
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  16. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    New Combofix log...You are awesome!

    ComboFix 11-04-14.03 - Parent 04/15/2011 16:04:14.2.1 - x86
    Running from: C:\Documents and Settings\Parent\My Documents\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Parent\Desktop\CFScript.txt

    FILE ::
    "c:\docume~1\Parent\LOCALS~1\Temp\ZULNDSHL.exe"


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system\oeminfo.ini
    C:\WINDOWS\system32\AutoRun.inf


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ZULNDSHL
    -------\Service_ZULNDSHL
  17. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    It's incomplete.
  18. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    What do I do?

    I don't see any other info on the log. There is a Combofix.txt and a Combofix2.txt. I posted all the info on Combofix.txt.
  19. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    Please, re-run it.
  20. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    Do I run it using the CFScript.txt above or just normally?
  21. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    With the script.
  22. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    I am getting an error message. It reads:
    NirCmd.cfxxe - Unable to Locate Compound
    This application has failed to start because ScrRun.dll was not found. Re-installing the application may fix this problem.
    I clicked okay and program appears to be running. Creating a restore point.

    I'll post log when it is finished. Thank you.
  23. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    OK :).............
  24. carlsbad

    carlsbad TS Rookie Topic Starter Posts: 24

    The program seemed to run, then the same error message popped up three times. It said "unable to locate Component", not Compound. This time it came up while the program was Preparing Log Report.
  25. Broni

    Broni Malware Annihilator Posts: 46,797   +254

    That's fine....