Bot infection, multiple viruses

Re: Bot infection, multiple viruses

Post by jmw3 » August 18th, 2010, 2:35 am

Hi

Leave it for a bit longer. That file you mentioned is rootkit related, so could be causing the problem.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Post by ihisatsu » August 18th, 2010, 8:30 pm

By "a bit" I assumed you meant 16 hrs. Still black screen, nothing displaying, monitor and hdd lights are green and functioning normally.
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut

Re: Bot infection, multiple viruses

Post by jmw3 » August 18th, 2010, 8:33 pm

OK, reboot your computer, back to Normal Mode. Once that's done could you run Gmer again & post its log please.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Post by ihisatsu » August 19th, 2010, 1:21 am

I rebooted back to normal mode, where Combofix decided to prepare its log (finally). Here it is.

ComboFix 10-08-16.04 - Adam 08/18/2010 0:05.3.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1427 [GMT -6:00]
Running from: c:\users\Adam\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\driVERs\jcbggfvh.sys . . . . failed to delete

Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_jcbggfvh
-------\Service_jcbggfvh


((((((((((((((((((((((((( Files Created from 2010-07-19 to 2010-08-19 )))))))))))))))))))))))))))))))
.

2010-08-18 06:16 . 2010-08-19 03:06 -------- d-----w- c:\users\Adam\AppData\Local\temp
2010-08-18 06:16 . 2010-08-18 06:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-18 06:04 . 2010-08-18 06:04 -------- d-----w- C:\32788R22FWJFW
2010-08-15 19:24 . 2010-08-15 19:24 -------- d-----w- C:\rsit
2010-07-31 21:55 . 2006-11-02 09:39 15821312 ----a-w- c:\windows\system32\imageres.dll
2010-07-31 21:49 . 2010-07-31 21:49 -------- dc----w- c:\programdata\{CFA6F4AE-B6D4-4F71-BBA4-ACFE805E7214}
2010-07-30 03:12 . 2010-07-30 03:20 -------- d-----w- C:\AdobeTemp
2010-07-29 18:17 . 2010-07-29 18:17 -------- d-----w- c:\users\Adam\AppData\Local\VS Revo Group
2010-07-29 18:17 . 2009-12-30 18:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-07-29 18:17 . 2010-07-29 18:17 -------- d-----w- c:\program files\VS Revo Group
2010-07-28 23:50 . 2010-07-28 23:50 -------- d-----w- c:\program files\Sophos
2010-07-28 00:21 . 2010-07-28 00:21 -------- d-----w- c:\users\Adam\AppData\Local\Mozilla
2010-07-27 19:36 . 2010-07-28 23:39 -------- d-----w- C:\TDSSKiller_Quarantine
2010-07-27 19:05 . 2008-03-02 09:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-07-27 19:03 . 2010-07-27 19:04 -------- d-----w- c:\program files\Trend Micro
2010-07-27 05:08 . 2010-07-27 05:08 -------- d-----w- c:\users\Adam\AppData\Roaming\Malwarebytes
2010-07-27 05:08 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 05:08 . 2010-07-27 05:08 -------- d-----w- c:\programdata\Malwarebytes
2010-07-27 05:08 . 2010-07-27 05:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 05:08 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-25 17:45 . 2010-06-17 20:49 45072 ----a-w- c:\windows\system32\drivers\ssfmonm.sys
2010-07-25 17:36 . 2010-07-25 17:36 -------- dc-h--w- c:\programdata\{9A82E8DE-6B96-49B5-BA94-0EF3E3DE16D3}
2010-07-25 17:35 . 2010-07-31 01:23 -------- d-----w- c:\programdata\webroot
2010-07-22 18:00 . 2010-07-27 07:30 -------- d-----w- c:\programdata\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-19 03:04 . 2010-05-30 16:47 34805 ----a-w- c:\programdata\nvModes.dat
2010-08-17 04:19 . 2008-11-28 02:22 -------- d-----w- c:\users\Adam\AppData\Roaming\uTorrent
2010-08-17 04:18 . 2009-01-05 01:05 -------- d-----w- c:\users\Adam\AppData\Roaming\Skype
2010-08-17 04:17 . 2009-01-05 01:06 -------- d-----w- c:\users\Adam\AppData\Roaming\skypePM
2010-08-14 01:10 . 2008-11-28 01:43 118064 ----a-w- c:\users\Adam\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-13 00:37 . 2009-10-03 20:41 -------- d-----w- c:\program files\Microsoft
2010-08-12 23:17 . 2008-12-08 22:37 -------- d-----w- c:\programdata\Microsoft Help
2010-08-12 23:17 . 2008-12-09 03:30 -------- d-----w- c:\program files\Microsoft.NET
2010-08-12 23:16 . 2006-11-02 12:37 -------- d-----w- c:\program files\MSBuild
2010-08-10 02:09 . 2010-04-11 22:20 -------- d--h--w- c:\programdata\{358E2726-5129-4614-9175-3CAA96153DFA}
2010-08-10 02:09 . 2010-03-29 03:51 -------- d-----w- c:\program files\Common Files\Stardock
2010-07-31 21:50 . 2010-03-29 03:38 -------- d-----w- c:\program files\Stardock
2010-07-30 03:36 . 2008-11-29 21:21 -------- d-----w- c:\program files\EA GAMES
2010-07-30 03:17 . 2008-03-20 07:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-29 00:05 . 2009-01-04 21:24 -------- d-----w- c:\program files\MagicDisc
2010-07-29 00:04 . 2008-03-20 07:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-28 23:59 . 2008-12-11 16:55 -------- d-----w- c:\program files\Common Files\Motorola Shared
2010-07-28 23:48 . 2009-02-24 07:20 -------- d-----w- c:\program files\Rising Research
2010-07-28 23:48 . 2009-07-16 00:37 -------- d-----w- c:\program files\Audiosurf
2010-07-28 01:40 . 2010-07-06 03:34 -------- d-----w- c:\program files\The Wonderful End of the World
2010-07-28 01:39 . 2009-02-22 02:20 -------- d-----w- c:\users\Adam\AppData\Roaming\Red Kawa
2010-07-28 01:38 . 2008-12-07 22:06 -------- d-----w- c:\program files\Xilisoft
2010-07-27 04:05 . 2008-12-07 03:55 -------- d-----w- c:\program files\Thoosje Vista Tweaker
2010-07-27 04:04 . 2009-01-16 02:14 -------- d-----w- c:\program files\NCH Swift Sound
2010-07-27 04:03 . 2009-06-23 01:42 -------- d-----w- c:\program files\MobMapUpdater
2010-07-27 04:03 . 2009-06-27 22:47 -------- d-----w- c:\program files\Graboid
2010-07-27 03:45 . 2008-01-21 02:23 34360 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-07-27 01:20 . 2009-01-16 02:19 -------- d-----w- c:\programdata\NCH Swift Sound
2010-07-27 01:20 . 2009-01-16 02:19 -------- d-----w- c:\users\Adam\AppData\Roaming\NCH Swift Sound
2010-07-26 18:40 . 2008-11-28 02:08 2708 ----a-w- c:\users\Adam\AppData\Local\d3d9caps.dat
2010-07-25 17:49 . 2009-02-08 22:23 -------- d-----w- c:\program files\Webroot
2010-07-25 17:17 . 2008-11-28 02:38 -------- d-----w- c:\programdata\Google Updater
2010-07-22 03:30 . 2008-11-28 02:38 -------- d-----w- c:\program files\Google
2010-07-15 09:15 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-12 05:58 . 2008-03-20 07:34 -------- d-----w- c:\programdata\WildTangent
2010-07-12 04:39 . 2008-11-28 07:42 -------- d-----w- c:\program files\WildGames
2010-07-11 01:11 . 2008-12-10 06:24 -------- d-----w- c:\program files\THQ
2010-07-11 01:08 . 2009-01-21 06:18 -------- d-----w- c:\users\Adam\AppData\Roaming\RiffTrax
2010-07-08 05:47 . 2010-07-08 05:47 -------- d-----w- c:\programdata\The Game Equation
2010-07-02 17:23 . 2008-11-28 07:06 -------- d-----w- c:\program files\iTunes
2010-07-02 17:21 . 2010-07-02 17:21 -------- d-----w- c:\program files\iPod
2010-07-02 17:21 . 2008-11-28 07:01 -------- d-----w- c:\program files\Common Files\Apple
2010-07-02 17:07 . 2010-07-02 17:07 -------- d-----w- c:\program files\Bonjour
2010-06-21 01:50 . 2010-03-22 00:14 -------- d-----w- c:\program files\Garmin GPS Plugin
2010-06-20 04:18 . 2010-06-20 04:18 -------- d-----w- c:\program files\Raven
2010-06-17 20:49 . 2009-11-06 19:00 24496 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2010-06-17 20:49 . 2009-11-06 19:00 182056 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2010-06-08 00:44 . 2010-06-08 00:44 92 ----a-w- c:\users\Adam\AppData\Local\fusioncache.dat
2010-05-26 17:06 . 2010-06-11 01:59 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 01:59 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 20:14 . 2009-10-02 21:37 221568 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-24 39408]
"Google Update"="c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-01-24 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2010-05-04 13312]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"EKIJ5000StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-07-31 1626112]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
"MyGarminAgent"="c:\program files\Garmin\MyGarminAgent.exe" [2009-06-17 331776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-23 30192]
"WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-07-19 1266336]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-04 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-04 13683816]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

c:\users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Impulse Now.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2010-3-17 471040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{1984D045-52CF-49cd-DB77-08F378FEA4DB}"= "c:\program files\Stardock\ObjectDockPlus2\ODMenu.dll" [2010-03-24 511344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GO333C~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\F:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e7,fc,7b,ce,88,34,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 133104]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-07-23 30192]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\EDA5.tmp [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-11 42112]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [2009-12-30 27192]
R3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2008-11-30 685816]
S2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\printer\center\KodakSvc.exe [2008-02-29 18944]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [2008-11-06 582992]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [2010-06-17 45072]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [2010-07-19 3019672]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [2008-03-02 206608]


--- Other Services/Drivers In Memory ---

*Deregistered* - jcbggfvh

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 13:57]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 02:38]

2010-08-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-21 02:38]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1685170627-3577132848-81057928-1000Core.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-24 18:13]

2010-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1685170627-3577132848-81057928-1000UA.job
- c:\users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe [2009-01-24 18:13]

2010-07-21 c:\windows\Tasks\HPCeeScheduleForAdam.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-03-20 19:10]

2010-08-18 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\Printer\Center\Kodak.Statistics.exe [2008-02-29 00:57]

2010-08-19 c:\windows\Tasks\User_Feed_Synchronization-{BF955419-3C2E-4DC3-86C2-CE8E1953218C}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = <local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: {51528C4F-16C1-4022-82DB-286A6F480975} = 205.171.3.65,205.171.2.65
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9 ... ontrol.CAB
FF - ProfilePath - c:\users\Adam\AppData\Roaming\Mozilla\Firefox\Profiles\o02pp7t1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Adam\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SpySweeper - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
HKLM-Run-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
HKLM-Run-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
HKLM-Run-Acrobat Assistant 8.0 - c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
SafeBoot-klmdb.sys
AddRemove-Right of Way - c:\program files\DejaVu Software
AddRemove-Adobe Digital Editions - c:\users\adam\appdata\roaming\macromedia\flash player\www.macromedia.com\bin\digitaleditions1x5\digitaleditions1x5.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 21:04
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\EDA5.tmp"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\jcbggfvh]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1685170627-3577132848-81057928-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CB32676-1BF9-C844-3D10-275E46703089}*]
"abcoiafodchjifjihbmjngibjdehpjogpk"=hex:61,62,65,70,6d,66,65,68,67,67,62,66,
64,6f,6b,62,6a,70,67,6b,6f,69,6c,61,61,6f,64,67,64,61,69,66,6b,63,00,76
"bbcoiafodchjifjihbpjagfoecfbfogfmhlj"=hex:61,62,6a,70,6f,67,70,65,6c,61,62,6d,
67,61,66,6a,6d,62,70,68,63,6e,67,69,6c,64,70,6f,6f,66,63,6a,6c,64,00,76

[HKEY_USERS\S-1-5-21-1685170627-3577132848-81057928-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BE72919B-4354-D8B2-1A22-E7CD6449212D}*]
"hageggimffbflelf"=hex:69,61,6d,6a,62,6f,6f,68,6b,6d,62,6b,64,67,6c,61,6e,66,
00,76
"iaafaggiffhehldjal"=hex:69,61,6e,6a,6d,70,6d,66,64,6c,69,61,6e,69,6b,6b,61,62,
00,76

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3068)
c:\windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
c:\program files\Stardock\ObjectDockPlus2\ODMenu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Stardock\MyColors\VistaSrv.exe
c:\program files\Stardock\MyColors\WBVista.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-08-18 21:20:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-19 03:20

Pre-Run: 91,183,329,280 bytes free
Post-Run: 88,567,332,864 bytes free

- - End Of File - - 33F7C3732459299D8156FEAB21226533
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut
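The ComboFix log above has a fixed, sectioned layout, and the entries the helper reacts to (the rootkit-related jcbggfvh.sys that "failed to delete", the removed Legacy_TDSSSERV.SYS and jcbggfvh keys, the disinfected wininit.exe) can be pulled out mechanically. The following is an added Python example written for this thread; it is not code from MalwareRemoval.com, from the posters, or from ComboFix. It parses the "(((( Section ))))" banners and ranks such entries for a first look. The sample log inside it is constructed from a few lines of the log above, and the severity labels, the eight-lowercase-letter "random name" heuristic and the treatment of .tmp image paths as review-only are this example's own assumptions.

```python
"""ComboFix log triage (added example; not ComboFix's or the forum's code).

Parses the sectioned plain-text layout ComboFix writes and flags:
  * files it could not delete, and files it found infected and disinfected;
  * Legacy_/Service_ keys it removed, with random-looking names (eight
    lowercase letters, like jcbggfvh) rated high (heuristic, assumption);
  * services whose image path is missing ([x]) or is a .tmp file, and a
    non-empty AppInit_DLLs value, rated "review" only, since scanners and
    legitimate software use both of those as well.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")
FAILED_RE = re.compile(r"^(?P<path>.+?)(?:\s+\.)*\s+failed to delete$")
LEGACY_RE = re.compile(r"^-+\\(?P<kind>Legacy_|Service_)(?P<name>.+)$")
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<stamp>.*)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")  # assumption: typical random driver name shape

# Constructed sample: a few entries from the log above, trimmed per section.
SAMPLE_LOG = r"""ComboFix log excerpt (constructed for this example)
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.

c:\windows\system32\drivers\jcbggfvh.sys . . . . failed to delete

Infected copy of c:\windows\System32\wininit.exe was found and disinfected

.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_jcbggfvh
-------\Service_jcbggfvh

(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GO333C~1\GoogleDesktopNetwork3.dll

R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\EDA5.tmp [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S2 ssfmonm;ssfmonm;c:\windows\system32\DRIVERS\ssfmonm.sys [2010-06-17 45072]
"""


@dataclass
class Finding:
    severity: str  # "high" or "review"
    section: str
    detail: str


def split_sections(text):
    """Map each '(((( name ))))' banner to the lines that follow it.

    Lines before the first banner land in 'Header'. Dashed sub-banners such as
    '--- Other Services/Drivers In Memory ---' are not treated as section
    breaks and stay inside the enclosing section.
    """
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name")
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return findings in log order."""
    sections = split_sections(text)
    findings = []

    for line in sections.get("Other Deletions", []):
        m = FAILED_RE.match(line)
        if m:  # a file the cleaner could not remove is the first thing to chase
            findings.append(Finding("high", "Other Deletions", f"could not delete {m.group('path')}"))
        elif line.startswith("Infected copy of"):
            findings.append(Finding("high", "Other Deletions", line))

    for line in sections.get("Drivers/Services", []):
        m = LEGACY_RE.match(line)
        if m:
            name = m.group("name")
            sev = "high" if RANDOM_NAME_RE.match(name) else "review"
            findings.append(Finding(sev, "Drivers/Services", f"removed {m.group('kind')}{name}"))

    for line in sections.get("Reg Loading Points", []):
        m = SERVICE_RE.match(line)
        if m:
            path, stamp = m.group("path"), m.group("stamp")
            if stamp == "x" or path.lower().endswith(".tmp"):
                findings.append(Finding("review", "Reg Loading Points",
                                        f"service {m.group('name')} -> {path} [{stamp}]"))
        elif line.startswith('"AppInit_DLLs"=') and line.split("=", 1)[1].strip():
            findings.append(Finding("review", "Reg Loading Points", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

Run against the constructed sample it reports four high findings (the undeletable driver, the disinfected wininit.exe, and the two random-named jcbggfvh keys) and three review items (the Legacy_TDSSSERV.SYS key, the AppInit_DLLs value and the MEMSWEEP2 service pointing at a missing .tmp file); the review tier exists precisely because entries like a scanner's temporary driver look alarming but are often benign.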

Re: Bot infection, multiple viruses

Post by ihisatsu » August 19th, 2010, 1:23 am

Do you still want me to print another Gmer?
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut

Re: Bot infection, multiple viruses

Post by jmw3 » August 19th, 2010, 1:25 am

Yes please :)
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Post by jmw3 » August 19th, 2010, 1:38 am

Oh & one more thing now that we have that log.... We need to talk about anti-virus protection, as it appears you don't have any. Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Download free anti-virus software from one of these excellent vendors NOW:

1) Microsoft Security Essentials - Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
2) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
3) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

Your computer must have only ONE anti-virus program installed at any time. Having more than one anti-virus program installed & active will cause program conflicts, false virus alerts, and system crashes.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Post by ihisatsu » August 19th, 2010, 3:10 pm

Running Gmer now, will post when complete. I'm doing all my replying on my wife's computer so nothing interrupts the scans. My Antivirus is Webroot Antivirus with Antispyware.
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut

Re: Bot infection, multiple viruses

Post by jmw3 » August 19th, 2010, 4:58 pm

Hi

OK.
My Antivirus is Webroot Antivirus with Antispyware.
Ah, I see. I thought it was just the Webroot Antispyware.
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Post by ihisatsu » August 19th, 2010, 8:31 pm

Done.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-19 17:24:20
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Adam\AppData\Local\Temp\kwldrpoc.sys


---- System - GMER 1.0.15 ----

SSDT 85217AF8 ZwAllocateVirtualMemory
SSDT 85219690 ZwCreateProcess
SSDT 85217FA8 ZwCreateProcessEx
SSDT 85217DC8 ZwCreateThread
SSDT 85217B70 ZwQueueApcThread
SSDT 85217A08 ZwReadVirtualMemory
SSDT 85217C60 ZwSetContextThread
SSDT 85217EB8 ZwSetInformationProcess
SSDT 85217CD8 ZwSetInformationThread
SSDT 85217E40 ZwSuspendProcess
SSDT 85217BE8 ZwSuspendThread
SSDT 85217F30 ZwTerminateProcess
SSDT 85217D50 ZwTerminateThread
SSDT 85217A80 ZwWriteVirtualMemory
SSDT 85217918 ZwCreateThreadEx
SSDT 85217990 ZwCreateUserProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 131 822AF894 4 Bytes [F8, 7A, 21, 85]
.text ntkrnlpa.exe!KeSetEvent + 209 822AF96C 8 Bytes [90, 96, 21, 85, A8, 7F, 21, ...] {NOP ; XCHG ESI, EAX; AND [EBP-0x7ade8058], EAX}
.text ntkrnlpa.exe!KeSetEvent + 221 822AF984 4 Bytes [C8, 7D, 21, 85] {ENTER 0x217d, 0x85}
.text ntkrnlpa.exe!KeSetEvent + 4E5 822AFC48 4 Bytes [70, 7B, 21, 85]
.text ntkrnlpa.exe!KeSetEvent + 4FD 822AFC60 4 Bytes [08, 7A, 21, 85]
.text ...
? System32\Drivers\jcbggfvh.sys A device attached to the system is not functioning. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe[268] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe[1080] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\RtHDVCpl.exe[1156] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe[1320] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[1676] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1836] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe[2188] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2228] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Windows\Explorer.EXE[2452] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!DrawTextW 774D97D3 5 Bytes JMP 6605C0F9 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\Explorer.EXE[2452] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe[3020] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Users\Adam\Desktop\gmer.exe[3044] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3376] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\hp\support\hpsysdrv.exe[3416] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac[3468] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe[3844] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[4004] ntdll.dll!KiUserExceptionDispatcher + A 77365DD2 5 Bytes JMP 000160C0 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (http://www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[4004] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 00015300 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (http://www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[4004] kernel32.dll!LoadLibraryExW 76669109 5 Bytes [33, C0, C2, 0C, 00] {XOR EAX, EAX; RET 0xc}
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[4004] kernel32.dll!VirtualFree 766840AA 5 Bytes JMP 000152E0 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (http://www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[4004] kernel32.dll!VirtualAlloc 7668AD55 5 Bytes JMP 000152B0 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (http://www.webroot.com))
.text C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE[4004] kernel32.dll!CreateFileA 7668CE5F 5 Bytes JMP 00014940 C:\Program Files\Webroot\Security\current\plugins\antimalware\SSU.EXE (Spy Sweeper SSU/Webroot Software, Inc. (http://www.webroot.com))
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\iTunes\iTunesHelper.exe[4056] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe[4504] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Program Files\Stardock\ObjectDockPlus2\ObjectDock.exe[4584] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!SetWindowPlacement 774C7963 5 Bytes JMP 660343DC C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!MoveWindow 774C989F 5 Bytes JMP 660346D7 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!DeferWindowPos 774D467F 5 Bytes JMP 66033D58 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!EndPaint 774DA28F 5 Bytes JMP 66002C09 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!BeginPaint 774DA2A3 5 Bytes JMP 66002C0E C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!GetWindowPlacement 774F38E3 5 Bytes JMP 6603452D C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86563F48

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] jcbggfvh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\jcbggfvh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\jcbggfvh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\jcbggfvh@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\jcbggfvh@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x48 0xFD 0x14 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x83 0xAA 0xCE 0xA7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8D 0xBE 0xE0 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8E 0x64 0x92 0x5C ...
Reg HKLM\SYSTEM\ControlSet002\Services\jcbggfvh@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\jcbggfvh@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\jcbggfvh@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\jcbggfvh@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x48 0xFD 0x14 0x9B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x83 0xAA 0xCE 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8D 0xBE 0xE0 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x8E 0x64 0x92 0x5C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CB32676-1BF9-C844-3D10-275E46703089}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CB32676-1BF9-C844-3D10-275E46703089}@abcoiafodchjifjihbmjngibjdehpjogpk 0x61 0x62 0x65 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CB32676-1BF9-C844-3D10-275E46703089}@bbcoiafodchjifjihbpjagfoecfbfogfmhlj 0x61 0x62 0x6A 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BE72919B-4354-D8B2-1A22-E7CD6449212D}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BE72919B-4354-D8B2-1A22-E7CD6449212D}@hageggimffbflelf 0x69 0x61 0x6D 0x6A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BE72919B-4354-D8B2-1A22-E7CD6449212D}@iaafaggiffhehldjal 0x69 0x61 0x6E 0x6A ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Program Files\EA GAMES\The Sims 2 H&M\xae Fashion Stuff\EAUninstall.exe 32

---- EOF - GMER 1.0.15 ----
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut
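
The helper reads the GMER log above by eye: the WindowBlinds DLL hooks the same USER32/kernel32 exports in every process (a signed owner module named on each line), while the one finding that matters is the hidden boot-start service and its Services keys in both control sets. The block below is an added example of doing that triage in code; it is not a GMER or MalwareRemoval.com tool and was not posted in this thread. It runs over a constructed, abridged sample in the same log format (the `SAMPLE_LOG` string, function names and the `unknown` owner label are this example's own), separating hooks that name an owning module from hooks with none, and correlating each hidden service with its registry values per control set.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's own code).
Parses user-mode hook lines, the Services section and the Registry section,
then correlates hidden services with their Services\\<name> registry values."""
import re
from collections import defaultdict

# Constructed sample in the GMER format shown in the thread (abridged to two
# processes, one hidden boot-start service and its control-set entries).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskeng.exe[4072] kernel32.dll!VirtualProtect 76641DC3 5 Bytes JMP 660047B5 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!SetWindowPos 774D35E3 2 Bytes JMP 66034826 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)
.text C:\Windows\system32\taskeng.exe[4072] USER32.dll!SetWindowPos + 3 774D35E6 2 Bytes [B6, EE] {MOV DH, 0xee}
.text C:\Windows\System32\mobsync.exe[5864] USER32.dll!GetWindowRect 774E0E21 5 Bytes JMP 660349B2 C:\Program Files\Stardock\MyColors\WBLIND.dll (WindowBlinds/Stardock Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] jcbggfvh <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\jcbggfvh@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\jcbggfvh@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\jcbggfvh@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\jcbggfvh@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)

---- EOF - GMER 1.0.15 ----
"""

HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<symbol>\S+(?: \+ \d+)?) "
    r"(?P<addr>[0-9A-F]+) (?P<size>\d+) Bytes (?P<rest>.*)$")
OWNER_RE = re.compile(r"^JMP (?P<target>[0-9A-F]+) (?P<module>.+?) \((?P<vendor>.+)\)$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<hidden>\(\*\*\* hidden \*\*\* \)\s+)?\[(?P<start>\w+)\]\s+(?P<name>\S+)")


def _parse_reg(body):
    """'key@value data' -> dict. The value name is the first token after '@', so a
    value name containing spaces is truncated (GMER's text format is ambiguous there)."""
    inactive = body.endswith(" (not active ControlSet)")
    if inactive:
        body = body[: -len(" (not active ControlSet)")]
    key, _, tail = body.partition("@")
    value, _, data = tail.partition(" ")
    return {"key": key, "value": value or None, "data": data or None, "inactive": inactive}


def parse_gmer(text):
    """Return {'hooks': [...], 'services': [...], 'registry': [...]} from log text."""
    report = {"hooks": [], "services": [], "registry": []}
    for line in text.splitlines():
        line = line.rstrip()
        m = HOOK_RE.match(line)
        if m:
            hook = m.groupdict()
            owner = OWNER_RE.match(hook["rest"])
            hook["module"] = owner["module"] if owner else None  # None: raw bytes, no named owner
            hook["vendor"] = owner["vendor"] if owner else None
            hook["continuation"] = " + " in hook["symbol"]       # tail of a multi-part patch
            report["hooks"].append(hook)
        elif SERVICE_RE.match(line):
            m = SERVICE_RE.match(line)
            report["services"].append({"name": m["name"], "start": m["start"],
                                       "hidden": bool(m["hidden"]) or "ROOTKIT" in line})
        elif line.startswith("Reg "):
            report["registry"].append(_parse_reg(line[4:]))
    return report


def hidden_service_footprint(report):
    """For each hidden service: {control set: {value name: data}} from the Registry section."""
    out = {}
    for svc in report["services"]:
        if not svc["hidden"]:
            continue
        suffix = "\\services\\" + svc["name"].lower()
        per_set = defaultdict(dict)
        for entry in report["registry"]:
            key = entry["key"].lower()
            if key.endswith(suffix) and entry["value"]:
                control_set = key.split("\\")[2]  # HKLM\SYSTEM\<ControlSetXXX>\Services\<name>
                per_set[control_set][entry["value"]] = entry["data"]
        out[svc["name"]] = dict(per_set)
    return out


def hook_owners(report):
    """Map owning module (or 'unknown') -> sorted processes carrying that hook."""
    owners = defaultdict(set)
    for h in report["hooks"]:
        if not h["continuation"]:
            owners[h["module"] or "unknown"].add(h["proc"])
    return {k: sorted(v) for k, v in owners.items()}


def triage(text):
    """Findings: hidden services with Start/Group per active control set, then hook ownership."""
    report = parse_gmer(text)
    findings = []
    for name, sets in hidden_service_footprint(report).items():
        active = sets.get("currentcontrolset", {})
        findings.append(f"hidden service {name}: Start={active.get('Start')} "
                        f"Group={active.get('Group')} present in {len(sets)} control set(s)")
    for module, procs in hook_owners(report).items():
        findings.append(f"hooks owned by {module}: {len(procs)} process(es)")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```

On the constructed sample this reports the hidden service as boot-start (`Start=0`, group `Boot Bus Extender`) in two control sets, which is why the fix script that follows removes it from CurrentControlSet, ControlSet001 and ControlSet002, and it attributes every hook to the one Stardock module, so nothing in the user-mode hook list needs action.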

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 20th, 2010, 6:24 am

Hi
Apologies for the delay.... hectic work day.

Remove Programs
Click Start > Control Panel > Programs and Features
Remove these programs by clicking Remove

WinPcap 4.1 beta5

If some programs listed are not present, please do not panic

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
RootKit::
c:\windows\system32\driVERs\jcbggfvh.sys
File::
c:\windows\system32\drivers\npf.sys
Folder::
c:\users\Adam\AppData\Roaming\uTorrent
DirLook::
c:\programdata\{CFA6F4AE-B6D4-4F71-BBA4-ACFE805E7214}
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jcbggfvh]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\jcbggfvh]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\jcbggfvh]
Driver::
jcbggfvh
NPF
DDS::
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
RegNull::
[HKEY_USERS\S-1-5-21-1685170627-3577132848-81057928-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5CB32676-1BF9-C844-3D10-275E46703089}*]
[HKEY_USERS\S-1-5-21-1685170627-3577132848-81057928-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BE72919B-4354-D8B2-1A22-E7CD6449212D}*]
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
ComboFix log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 20th, 2010, 8:42 pm

ComboFix has finished running and the computer rebooted; there is no log file on the desktop or in the C:\ drive.
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 21st, 2010, 1:00 pm

Do you want me to re-run combofix?
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut

Re: Bot infection, multiple viruses

Unread postby jmw3 » August 21st, 2010, 4:42 pm

Hi
Apologies for the delay.

No don't run ComboFix again.

Malwarebytes' Anti-Malware
  • Open Malwarebytes Anti-Malware, click the Update tab then Check for Updates
  • If an update is found, it will download and install the latest version & data base version
  • Once the program has updated click the Scanner tab, select Perform full scan then click Scan
  • When the scan is complete, click OK, then Show Results to view the results
  • Check all items except items in the C:\System Volume Information folder... then click on Remove Selected
  • When completed, a log will open in Notepad. Please copy & paste the log back into your next reply
    Note:
  • The log is automatically saved by Malwarebytes' Anti-Malware & can be viewed by clicking the Logs tab
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either & let Malwarebytes' Anti-Malware proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.
If you receive an (Error Loading) error on reboot please reboot a second time. It is normal for this error to occur once & does not need to be reported unless it returns on future reboots.


OTL
Download OTL Here & save it to your desktop.
  • Right click on OTL.exe then choose Run as Administrator to run it. Make sure all other windows are closed and to let it run uninterrupted
  • Underneath Output at the top change it to Minimal Output
  • Under the Standard Registry box change it to All
  • Check the boxes beside LOP Check & Purity Check
  • Highlight the following text in the Code box with your mouse and press Ctrl + C on your keyboard:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click in the Custom Scan/Fixes box & press Ctrl + V on your keyboard to paste the above
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long
  • When the scan completes, it will open two notepad windows. OTL.Txt & Extras.Txt. These are saved in the same location as OTL
  • Copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time & post in your next reply
To post in next reply:
Malwarebytes log
Contents of OTL.txt
Contents of Extras.txt
These are large logs, so one log per post please
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Bot infection, multiple viruses

Unread postby ihisatsu » August 21st, 2010, 9:23 pm

MalwareBytes Log


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4459

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/21/2010 6:26:53 PM
mbam-log-2010-08-21 (18-26-53).txt

Scan type: Full scan (C:\|)
Objects scanned: 327519
Time elapsed: 2 hour(s), 0 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
ihisatsu
Regular Member
 
Posts: 44
Joined: July 27th, 2010, 8:48 pm
Location: cedar city, ut