Slow System Plus Multiple Program and System Crashes

Post by Randal'Thor » April 29th, 2011, 12:22 am

Hi The Malware Removal Team. :)

I have had the following problems over the last few days:
- Mozilla Firefox, iTunes and Microsoft Office have been freezing and crashing with no error reports randomly.
- My computer has been rejecting my graphics and sound cards, often crashing and giving blue screens plus the computer's clock keeps resetting after each reboot. (Update: I rebooted this morning and the sound card was fine as was the clock). I have taken the graphics card out for the moment.
- Windows Update has struggled to update these last few days (it has managed to do it) but no errors were given.
- My computer has randomly restarted a couple of times.
- My Event Viewer doesn't show any of these issues.

I thought I'd get a quick checkup before I move forward and start looking at other possibilities like hardware etc.

Here is the DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Liam at 14:10:29.72 on Fri 29/04/2011
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.2022.1046 [GMT 10:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\IProsetMonitor.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Liam\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Free YouTube Download - c:\users\liam\appdata\roaming\dvdvideosoftiehelpers\freeyoutubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\users\liam\appdata\roaming\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-be ... canner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\liam\appdata\roaming\mozilla\firefox\profiles\bo6hgl0j.default\
FF - prefs.js: browser.search.defaulturl -
FF - component: c:\users\liam\appdata\roaming\mozilla\firefox\profiles\bo6hgl0j.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\liam\appdata\roaming\mozilla\firefox\profiles\bo6hgl0j.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-12 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-7 307288]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-7 19544]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-6-7 53592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2006-1-1 42184]
R2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2006-1-1 109728]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [2010-7-29 25112]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-8-24 86824]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-8-24 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-8-24 114728]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-8-24 106208]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-8-24 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-8-24 104744]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-8-24 109864]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-28 52224]
.
=============== Created Last 30 ================
.
2011-04-28 13:01:22 -------- d-----w- c:\users\liam\appdata\local\{74987E43-1940-46AD-AF03-C585D57775D8}
2011-04-27 02:12:12 -------- d-----w- c:\program files\ESET
2011-04-26 08:21:07 -------- d-----w- c:\windows\system32\appmgmt
2011-04-22 00:07:34 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-21 06:54:07 -------- d-----w- c:\program files\Unlocker
2011-04-21 06:43:49 -------- d-----w- c:\program files\iTunes
2011-04-21 06:43:49 -------- d-----w- c:\program files\iPod
2011-04-21 06:42:13 -------- d-----w- c:\program files\Bonjour
2011-04-20 12:33:42 -------- d-----w- c:\program files\PowerISO
2011-04-17 01:44:06 -------- d-----w- c:\users\liam\appdata\local\Apps
2011-04-15 11:40:44 -------- d-----w- c:\users\liam\Pokemon Online
2011-04-14 08:58:36 -------- d-----w- c:\program files\common files\ResearchSoft
2011-04-14 08:47:59 -------- d-----w- c:\users\liam\appdata\roaming\EndNote
2011-04-14 08:47:20 -------- d-----w- c:\program files\common files\Risxtd
2011-04-14 08:46:55 -------- d-----w- c:\program files\EndNote X4
2011-04-14 08:46:28 -------- d-----w- c:\progra~2\Thomson.ResearchSoft.Installers
2011-04-13 05:02:36 40984 ----a-w- c:\windows\system32\drivers\point32.sys
2011-04-12 06:54:59 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-04-08 22:49:23 -------- d-----w- c:\program files\trend micro
2011-04-08 13:02:04 390656 ----a-w- c:\windows\system32\ipcoin815.dll
2011-04-06 06:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 06:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-02 11:29:08 -------- d-----w- c:\users\liam\appdata\local\{61DB7A2E-0CD2-49E6-BFF4-A316E316075E}
2011-04-01 02:06:02 185856 ----a-w- c:\windows\system32\Ncs2Setp.dll
2011-04-01 01:56:18 665720 ----a-w- c:\windows\system32\ncs2dmix.dll
2011-04-01 01:56:06 513144 ----a-w- c:\windows\system32\accesor.dll
2011-04-01 01:31:54 135800 ----a-w- c:\windows\system32\ncs2instutility.dll
2011-04-01 01:14:54 1966200 ----a-w- c:\windows\system32\ncscolib.dll
2011-03-31 13:23:01 1002008 ----a-w- c:\windows\system32\igxpun.exe
2011-03-31 13:23:01 -------- d-----w- c:\windows\system32\x64
.
==================== Find3M ====================
.
2011-04-18 16:25:12 40112 ----a-w- c:\windows\avastSS.scr
2011-03-18 00:20:32 266440 ----a-w- c:\windows\system32\PROUnstl.exe
2011-03-12 11:23:45 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:33:59 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:33:59 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:33:09 1699328 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:31:07 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-08 05:28:29 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:38:01 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:36:16 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:42:34 2333184 ----a-w- c:\windows\system32\win32k.sys
2011-02-28 06:05:51 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-28 03:19:34 109728 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2011-02-27 21:09:40 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-02-25 05:30:54 2616320 ----a-w- c:\windows\explorer.exe
2011-02-24 05:38:54 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 22:27:00 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-02-22 22:27:00 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-02-19 06:30:54 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30:51 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30:50 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 06:30:46 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 04:34:54 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-18 05:39:44 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-02-12 05:35:31 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-02-02 10:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 14:13:30.88 ===============

Here is the Attach Log:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/06/2010 2:29:48 PM
System Uptime: 29/04/2011 8:24:17 AM (6 hours ago)
.
Motherboard: Acer | | FQ965M
Processor: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2394/266mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 86.546 GiB free.
D: is FIXED (FAT32) - 141 GiB total, 100.8 GiB free.
E: is CDROM ()
F: is CDROM (CDFS)
G: is CDROM (UDF)
H: is FIXED (NTFS) - 297 GiB total, 28.615 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Atheros AR5005GS Wireless Network Adapter
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_2051168C&REV_01\4&25C8C425&0&10F0
Manufacturer: Atheros Communications Inc.
Name: Atheros AR5005GS Wireless Network Adapter #2
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_2051168C&REV_01\4&25C8C425&0&10F0
Service: athr
.
Class GUID:
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_8086&DEV_2994&SUBSYS_0CEE105B&REV_02\3&2411E6FE&1&18
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_8086&DEV_2994&SUBSYS_0CEE105B&REV_02\3&2411E6FE&1&18
Service:
.
==== System Restore Points ===================
.
RP89: 1/01/2006 1:15:37 AM - Installed Intel(R) Network Connections.
RP91: 1/01/2006 1:29:01 AM - Installed NVIDIA 3D Vision Controller Driver
RP92: 1/04/2011 12:22:12 AM - Windows Update
RP94: 1/04/2011 10:29:20 AM - Windows Update
RP96: 1/04/2011 10:32:02 AM - Removed NVIDIA 3D Vision Controller Driver
RP87: 21/04/2011 11:28:13 PM - Windows Update
RP88: 22/04/2011 10:04:51 AM - Windows Update
RP93: 26/04/2011 6:20:42 PM - Removed Bonjour
RP97: 28/04/2011 10:27:03 PM - Installed Microsoft Fix it 50463
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Élysée 3.71
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
Age of Mythology
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Auslogics Disk Defrag
Auto Gordian Knot 2.55
avast! Free Antivirus
AviSynth 2.5
Bonjour
D3DX10
Data Lifeguard Diagnostic for Windows 1.21
DVD Decrypter (Remove Only)
EndNote X4
ESET Online Scanner v3
Google Update Helper
Intel(R) Active Management Technology Device Software
Intel(R) Graphics Media Accelerator Driver
Intel(R) Network Connections 16.2.49.0
iTunes
Java Auto Updater
Java(TM) 6 Update 24
Malwarebytes' Anti-Malware
Metal Slug Series with Enabled MAME 0.78
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft IntelliPoint 8.1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 4.0 (x86 en-US)
MSVCRT
MSXML4 Parser
OGA Notifier 2.0.0048.0
Opera 11.01
PeerGuardian 2.0
Pokemon Online 1.0.21
Polipo 1.0.4.1
PowerISO
PVSonyDll
Python 2.6 numpy-1.3.0
Python 2.6 PIL-1.1.7
Python 2.6 pywin32-214
Python 2.6 rpy-1.0.3
QuickTime
Red-R (remove only)
ResearchSoft Direct Export Helper
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SpywareBlaster 4.4
System Requirements Lab
System Requirements Lab for Intel
The Battle for Middle-earth (tm) II
Tor 0.2.1.30
Trillian
Uninstall 1.0.0.1
Unlocker 1.9.1
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Vidalia 0.2.10
VobSub v2.23 (Remove Only)
Windows Essentials Media Codec Pack 3.0
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinDS PRO 2010.10 (Liam)
WinZip 14.5
Xfire (remove only)
XviD MPEG4 Video Codec (remove only)
.
==== Event Viewer Messages From Past Week ========
.
25/04/2011 9:57:43 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0x86cfa008, 0x8f30d83c, 0x00000000, 0x00000002). A dump was saved in: C:\Windows\Minidump\042511-21886-01.dmp. Report Id: 042511-21886-01.
24/04/2011 1:21:55 AM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
.
==== End Of File ===========================


Any help would be greatly appreciated. :)
Randal'Thor
Active Member
 
Posts: 14
Joined: September 13th, 2008, 7:21 am
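As an added example (not part of this thread and not code from the DDS tool), here is a small Python parser for the DDS log format posted above: it splits the log on its `====` section headers, structures each SERVICES / DRIVERS line into start state, start type, name, image path, date and size, and pulls the stop code, parameters and dump path out of the WER 1001 bugcheck event. The sample lines are copied from the log above; the line formats are inferred from that one log and are assumptions, and the stop-code names come from Microsoft's bug check reference.

```python
"""Small parser for the DDS log format posted in this thread.

Added example: not part of the original thread and not code from the DDS
tool. Section headers, service/driver lines and the WER bugcheck event are
matched as they appear in the log above; those formats are inferred from
that one log and are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the DDS / Attach logs above.
SAMPLE_DDS_LOG = r"""
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-12 441176]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2006-1-1 42184]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-7 136176]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-2-28 52224]
.
==== Event Viewer Messages From Past Week ========
.
25/04/2011 9:57:43 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000116 (0x86cfa008, 0x8f30d83c, 0x00000000, 0x00000002). A dump was saved in: C:\Windows\Minidump\042511-21886-01.dmp. Report Id: 042511-21886-01.
24/04/2011 1:21:55 AM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
"""

# "==== Section Name ====" lines delimit DDS sections.
SECTION_HEADER = re.compile(r"^=+\s+(.+?)\s+=+$")

# R/S = running/stopped, digit = start type (0 boot .. 4 disabled), then
# "name;display name;image path [yyyy-m-d size]".
SERVICE_LINE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)

# WER event 1001 text: stop code, four parameters, minidump path.
BUGCHECK = re.compile(
    r"bugcheck was:\s*(?P<code>0x[0-9A-Fa-f]+)\s*\((?P<params>[^)]*)\)"
    r"(?:.*?A dump was saved in:\s*(?P<dump>\S+\.dmp))?"
)

# A few well-known stop codes (Microsoft bug check reference); any other
# code is reported by number only.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x1E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x116: "VIDEO_TDR_FAILURE",
    0x124: "WHEA_UNCORRECTABLE_ERROR",
}


def split_sections(text: str) -> Dict[str, List[str]]:
    """Return {section name: content lines}, dropping DDS's '.' spacer lines."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def parse_service_line(line: str) -> Optional[dict]:
    """Structure one SERVICES / DRIVERS line; None if the line is not one."""
    m = SERVICE_LINE.match(line)
    if not m:
        return None
    return {
        "state": "running" if m.group("state") == "R" else "stopped",
        "start_type": int(m.group("start")),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": m.group("path"),
        "date": m.group("date"),
        "size": int(m.group("size")),
    }


def parse_bugcheck(line: str) -> Optional[dict]:
    """Extract stop code, parameters and dump path from a WER 1001 event."""
    m = BUGCHECK.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "code": code,
        "name": BUGCHECK_NAMES.get(code, "UNKNOWN"),
        "params": [p.strip() for p in m.group("params").split(",")],
        "dump": m.group("dump"),
    }


def summarize(text: str) -> dict:
    """Counts of running/stopped services plus every bugcheck event found."""
    sections = split_sections(text)
    services = [s for s in map(parse_service_line, sections.get("SERVICES / DRIVERS", [])) if s]
    events = sections.get("Event Viewer Messages From Past Week", [])
    bugchecks = [b for b in map(parse_bugcheck, events) if b]
    return {
        "running": sum(1 for s in services if s["state"] == "running"),
        "stopped": sum(1 for s in services if s["state"] == "stopped"),
        "services": services,
        "bugchecks": bugchecks,
    }
```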

Re: Slow System Plus Multiple Program and System Crashes

Post by Scolabar » May 3rd, 2011, 3:03 am

Hi Randal'Thor,

Firstly, welcome to the Malware Removal Forum. :)
My name is Scolabar, and I'll be helping you with your malware problems.
Logs can take a while to research, so please be patient.

I am currently working under the guidance of the MRU teachers, so everything I post to you will need to be reviewed by them.
This additional review process can add some extra time to my responses, but hopefully not too much.
;)

Please note the following important guidelines before proceeding:
  1. The instructions that will be provided are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. If you have any questions or do not understand something, please do not hesitate to ask; don't guess or assume.
  3. Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  4. Only reply to this thread, do not start another. Please, continue responding, until I give you the All Clean.
    Absence of symptoms does not necessarily mean that everything is clear.
  5. DO NOT run any other fix or removal tools unless instructed to do so!
  6. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  7. Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  8. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  9. Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Please Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.

If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thank you for your patience.

Scolabar
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Slow System Plus Multiple Program and System Crashes

Post by Scolabar » May 5th, 2011, 12:31 pm

Hi Randal'Thor,

Thank you again for your patience. :)

Please read these instructions carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Business Use Computer?

Entries in your DDS log lead me to believe that this computer may be being used for business purposes.
Please could you confirm if this is the case? If the computer is not used for business purposes please proceed with Step 2.

Step 2:
TFC

Please download TFC.exe by Old Timer. Save it to your Desktop.

Print these instructions. Save any unsaved work. TFC will close ALL open programs including your browser!

  1. Double-click on TFC.exe to run it.
    Vista - W7 users: Right-click on TFC.exe and select "Run As Administrator..." to launch the program. If you receive a UAC prompt, please allow it.
  2. TFC will now begin cleaning up the "temp" files.
    Note: This process may take only a few seconds or it could take several minutes, depending on the amount of temp files found.
  3. If prompted to reboot, click on the Yes button to confirm.

! IMPORTANT ! If TFC prompts you to reboot, please do so immediately, before proceeding with any other steps or other use of your computer.

Step 3:
CKScanner

  1. Please download CKScanner and Save it to your Desktop.
    Make sure that CKScanner.exe is on your Desktop before running the application!
  2. Double-click on the CKScanner.exe icon to launch the program and then click on the Search For Files button.
    Vista - W7 users: Right-click on CKScanner.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  3. When the scan has finished (the hourglass cursor will disappear when the scan has completed) click on the Save List To File button.
    A text file will be created on your desktop named ckfiles.txt.
  4. Click on the Exit button to close the program.
  5. Double-click on the ckfiles.txt file to open it.
  6. Then Copy and Paste the entire contents of the file into your next reply.

Step 4:
Security Check

  1. Please download Security Check by screen317 and Save it to your Desktop.
    Alternate download site: Link 2
  2. Double-click on the SecurityCheck.exe icon to run the program.
    Vista - W7 users: Right-click on SecurityCheck.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
    If you receive an Open file Security Warning click the Run button.
  3. Press the Space Bar when you see the Press any key to continue... message.
    Please Note: This scan will take a short while to complete, so please be patient.
  4. When the scan has completed, a Notepad file will automatically open called checkup.txt.
  5. Save the file checkup.txt to your Desktop.
    Please Note: This output file is NOT automatically saved!
  6. Then Copy and Paste the entire contents of the checkup.txt file into your next reply.

Step 5:
GMER

The downloaded file will have a random filename. This prevents malware from detecting and blocking it.

Please download GMER ... random named.exe by GMER. An alternative (zip file) download is available here.
IMPORTANT: Do not run any programs while GMER is running.
CAUTION: Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

  1. Double click on the random named.exe to execute. If asked, allow the gmer.sys driver load.
    Vista - W7 users: Right-click on the random named.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  2. If it gives you a warning about rootkit activity and asks if you want to run a scan click on NO. <--- Important!
  3. On the right side panel, several boxes have been checked. Please UNCHECK the following: (See image below.)
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All <-- don't miss this one


  4. If you don't get a warning, then click on the Rootkit/Malware tab at the top of the GMER window.
  5. Click on the Scan button.
  6. Once the scan has finished, click on Save. The Save window will open.
  7. Save the scan results as gmerroot.log to your Desktop.
  8. Double-click on the gmerroot.log file on the Desktop to open it in Notepad.
  9. Copy and Paste the entire contents of gmerroot.log into your next reply.

Step 6:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. ckfiles.txt.
  3. checkup.txt.
  4. gmerroot.log.
  5. Do you have the original Windows installation media for your PC?

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Slow System Plus Multiple Program and System Crashes

Post by Randal'Thor » May 5th, 2011, 6:37 pm

Hi Scolabar.

Please could you confirm if this is the case? If the computer is not used for business purposes please proceed with Step 2.

Not a business computer. I am studying at university and primarily use this computer for research and assignments.

No problems running any of these tools. :)

I do not have the original Windows CD; only a repair disc.

Here is the log from the CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.MN.11
----- EOF -----

Here is the log from Security Check:

Results of screen317's Security Check version 0.99.10
Windows 7 Service Pack 1 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 24
Adobe Flash Player 10.2.159.1
Adobe Reader X (10.0.1)
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
``````````End of Log````````````

Here is the log from GMER:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-06 08:32:02
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-9 WDC_WD3200AAJS-22VWA0 rev.12.01B02
Running: 6j1422jm.exe; Driver: C:\Users\Liam\AppData\Local\Temp\kxlcyuob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8F622202]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8FB29C48]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8F6247F0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8F624848]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8F62495E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8F624746]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x8F624898]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8F62479A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8F62490C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8F622226]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8FB29CF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x8F621FF0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8F62224A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8F624D56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8F622CDA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8F624820]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8F624870]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8F624988]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8F624772]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8F6248D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8F6247C8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8F624936]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8FB29D90]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8F622BA0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8F62226E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8F622292]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8F62204A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8F622186]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8F622162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8F6221AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8F6222B6]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8FB3F762]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 83C53339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83C8CD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 83C93DC0 4 Bytes [02, 22, 62, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 83C93DE8 4 Bytes [48, 9C, B2, 8F] {DEC EAX; PUSHF ; MOV DL, 0x8f}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 83C93E9C 8 Bytes [F0, 47, 62, 8F, 48, 48, 62, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 83C93EA8 4 Bytes [5E, 49, 62, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 83C93EC4 4 Bytes [46, 47, 62, 8F]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83E21B6C 5 Bytes JMP 8FB3B11E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 83E3A16E 5 Bytes JMP 8FB3CBD4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 83E4F26D 4 Bytes CALL 8F62334B \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 83E6902C 4 Bytes CALL 8F623361 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 83EF2E44 7 Bytes JMP 8FB3F766 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? System32\Drivers\splm.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 90C84CA0 5 Bytes JMP 8706D1D8

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskeng.exe[220] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\system32\taskeng.exe[220] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000A01F8
.text C:\Windows\system32\taskeng.exe[220] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\taskeng.exe[220] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00130A08
.text C:\Windows\system32\taskeng.exe[220] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001303FC
.text C:\Windows\system32\taskeng.exe[220] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00130804
.text C:\Windows\system32\taskeng.exe[220] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001301F8
.text C:\Windows\system32\taskeng.exe[220] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00130600
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00200A08
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002003FC
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00200804
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002001F8
.text C:\Program Files\Bonjour\mDNSResponder.exe[264] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\Dwm.exe[456] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\Dwm.exe[456] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\Dwm.exe[456] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\Dwm.exe[456] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00080A08
.text C:\Windows\system32\Dwm.exe[456] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 000803FC
.text C:\Windows\system32\Dwm.exe[456] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00080804
.text C:\Windows\system32\Dwm.exe[456] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 000801F8
.text C:\Windows\system32\Dwm.exe[456] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00080600
.text C:\Windows\servicing\TrustedInstaller.exe[480] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000503FC
.text C:\Windows\servicing\TrustedInstaller.exe[480] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000501F8
.text C:\Windows\servicing\TrustedInstaller.exe[480] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\servicing\TrustedInstaller.exe[480] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00080A08
.text C:\Windows\servicing\TrustedInstaller.exe[480] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 000803FC
.text C:\Windows\servicing\TrustedInstaller.exe[480] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00080804
.text C:\Windows\servicing\TrustedInstaller.exe[480] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 000801F8
.text C:\Windows\servicing\TrustedInstaller.exe[480] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00080600
.text C:\Windows\system32\csrss.exe[516] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[532] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[532] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[532] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[532] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00A30A08
.text C:\Windows\system32\svchost.exe[532] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 00A303FC
.text C:\Windows\system32\svchost.exe[532] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00A30804
.text C:\Windows\system32\svchost.exe[532] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 00A301F8
.text C:\Windows\system32\svchost.exe[532] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00A30600
.text C:\Windows\system32\wininit.exe[568] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\wininit.exe[568] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\wininit.exe[568] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\wininit.exe[568] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\wininit.exe[568] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\wininit.exe[568] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\wininit.exe[568] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\wininit.exe[568] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\csrss.exe[576] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\services.exe[632] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\services.exe[632] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\services.exe[632] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\lsass.exe[656] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsass.exe[656] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Intel\AMT\LMS.exe[660] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001503FC
.text C:\Program Files\Intel\AMT\LMS.exe[660] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001501F8
.text C:\Program Files\Intel\AMT\LMS.exe[660] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Intel\AMT\LMS.exe[660] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Intel\AMT\LMS.exe[660] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001F03FC
.text C:\Program Files\Intel\AMT\LMS.exe[660] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 001F0804
.text C:\Program Files\Intel\AMT\LMS.exe[660] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Intel\AMT\LMS.exe[660] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\lsm.exe[668] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\lsm.exe[668] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\lsm.exe[668] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[680] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000303FC
.text C:\Windows\system32\winlogon.exe[680] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000301F8
.text C:\Windows\system32\winlogon.exe[680] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\winlogon.exe[680] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 000C0A08
.text C:\Windows\system32\winlogon.exe[680] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 000C03FC
.text C:\Windows\system32\winlogon.exe[680] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 000C0804
.text C:\Windows\system32\winlogon.exe[680] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 000C01F8
.text C:\Windows\system32\winlogon.exe[680] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 000C0600
.text C:\Windows\system32\IProsetMonitor.exe[712] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\IProsetMonitor.exe[712] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\IProsetMonitor.exe[712] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\IProsetMonitor.exe[712] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00200A08
.text C:\Windows\system32\IProsetMonitor.exe[712] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002003FC
.text C:\Windows\system32\IProsetMonitor.exe[712] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00200804
.text C:\Windows\system32\IProsetMonitor.exe[712] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002001F8
.text C:\Windows\system32\IProsetMonitor.exe[712] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\svchost.exe[796] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[796] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[796] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[884] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[964] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00900A08
.text C:\Windows\System32\svchost.exe[964] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 009003FC
.text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00900804
.text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 009001F8
.text C:\Windows\System32\svchost.exe[964] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00900600
.text C:\Windows\System32\svchost.exe[1020] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\svchost.exe[1020] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\svchost.exe[1020] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00970A08
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 009703FC
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00970804
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 009701F8
.text C:\Windows\System32\svchost.exe[1020] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00970600
.text C:\Windows\system32\svchost.exe[1052] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1052] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1052] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1052] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00FD0A08
.text C:\Windows\system32\svchost.exe[1052] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 00FD03FC
.text C:\Windows\system32\svchost.exe[1052] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00FD0804
.text C:\Windows\system32\svchost.exe[1052] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 00FD01F8
.text C:\Windows\system32\svchost.exe[1052] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00FD0600
.text C:\Windows\system32\AUDIODG.EXE[1128] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00960A08
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 009603FC
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00960804
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 009601F8
.text C:\Windows\system32\svchost.exe[1204] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00960600
.text C:\Windows\system32\svchost.exe[1396] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1396] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1396] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00100A08
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001003FC
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00100804
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001001F8
.text C:\Windows\system32\wbem\wmiprvse.exe[1412] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00100600
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1528] kernel32.dll!SetUnhandledExceptionFilter 77363D01 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1528] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[1576] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000503FC
.text C:\Windows\system32\taskhost.exe[1576] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000501F8
.text C:\Windows\system32\taskhost.exe[1576] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[1576] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 000E0A08
.text C:\Windows\system32\taskhost.exe[1576] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 000E03FC
.text C:\Windows\system32\taskhost.exe[1576] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 000E0804
.text C:\Windows\system32\taskhost.exe[1576] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 000E01F8
.text C:\Windows\system32\taskhost.exe[1576] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 000E0600
.text C:\Windows\System32\spoolsv.exe[1880] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\spoolsv.exe[1880] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\spoolsv.exe[1880] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1880] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\spoolsv.exe[1880] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001403FC
.text C:\Windows\System32\spoolsv.exe[1880] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00140804
.text C:\Windows\System32\spoolsv.exe[1880] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\spoolsv.exe[1880] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00140600
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[1908] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[1908] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1908] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00360A08
.text C:\Windows\system32\svchost.exe[1908] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 003603FC
.text C:\Windows\system32\svchost.exe[1908] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00360804
.text C:\Windows\system32\svchost.exe[1908] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 003601F8
.text C:\Windows\system32\svchost.exe[1908] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00360600
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00090A08
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 000903FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00090804
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 000901F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[2016] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00090600
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 001A0A08
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001A03FC
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 001A0804
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001A01F8
.text C:\Program Files\Intel\AMT\atchksrv.exe[2040] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 001A0600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000A03FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000A01F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00240A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002403FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00240804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002401F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2164] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00240600
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00110A08
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001103FC
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00110804
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001101F8
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2316] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00110600
.text C:\Windows\Explorer.EXE[2344] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\Explorer.EXE[2344] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\Explorer.EXE[2344] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\Explorer.EXE[2344] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00110A08
.text C:\Windows\Explorer.EXE[2344] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001103FC
.text C:\Windows\Explorer.EXE[2344] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00110804
.text C:\Windows\Explorer.EXE[2344] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001101F8
.text C:\Windows\Explorer.EXE[2344] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00110600
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00220A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002203FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00220804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002201F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2796] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00220600
.text C:\Windows\system32\svchost.exe[2848] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\svchost.exe[2848] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\svchost.exe[2848] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2848] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 002A0A08
.text C:\Windows\system32\svchost.exe[2848] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002A03FC
.text C:\Windows\system32\svchost.exe[2848] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 002A0804
.text C:\Windows\system32\svchost.exe[2848] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002A01F8
.text C:\Windows\system32\svchost.exe[2848] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 002A0600
.text C:\Windows\System32\svchost.exe[2932] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000A03FC
.text C:\Windows\System32\svchost.exe[2932] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000A01F8
.text C:\Windows\System32\svchost.exe[2932] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00100A08
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001003FC
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00100804
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001001F8
.text C:\Program Files\iTunes\iTunesHelper.exe[3036] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00100600
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001003FC
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00100804
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001001F8
.text C:\Program Files\Microsoft IntelliPoint\ipoint.exe[3052] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00100600
.text C:\Windows\System32\hkcmd.exe[3100] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Windows\System32\hkcmd.exe[3100] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Windows\System32\hkcmd.exe[3100] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\hkcmd.exe[3100] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00200A08
.text C:\Windows\System32\hkcmd.exe[3100] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002003FC
.text C:\Windows\System32\hkcmd.exe[3100] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00200804
.text C:\Windows\System32\hkcmd.exe[3100] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002001F8
.text C:\Windows\System32\hkcmd.exe[3100] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00200600
.text C:\Windows\system32\igfxsrvc.exe[3108] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\igfxsrvc.exe[3108] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\igfxsrvc.exe[3108] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[3108] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 001F0A08
.text C:\Windows\system32\igfxsrvc.exe[3108] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001F03FC
.text C:\Windows\system32\igfxsrvc.exe[3108] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 001F0804
.text C:\Windows\system32\igfxsrvc.exe[3108] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001F01F8
.text C:\Windows\system32\igfxsrvc.exe[3108] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 001F0600
.text C:\Windows\System32\igfxpers.exe[3136] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Windows\System32\igfxpers.exe[3136] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxpers.exe[3136] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[3136] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00300A08
.text C:\Windows\System32\igfxpers.exe[3136] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 003003FC
.text C:\Windows\System32\igfxpers.exe[3136] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00300804
.text C:\Windows\System32\igfxpers.exe[3136] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 003001F8
.text C:\Windows\System32\igfxpers.exe[3136] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00300600
.text C:\Windows\System32\StikyNot.exe[3160] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\StikyNot.exe[3160] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\StikyNot.exe[3160] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\StikyNot.exe[3160] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00170A08
.text C:\Windows\System32\StikyNot.exe[3160] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001703FC
.text C:\Windows\System32\StikyNot.exe[3160] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00170804
.text C:\Windows\System32\StikyNot.exe[3160] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001701F8
.text C:\Windows\System32\StikyNot.exe[3160] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00170600
.text C:\Windows\system32\SearchIndexer.exe[3264] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\system32\SearchIndexer.exe[3264] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\system32\SearchIndexer.exe[3264] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3264] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00250A08
.text C:\Windows\system32\SearchIndexer.exe[3264] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002503FC
.text C:\Windows\system32\SearchIndexer.exe[3264] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00250804
.text C:\Windows\system32\SearchIndexer.exe[3264] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002501F8
.text C:\Windows\system32\SearchIndexer.exe[3264] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00250600
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001003FC
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00100804
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001001F8
.text C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe[3304] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00100600
.text C:\Program Files\iPod\bin\iPodService.exe[3536] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\iPod\bin\iPodService.exe[3536] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\iPod\bin\iPodService.exe[3536] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\iPod\bin\iPodService.exe[3536] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00100A08
.text C:\Program Files\iPod\bin\iPodService.exe[3536] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001003FC
.text C:\Program Files\iPod\bin\iPodService.exe[3536] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00100804
.text C:\Program Files\iPod\bin\iPodService.exe[3536] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001001F8
.text C:\Program Files\iPod\bin\iPodService.exe[3536] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00100600
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00210A08
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 002103FC
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00210804
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002101F8
.text C:\Users\Liam\Desktop\6j1422jm.exe[3720] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00210600
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] USER32.dll!UnhookWindowsHookEx 763DADF9 5 Bytes JMP 00140A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] USER32.dll!UnhookWinEvent 763DB750 5 Bytes JMP 001403FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00140804
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 001401F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3880] USER32.dll!SetWindowsHookExA 76406D0C 5 Bytes JMP 00140600

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85E6E1F8
Device \FileSystem\fastfat \FatCdrom 8706B500
Device \Driver\volmgr \Device\VolMgrControl 85E6A1F8
Device \Driver\usbuhci \Device\USBPDO-0 870831F8
Device \Driver\usbuhci \Device\USBPDO-1 870831F8
Device \Driver\usbehci \Device\USBPDO-2 870851F8
Device \Driver\usbuhci \Device\USBPDO-3 870831F8
Device \Driver\usbuhci \Device\USBPDO-4 870831F8

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBPDO-5 870831F8
Device \Driver\usbehci \Device\USBPDO-6 870851F8
Device \Driver\volmgr \Device\HarddiskVolume1 85E6A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 85E6A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 86F271F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-2 85E6C1F8
Device \Driver\atapi \Device\Ide\IdePort0 85E6C1F8
Device \Driver\atapi \Device\Ide\IdePort1 85E6C1F8
Device \Driver\atapi \Device\Ide\IdePort2 85E6C1F8
Device \Driver\atapi \Device\Ide\IdePort3 85E6C1F8
Device \Driver\atapi \Device\Ide\IdePort4 85E6C1F8
Device \Driver\atapi \Device\Ide\IdePort5 85E6C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-9 85E6C1F8
Device \Driver\volmgr \Device\HarddiskVolume3 85E6A1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 86FFD1F8
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{6AA141E0-4A77-40AC-A6BA-9B6F6F5EC199} 86FFD1F8

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

Device \Driver\usbuhci \Device\USBFDO-0 870831F8
Device \Driver\usbuhci \Device\USBFDO-1 870831F8
Device \Driver\usbehci \Device\USBFDO-2 870851F8
Device \Driver\usbuhci \Device\USBFDO-3 870831F8
Device \Driver\usbuhci \Device\USBFDO-4 870831F8
Device \Driver\usbuhci \Device\USBFDO-5 870831F8
Device \Driver\usbehci \Device\USBFDO-6 870851F8
Device \FileSystem\fastfat \Fat 8706B500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:3656] 9A59DF2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x30 0xBE 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x30 0xBE 0x47 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x30 0xBE 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x30 0xBE 0x47 ...
Reg HKLM\SYSTEM\ControlSet005\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet005\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0E 0x30 0xBE 0x47 ...

---- Files - GMER 1.0.15 ----

File C:\## aswSnx private storage 0 bytes
File C:\## aswSnx private storage\snx_rhive 262144 bytes
File C:\## aswSnx private storage\snx_rhive.LOG1 5120 bytes
File C:\## aswSnx private storage\snx_rhive.LOG2 0 bytes
File C:\## aswSnx private storage\snx_rhive{add876bd-75ce-11e0-bfc8-001c255016fa}.TM.blf 65536 bytes
File C:\## aswSnx private storage\snx_rhive{add876bd-75ce-11e0-bfc8-001c255016fa}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File C:\## aswSnx private storage\snx_rhive{add876bd-75ce-11e0-bfc8-001c255016fa}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
File C:\## aswSnx private storage\webStorage 0 bytes
File C:\## aswSnx private storage\webStorage\attrib 0 bytes
File C:\## aswSnx private storage\webStorage\image 0 bytes
File C:\## aswSnx private storage\webStorage\image\Windows 0 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch 0 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf 14686 bytes
File C:\## aswSnx private storage\webStorage\image\Windows\Prefetch\IEXPLORE.EXE-8F1B6CBC.pf 12158 bytes
File C:\## aswSnx private storage\webStorage\snx_fs.dat 612 bytes

---- EOF - GMER 1.0.15 ----
Randal'Thor
Active Member
 
Posts: 14
Joined: September 13th, 2008, 7:21 am
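
The GMER listing above shows the same handful of APIs (ntdll!LdrLoadDll, ntdll!LdrUnloadDll, kernel32!GetBinaryTypeW, the USER32 hook functions) patched with a 5-byte JMP in every user-mode process, and the jump targets share the same low 12 bits from process to process. That pattern is what a single injected component mapped at a different base in each process looks like, commonly a security product's shim; the hook that deserves attention in such a log is the one that breaks the pattern. The script below is an added example, not part of this thread or of GMER: it parses '.text' entries in the format shown above, treats APIs hooked in a majority of processes with a consistent in-page jump offset as the uniform set, and reports everything else. The three real processes are taken from the log; the process at pid 9999 and its two hook lines are constructed to show an outlier.

```python
"""Triage the '.text' hook entries of a GMER 'Code sections' listing.

Added example (not part of the forum thread or of GMER). Uniform hooks,
the same APIs patched in most processes with matching in-page jump
offsets, are reported as one set; hooks that appear in only a few
processes or jump somewhere different are reported as outliers.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One '.text' entry, e.g.
#   .text C:\Windows\System32\hkcmd.exe[3100] USER32.dll!SetWinEventHook 763E24DC 5 Bytes JMP 002001F8
#   .text C:\Windows\system32\igfxsrvc.exe[3108] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$"
)

@dataclass(frozen=True)
class Hook:
    proc: str    # image path of the hooked process
    pid: int
    api: str     # "module!function", plus "+offset" for a mid-function patch
    addr: int    # patched address inside the loaded module
    size: int    # number of bytes overwritten
    patch: str   # "JMP <target>" or literal bytes such as "[62]"

    @property
    def jmp_target(self):
        """JMP destination as an int, or None for inline byte patches."""
        m = re.fullmatch(r"JMP\s+([0-9A-Fa-f]{8})", self.patch)
        return int(m.group(1), 16) if m else None

def parse_gmer_hooks(text):
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # headers, Device/Reg/File lines, blanks
        api = f"{m['module']}!{m['func']}"
        if m["off"]:
            api += f"+{m['off'].upper()}"
        hooks.append(Hook(m["proc"], int(m["pid"]), api,
                          int(m["addr"], 16), int(m["size"]), m["patch"]))
    return hooks

def triage(hooks):
    """Split hooks into the uniform set (api -> process count) and outliers."""
    procs = {h.pid for h in hooks}
    by_api = defaultdict(dict)            # api -> {pid: Hook}
    for h in hooks:
        by_api[h.api][h.pid] = h
    uniform, outliers = {}, []
    for api, per_pid in by_api.items():
        # Low 12 bits of the jump target: one injected image mapped at
        # different bases gives the same in-page offset in every process.
        offs = Counter(h.jmp_target & 0xFFF
                       for h in per_pid.values() if h.jmp_target is not None)
        common = offs.most_common(1)[0][0] if offs else None
        majority = len(per_pid) * 2 > len(procs)
        for h in per_pid.values():
            t = h.jmp_target
            if majority and (t is None or (t & 0xFFF) == common):
                uniform[api] = uniform.get(api, 0) + 1
            else:
                outliers.append(h)
    return {"processes": len(procs), "uniform": uniform, "outliers": outliers}

# Three processes copied from the log above; pid 9999 and its lines are constructed.
SAMPLE_LOG = r"""
.text C:\Windows\system32\igfxsrvc.exe[3108] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Windows\system32\igfxsrvc.exe[3108] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Windows\system32\igfxsrvc.exe[3108] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\system32\igfxsrvc.exe[3108] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 001F0804
.text C:\Windows\System32\igfxpers.exe[3136] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 001603FC
.text C:\Windows\System32\igfxpers.exe[3136] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 001601F8
.text C:\Windows\System32\igfxpers.exe[3136] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\igfxpers.exe[3136] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00300804
.text C:\Windows\System32\StikyNot.exe[3160] ntdll.dll!LdrUnloadDll 7784C8DE 5 Bytes JMP 000603FC
.text C:\Windows\System32\StikyNot.exe[3160] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 000601F8
.text C:\Windows\System32\StikyNot.exe[3160] kernel32.dll!GetBinaryTypeW + 70 77374F63 1 Byte [62]
.text C:\Windows\System32\StikyNot.exe[3160] USER32.dll!SetWindowsHookExW 763DE30C 5 Bytes JMP 00170804
.text C:\constructed\sample.exe[9999] ntdll.dll!LdrLoadDll 778522B8 5 Bytes JMP 10002000
.text C:\constructed\sample.exe[9999] WS2_32.dll!send 76A13CDC 5 Bytes JMP 10002A10
"""

if __name__ == "__main__":
    result = triage(parse_gmer_hooks(SAMPLE_LOG))
    print(f"{result['processes']} hooked processes; uniform hook set:")
    for api, n in sorted(result["uniform"].items()):
        print(f"  {api:36} in {n} processes")
    print("hooks to examine:")
    for h in result["outliers"]:
        print(f"  {h.proc}[{h.pid}] {h.api} {h.patch}")
```

Feed it a full GMER log (the Device, Reg and File sections are skipped by the regex) and the uniform set collapses to a few lines, leaving only the exceptions to read. The listing itself does not say which module owns a jump target, so confirming that the uniform set belongs to the installed security product, and what the outliers belong to, is the next step rather than something the parser can decide.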

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Scolabar » May 7th, 2011, 9:57 am

Hi Randal'Thor,

Firstly, please can you confirm whether or not you connect to the university network?

Secondly, can you also let me know the source of your "repair disc" (was it provided by the computer manufacturer, for example)?

Please then read the following instructions carefully before executing them, and perform the steps in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem before going any further.

Again, before we proceed please make sure any open programs are closed. ;)

Step 1:
ERUNT - Emergency Recovery Utility NT

First we will try to back up the Registry with ERUNT:

Modifying the Registry can create unforeseen problems, so it's always wise to create a backup before doing so.
ERUNT (Emergency Recovery Utility NT) by Lars Hederer is a free program that allows you to create a complete backup of your registry and restore it when needed.

  1. Please download ERUNT and save it to your Desktop.
  2. Double-click on erunt-setup-exe to run the installation process.
    Vista - W7 users: Right-click on erunt-setup-exe and select "Run As Administrator" to run the installation process.
    Note: If the Open File - Security Warning window pops up, click on the Run button.
  3. Install ERUNT by following the prompts using the default installation settings.
  4. Make sure the first two check boxes Create ERUNT desktop icon and Create NTREGOPT desktop icon are checked.
  5. When you reach the section that asks you to add ERUNT to the Start-Up folder click on the No button. This can be enabled later, if required.
  6. In the final screen make sure the Show documentation option is unchecked. Then click on the Finish button.
  7. Click on the OK button in the Welcome! screen.
  8. Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT\DD-MM-YYYY (where DD-MM-YYYY is the date of the backup) which is fine.
  9. Under Backup options make sure both of the first two options: System registry and Current user registry are checked.
  10. Click on the Yes button to allow the folder to be created.
    After a short duration the Registry backup is complete! pop-up message will appear.
  11. Now click on OK. A registry backup has now been created.

< STOP > If you are unable to complete this step successfully, < STOP > do not continue with any fix steps, let me know immediately in your next post!

Step 2:
DeFogger

We need to disable the active CD Emulation drivers as they will almost certainly interfere with the cleanup process.

  1. Please download DeFogger by jpshortstuff and save it to your Desktop.
  2. Double click on DeFogger.exe to run the tool.
    Vista - W7 users: Right-click on DeFogger.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  3. When the application window appears click on the Disable button to disable your CD Emulation drivers.
  4. Click on the Yes button to continue.
  5. When the Finished! message appears click on the OK button.
  6. Then click on the OK button when DeFogger asks to reboot the machine.

Please do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Step 3:
Malwarebytes' Anti-Malware

I notice you already have this program installed on your computer. ;)
Let's check for updates and run the program.

Please save any items you have been working on and close any open programs. You may be asked to reboot your machine.

  1. Launch Malwarebytes' Anti-Malware
    Vista - W7 users: Right-click on the Malwarebytes' Anti-Malware desktop icon and select "Run As Administrator..." to launch the program. If you receive a UAC prompt, please allow it.
  2. You will be asked to update the program before performing a scan. Please do so.
    • If an update is found, the program will automatically download and install the update.
    • Click on the OK button to close that box and continue.
    • If you have any problems downloading updates download them manually from here and double-click on mbam-rules.exe to complete the installation.

On the Scanner tab:
  1. Make sure the Perform quick scan option is selected.
  2. Then click on the Scan button.
  3. If asked to select the drives to scan, leave all the drives selected and then click on the Start Scan button.
  4. The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  5. When the scan is finished, a message box will be displayed saying The scan completed successfully. Click 'Show Results' to display all objects found.
  6. Click on the OK button to close the message box and continue with the removal process.

Back at the main Scanner screen:
  1. Click on the Show Results button to see a list of any malware that was found.
  2. Check all items except items in the C:\System Volume Information folder and then click on the Remove Selected button.
    The System Volume Information items will be taken care of later.
  3. When the removal has been completed, a log report will open in Notepad and you may be prompted to restart your computer. (See Note below).
  4. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    The log can also be found here:
    C:\Documents and Settings\Account Name\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  5. Please Copy and Paste the entire contents of mbam-log-date (time).txt into your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either prompt and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Step 4:
TDSSKiller

Please download TDSSKiller.exe by Kaspersky and save it to your Desktop. <-Important!!!

  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista - W7 users: Right-click on TDSSKiller.exe and select "Run As Administrator..." to launch the program. If you receive a UAC prompt, please allow it.
    If TDSSKiller does not run rename the program file. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the Scan results - Select action for found objects and offer 3 options.
    • Ensure Cure (default) is selected and then click Continue > Reboot now to finish the cleaning process.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory (usually Local Disk C:).
  6. Copy and Paste the entire contents of the TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt file into your next reply.

Step 5:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. mbam-log-date (time).txt.
  3. TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt.

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Randal'Thor » May 7th, 2011, 6:59 pm

Howdy Scolabar. :)

Firstly, please can you confirm whether or not you connect to the university network?

I do not. My resources and internet are provided by a separate company.

Secondly, can you also let me know the source of your "repair disc" (was it provided by the computer manufacturer, for example)?

It was downloaded as I have used it in the past already for a separate Windows 7 machine.

I had no problems following your steps. ERUNT was successful.


Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Database version: 6528

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

8/05/2011 8:54:07 AM
mbam-log-2011-05-08 (08-54-07).txt

Scan type: Quick scan
Objects scanned: 145884
Time elapsed: 3 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the log from TDSSKiller:

2011/05/08 08:56:56.0106 3812 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/08 08:56:57.0432 3812 ================================================================================
2011/05/08 08:56:57.0432 3812 SystemInfo:
2011/05/08 08:56:57.0432 3812
2011/05/08 08:56:57.0432 3812 OS Version: 6.1.7601 ServicePack: 1.0
2011/05/08 08:56:57.0432 3812 Product type: Workstation
2011/05/08 08:56:57.0432 3812 ComputerName: RANDALTHOR
2011/05/08 08:56:57.0432 3812 UserName: Liam
2011/05/08 08:56:57.0432 3812 Windows directory: C:\Windows
2011/05/08 08:56:57.0432 3812 System windows directory: C:\Windows
2011/05/08 08:56:57.0432 3812 Processor architecture: Intel x86
2011/05/08 08:56:57.0432 3812 Number of processors: 4
2011/05/08 08:56:57.0432 3812 Page size: 0x1000
2011/05/08 08:56:57.0432 3812 Boot type: Normal boot
2011/05/08 08:56:57.0432 3812 ================================================================================
2011/05/08 08:56:58.0119 3812 Initialize success
2011/05/08 08:57:34.0685 1108 ================================================================================
2011/05/08 08:57:34.0685 1108 Scan started
2011/05/08 08:57:34.0685 1108 Mode: Manual;
2011/05/08 08:57:34.0685 1108 ================================================================================
2011/05/08 08:57:35.0434 1108 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
2011/05/08 08:57:35.0497 1108 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
2011/05/08 08:57:35.0528 1108 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
2011/05/08 08:57:35.0575 1108 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/05/08 08:57:35.0606 1108 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2011/05/08 08:57:35.0621 1108 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2011/05/08 08:57:35.0668 1108 AFD (1151fd4fb0216cfed887bfde29ebd516) C:\Windows\system32\drivers\afd.sys
2011/05/08 08:57:35.0715 1108 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
2011/05/08 08:57:35.0746 1108 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2011/05/08 08:57:35.0762 1108 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
2011/05/08 08:57:35.0809 1108 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
2011/05/08 08:57:35.0824 1108 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
2011/05/08 08:57:35.0840 1108 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2011/05/08 08:57:35.0855 1108 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2011/05/08 08:57:35.0887 1108 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
2011/05/08 08:57:35.0918 1108 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/05/08 08:57:35.0933 1108 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
2011/05/08 08:57:35.0980 1108 Andbus (3e59df4984fbd6800d6621480b38a34e) C:\Windows\system32\DRIVERS\lgandbus.sys
2011/05/08 08:57:36.0027 1108 AndDiag (8e0bf6f3b2c9c292bc7ce0de727cdd56) C:\Windows\system32\DRIVERS\lganddiag.sys
2011/05/08 08:57:36.0043 1108 AndGps (1d2c90e25483363d54b652898bbc8f2a) C:\Windows\system32\DRIVERS\lgandgps.sys
2011/05/08 08:57:36.0074 1108 ANDModem (b1b06a95da2cac7fa19832c60c348c85) C:\Windows\system32\DRIVERS\lgandmodem.sys
2011/05/08 08:57:36.0105 1108 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
2011/05/08 08:57:36.0167 1108 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2011/05/08 08:57:36.0199 1108 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2011/05/08 08:57:36.0230 1108 aswFsBlk (9bdb29e81abceb883556df44649696c4) C:\Windows\system32\drivers\aswFsBlk.sys
2011/05/08 08:57:36.0261 1108 aswMonFlt (a80fb17ce4ed7af4a5f24aaa753e4168) C:\Windows\system32\drivers\aswMonFlt.sys
2011/05/08 08:57:36.0277 1108 aswRdr (a90cf680ca7a323913ca3a0810c8e02d) C:\Windows\system32\drivers\aswRdr.sys
2011/05/08 08:57:36.0323 1108 aswSnx (f7969934cca2e566e95df17380a3cb11) C:\Windows\system32\drivers\aswSnx.sys
2011/05/08 08:57:36.0355 1108 aswSP (478d6a0e0630c31bf4a7f5eb0a05b92c) C:\Windows\system32\drivers\aswSP.sys
2011/05/08 08:57:36.0370 1108 aswTdi (e52e45743e27fd6184c55618a10b81ab) C:\Windows\system32\drivers\aswTdi.sys
2011/05/08 08:57:36.0386 1108 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/08 08:57:36.0417 1108 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
2011/05/08 08:57:36.0479 1108 athr (b01751cc563aecac09bbe36aaa21fbef) C:\Windows\system32\DRIVERS\athr.sys
2011/05/08 08:57:36.0542 1108 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2011/05/08 08:57:36.0573 1108 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/05/08 08:57:36.0604 1108 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/05/08 08:57:36.0651 1108 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/05/08 08:57:36.0682 1108 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/08 08:57:36.0698 1108 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/05/08 08:57:36.0713 1108 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/05/08 08:57:36.0745 1108 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/05/08 08:57:36.0760 1108 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/05/08 08:57:36.0776 1108 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/05/08 08:57:36.0807 1108 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/05/08 08:57:36.0823 1108 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/05/08 08:57:36.0854 1108 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/08 08:57:36.0885 1108 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/08 08:57:36.0916 1108 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2011/05/08 08:57:36.0963 1108 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/05/08 08:57:36.0994 1108 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/05/08 08:57:37.0025 1108 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
2011/05/08 08:57:37.0041 1108 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/05/08 08:57:37.0057 1108 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/05/08 08:57:37.0088 1108 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
2011/05/08 08:57:37.0119 1108 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/05/08 08:57:37.0166 1108 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
2011/05/08 08:57:37.0228 1108 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
2011/05/08 08:57:37.0244 1108 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/05/08 08:57:37.0291 1108 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/05/08 08:57:37.0337 1108 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/05/08 08:57:37.0384 1108 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/08 08:57:37.0431 1108 e1express (cf0a6015f437161698c5b2a0a12cf052) C:\Windows\system32\DRIVERS\e1e6032.sys
2011/05/08 08:57:37.0509 1108 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/05/08 08:57:37.0587 1108 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/05/08 08:57:37.0634 1108 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
2011/05/08 08:57:37.0665 1108 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/05/08 08:57:37.0696 1108 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/05/08 08:57:37.0727 1108 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/08 08:57:37.0743 1108 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/05/08 08:57:37.0774 1108 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/05/08 08:57:37.0790 1108 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/08 08:57:37.0821 1108 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/05/08 08:57:37.0852 1108 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/05/08 08:57:37.0868 1108 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/08 08:57:37.0899 1108 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
2011/05/08 08:57:37.0930 1108 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/05/08 08:57:37.0961 1108 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/05/08 08:57:37.0993 1108 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/05/08 08:57:38.0039 1108 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
2011/05/08 08:57:38.0055 1108 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
2011/05/08 08:57:38.0102 1108 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/05/08 08:57:38.0133 1108 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/05/08 08:57:38.0149 1108 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/05/08 08:57:38.0195 1108 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/08 08:57:38.0227 1108 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
2011/05/08 08:57:38.0273 1108 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
2011/05/08 08:57:38.0305 1108 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
2011/05/08 08:57:38.0336 1108 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
2011/05/08 08:57:38.0383 1108 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
2011/05/08 08:57:38.0507 1108 igfx (9467514ea189475a6e7fdc5d7bde9d3f) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/05/08 08:57:39.0022 1108 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/05/08 08:57:39.0178 1108 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
2011/05/08 08:57:39.0225 1108 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/08 08:57:39.0303 1108 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/08 08:57:39.0350 1108 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
2011/05/08 08:57:39.0365 1108 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/05/08 08:57:39.0459 1108 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/05/08 08:57:39.0490 1108 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
2011/05/08 08:57:39.0568 1108 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
2011/05/08 08:57:39.0599 1108 ivusb (994ebb45c4b438e1f6ea0b958ae9b9a3) C:\Windows\system32\DRIVERS\ivusb.sys
2011/05/08 08:57:39.0615 1108 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
2011/05/08 08:57:39.0662 1108 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
2011/05/08 08:57:39.0693 1108 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/08 08:57:39.0740 1108 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
2011/05/08 08:57:39.0771 1108 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/08 08:57:39.0802 1108 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/05/08 08:57:39.0818 1108 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/05/08 08:57:39.0849 1108 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/05/08 08:57:39.0865 1108 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/05/08 08:57:39.0880 1108 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/05/08 08:57:39.0896 1108 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/05/08 08:57:39.0927 1108 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/05/08 08:57:39.0958 1108 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/05/08 08:57:39.0974 1108 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/08 08:57:40.0005 1108 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/08 08:57:40.0036 1108 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/08 08:57:40.0067 1108 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
2011/05/08 08:57:40.0114 1108 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
2011/05/08 08:57:40.0145 1108 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/08 08:57:40.0177 1108 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
2011/05/08 08:57:40.0208 1108 mrxsmb (ed3d3419b064f28d812995ed8cadc541) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/08 08:57:40.0255 1108 mrxsmb10 (dc914446049169a964e27fd8888ffaee) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/08 08:57:40.0286 1108 mrxsmb20 (e7d90388d14fae057c166c1801e0bf94) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/08 08:57:40.0333 1108 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
2011/05/08 08:57:40.0364 1108 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
2011/05/08 08:57:40.0411 1108 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/05/08 08:57:40.0442 1108 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/05/08 08:57:40.0473 1108 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
2011/05/08 08:57:40.0504 1108 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/08 08:57:40.0520 1108 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/08 08:57:40.0535 1108 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/05/08 08:57:40.0567 1108 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/05/08 08:57:40.0598 1108 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
2011/05/08 08:57:40.0613 1108 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/05/08 08:57:40.0629 1108 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/05/08 08:57:40.0660 1108 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2011/05/08 08:57:40.0691 1108 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/08 08:57:40.0738 1108 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
2011/05/08 08:57:40.0769 1108 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/05/08 08:57:40.0785 1108 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/08 08:57:40.0816 1108 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/08 08:57:40.0847 1108 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/08 08:57:40.0879 1108 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
2011/05/08 08:57:40.0910 1108 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/08 08:57:40.0941 1108 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/08 08:57:40.0972 1108 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/05/08 08:57:41.0003 1108 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2011/05/08 08:57:41.0019 1108 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/08 08:57:41.0081 1108 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
2011/05/08 08:57:41.0128 1108 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2011/05/08 08:57:41.0175 1108 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
2011/05/08 08:57:41.0222 1108 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
2011/05/08 08:57:41.0269 1108 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
2011/05/08 08:57:41.0315 1108 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
2011/05/08 08:57:41.0347 1108 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2011/05/08 08:57:41.0378 1108 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
2011/05/08 08:57:41.0393 1108 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2011/05/08 08:57:41.0425 1108 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
2011/05/08 08:57:41.0440 1108 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
2011/05/08 08:57:41.0471 1108 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/05/08 08:57:41.0487 1108 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2011/05/08 08:57:41.0518 1108 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2011/05/08 08:57:41.0643 1108 pgfilter (2cf226173b467ab48f89d77e89936951) C:\Program Files\PeerGuardian2\pgfilter.sys
2011/05/08 08:57:41.0690 1108 Point32 (7d7a9c17d5455203dea11e5ef886cc59) C:\Windows\system32\DRIVERS\point32.sys
2011/05/08 08:57:41.0721 1108 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/08 08:57:41.0752 1108 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2011/05/08 08:57:41.0783 1108 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/08 08:57:41.0815 1108 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2011/05/08 08:57:41.0861 1108 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/05/08 08:57:41.0877 1108 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/08 08:57:41.0908 1108 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/08 08:57:41.0939 1108 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/05/08 08:57:41.0971 1108 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/08 08:57:41.0986 1108 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/08 08:57:42.0017 1108 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/08 08:57:42.0049 1108 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/08 08:57:42.0080 1108 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/05/08 08:57:42.0127 1108 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/08 08:57:42.0158 1108 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
2011/05/08 08:57:42.0189 1108 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/08 08:57:42.0205 1108 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2011/05/08 08:57:42.0251 1108 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
2011/05/08 08:57:42.0298 1108 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
2011/05/08 08:57:42.0361 1108 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/08 08:57:42.0407 1108 s1018bus (1c5c2cb892553d2cf3f45a4bb323fcd6) C:\Windows\system32\DRIVERS\s1018bus.sys
2011/05/08 08:57:42.0439 1108 s1018mdfl (38f5ea219593f19b6b3a1b9c169e3b61) C:\Windows\system32\DRIVERS\s1018mdfl.sys
2011/05/08 08:57:42.0485 1108 s1018mdm (666af6b64fc7df92d3ca4819ea91631d) C:\Windows\system32\DRIVERS\s1018mdm.sys
2011/05/08 08:57:42.0517 1108 s1018mgmt (f4ceda6e2ddff2af8bd745615a7ca9c0) C:\Windows\system32\DRIVERS\s1018mgmt.sys
2011/05/08 08:57:42.0548 1108 s1018nd5 (3622d9ff2253dcbe885b10736609a4ca) C:\Windows\system32\DRIVERS\s1018nd5.sys
2011/05/08 08:57:42.0579 1108 s1018obex (49431efda842b474531c29ffae9f5d09) C:\Windows\system32\DRIVERS\s1018obex.sys
2011/05/08 08:57:42.0610 1108 s1018unic (ac6b514cb4474f4c867d7cdc9cd54f05) C:\Windows\system32\DRIVERS\s1018unic.sys
2011/05/08 08:57:42.0688 1108 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
2011/05/08 08:57:42.0735 1108 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
2011/05/08 08:57:42.0766 1108 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\Windows\system32\drivers\SCDEmu.sys
2011/05/08 08:57:42.0797 1108 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
2011/05/08 08:57:42.0829 1108 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/08 08:57:42.0875 1108 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2011/05/08 08:57:42.0891 1108 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2011/05/08 08:57:42.0922 1108 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2011/05/08 08:57:42.0953 1108 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
2011/05/08 08:57:42.0969 1108 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/08 08:57:43.0000 1108 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/08 08:57:43.0000 1108 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/05/08 08:57:43.0047 1108 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
2011/05/08 08:57:43.0078 1108 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/05/08 08:57:43.0094 1108 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/05/08 08:57:43.0125 1108 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2011/05/08 08:57:43.0156 1108 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2011/05/08 08:57:43.0219 1108 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\System32\Drivers\sptd.sys
2011/05/08 08:57:43.0265 1108 srv (4e636465a8653ba3bf29f929aa578e6f) C:\Windows\system32\DRIVERS\srv.sys
2011/05/08 08:57:43.0297 1108 srv2 (4e4e17a3865f650ee8c67726872d9431) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/08 08:57:43.0328 1108 srvnet (1346dff5be932939997d373d61a35626) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/08 08:57:43.0343 1108 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2011/05/08 08:57:43.0390 1108 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
2011/05/08 08:57:43.0406 1108 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
2011/05/08 08:57:43.0437 1108 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
2011/05/08 08:57:43.0499 1108 Tcpip (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\drivers\tcpip.sys
2011/05/08 08:57:43.0562 1108 TCPIP6 (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/08 08:57:43.0593 1108 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/08 08:57:43.0624 1108 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
2011/05/08 08:57:43.0655 1108 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
2011/05/08 08:57:43.0687 1108 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/08 08:57:43.0718 1108 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
2011/05/08 08:57:43.0780 1108 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/08 08:57:43.0811 1108 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
2011/05/08 08:57:43.0858 1108 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/08 08:57:43.0905 1108 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2011/05/08 08:57:43.0936 1108 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/08 08:57:43.0967 1108 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/08 08:57:44.0014 1108 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
2011/05/08 08:57:44.0030 1108 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2011/05/08 08:57:44.0092 1108 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
2011/05/08 08:57:44.0139 1108 usbccgp (7e72e7d7e0757d59481d530fd2b0bfae) C:\Windows\system32\drivers\usbccgp.sys
2011/05/08 08:57:44.0186 1108 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
2011/05/08 08:57:44.0233 1108 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/08 08:57:44.0264 1108 usbhub (9d22aad9ac6a07c691a1113e5f860868) C:\Windows\system32\drivers\usbhub.sys
2011/05/08 08:57:44.0279 1108 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2011/05/08 08:57:44.0295 1108 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/08 08:57:44.0326 1108 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/08 08:57:44.0357 1108 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/08 08:57:44.0389 1108 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
2011/05/08 08:57:44.0420 1108 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/08 08:57:44.0435 1108 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2011/05/08 08:57:44.0467 1108 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
2011/05/08 08:57:44.0482 1108 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
2011/05/08 08:57:44.0513 1108 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2011/05/08 08:57:44.0529 1108 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
2011/05/08 08:57:44.0560 1108 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
2011/05/08 08:57:44.0576 1108 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
2011/05/08 08:57:44.0591 1108 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
2011/05/08 08:57:44.0623 1108 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2011/05/08 08:57:44.0638 1108 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
2011/05/08 08:57:44.0669 1108 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/05/08 08:57:44.0701 1108 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
2011/05/08 08:57:44.0716 1108 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
2011/05/08 08:57:44.0747 1108 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2011/05/08 08:57:44.0779 1108 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/08 08:57:44.0779 1108 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/08 08:57:44.0825 1108 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2011/05/08 08:57:44.0857 1108 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
2011/05/08 08:57:44.0888 1108 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/08 08:57:44.0935 1108 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/05/08 08:57:44.0950 1108 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2011/05/08 08:57:45.0013 1108 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
2011/05/08 08:57:45.0044 1108 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
2011/05/08 08:57:45.0075 1108 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/08 08:57:45.0122 1108 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
2011/05/08 08:57:45.0169 1108 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/08 08:57:45.0231 1108 ================================================================================
2011/05/08 08:57:45.0231 1108 Scan finished
2011/05/08 08:57:45.0231 1108 ================================================================================
Randal'Thor
Active Member
 
Posts: 14
Joined: September 13th, 2008, 7:21 am
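The driver listing above is the kind of output a helper has to read by eye: several hundred lines of service name, MD5 and image path. As an added example (not part of the original post and not code from the scanner that produced the log), the following Python triages a listing in that format: it parses each driver line, lists drivers whose image lives outside the Windows directory, groups service names that load the same file, and flags any file reported with two different hashes in one scan. The sample lines are copied from the log above; the directory prefix `C:\Windows` is assumed.

```python
"""Triage a driver listing in the format of the log above.

Each driver line looks like:
    2011/05/08 08:57:41.0643 1108 pgfilter (2cf22617...) C:\\Program Files\\PeerGuardian2\\pgfilter.sys
i.e. timestamp, PID of the scanner, service name, MD5 of the image in
parentheses, then the image path (which may contain spaces).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)

# Lines copied from the listing posted above; the separator and
# "Scan finished" lines are included to show that the parser skips them.
SAMPLE_LISTING = r"""
2011/05/08 08:57:41.0643 1108 pgfilter (2cf226173b467ab48f89d77e89936951) C:\Program Files\PeerGuardian2\pgfilter.sys
2011/05/08 08:57:43.0219 1108 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\System32\Drivers\sptd.sys
2011/05/08 08:57:43.0499 1108 Tcpip (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\drivers\tcpip.sys
2011/05/08 08:57:43.0562 1108 TCPIP6 (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/08 08:57:44.0092 1108 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
2011/05/08 08:57:45.0231 1108 ================================================================================
2011/05/08 08:57:45.0231 1108 Scan finished
"""


@dataclass(frozen=True)
class Driver:
    name: str
    md5: str
    path: str


def parse_listing(text):
    """Return one Driver per matching line; banners and separators are skipped."""
    drivers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            drivers.append(Driver(m["name"], m["md5"].lower(), m["path"]))
    return drivers


def outside_windows_dir(drivers, windows_dir=r"C:\Windows"):
    """Drivers whose image lives outside the Windows directory (assumed C:\\Windows).
    Application-installed kernel drivers legitimately appear here, so this is
    a review list rather than a verdict; each entry still deserves a look."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return [d for d in drivers if not d.path.lower().startswith(prefix)]


def shared_images(drivers):
    """Map image path -> service names when more than one service loads the
    same file (paths compared case-insensitively, as NTFS does).
    Windows does this itself for Tcpip/TCPIP6 and WANARP/Wanarpv6; an
    unexpected pairing is worth checking against the service's registry entry."""
    by_path = defaultdict(list)
    for d in drivers:
        by_path[d.path.lower()].append(d.name)
    return {p: names for p, names in by_path.items() if len(names) > 1}


def conflicting_hashes(drivers):
    """Image paths reported with more than one MD5 in the same listing.
    A single scan should never produce this; if it does, the file changed
    mid-scan or something fed the scanner different bytes per request."""
    by_path = defaultdict(set)
    for d in drivers:
        by_path[d.path.lower()].add(d.md5)
    return sorted(p for p, hashes in by_path.items() if len(hashes) > 1)


def triage(text):
    """Summarise a listing into the three review lists above."""
    drivers = parse_listing(text)
    return {
        "parsed": len(drivers),
        "outside_windows": sorted(d.name for d in outside_windows_dir(drivers)),
        "shared_images": shared_images(drivers),
        "conflicting_hashes": conflicting_hashes(drivers),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run against the full listing, the "outside Windows" list is the short list a helper actually reads (here pgfilter.sys and UnlockerDriver5.sys), while the shared-image report shows the Tcpip/TCPIP6 pairing is expected rather than suspicious.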

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Scolabar » May 8th, 2011, 5:16 pm

Hi Randal'Thor,

Thank you for the logs and confirming that ERUNT completed its backup successfully. :thumbright:

Can you please confirm whether or not you ran the DeFogger tool as requested?

Randal'Thor wrote:
Secondly, can you also let me know the source of your "repair disc" (- was it provided by the computer manufacturer, for example)?

It was downloaded as I have used it in the past already for a separate Windows 7 machine.

Please Note:
Regarding downloadable bootkits from the Internet you need to be aware that:
Gary R wrote: Dependent upon how the ISO image is created, these disks can be either legal or illegal.

If the software offered creates its ISO image using the User's own legal copy of Windows, then generally speaking they are legit. However if the ISO image is pre-created, then it is illegally distributing files to which Microsoft owns the copyright.

To create a bootable "Windows" disk (whichever OS) requires the disk to contain files which are the copyright of Microsoft. If those files are copied from the User's own legit set of Windows installation disks, that is alright, since Microsoft allow you to do this. However if a recovery disk comes "ready to run", then it is by law distributing files to which it does not have copyright, and as such is illegal.

There are a number of Linux disks that can be used to access an unbootable Windows OS, but their functionality in that regard is quite limited.
The best and safest course of action if you do not have the original recovery media for your PC would be to contact Acer Support.

Before we start dealing with the malware I would just like to make sure there is nothing else lurking hidden on your system by running another couple of scans. :)

Again, please read the following instructions carefully before executing them, perform the steps in the order given, and make sure any open programs are closed. ;)
If you have any questions about, or problems with, executing these instructions, STOP: do not proceed; post back with the question or problem before going any further.

Step 1:
Rkill

Firstly we will try to stop any active rogue processes that may interfere with the cleanup attempt:

  1. Please download Rkill by Grinler. Save it to your Desktop.
    Alternate download links are available as follows: Two, Three or Four.
    Note: If your security software warns about Rkill, please ignore and allow the download to continue.
  2. Double-click on the Rkill desktop icon.
    Vista - W7 users: Right-click on the Rkill desktop icon and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  3. A command window will open, then disappear upon completion; this is normal.
    • If this does not happen, delete the file, then download and use the next alternative link provided.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    Do not reboot your machine until asked to do so. If no version of Rkill would run, please let me know.
  4. When finished, Notepad will open with a log file, automatically saved at C:\rkill.log.
  5. Copy and Paste the entire contents of the rkill.log file into your next reply.
    Note: Please leave Rkill on the Desktop unless instructed otherwise.
Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.

Step 2:
Re-Run TFC

Print these instructions. Save any unsaved work. TFC will close ALL open programs including your browser!

  1. Double-click on TFC.exe to run it.
    Vista - W7 users: Right-click on TFC.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  2. TFC will now begin cleaning up the "temp" files.
    Note: This process may take only a few seconds or it could take several minutes, depending on the amount of temp files found.
  3. If prompted to reboot, click on the Yes button to confirm.

! IMPORTANT ! If TFC prompts you to reboot, please do so immediately, before proceeding with any other steps or other use of your computer.

Step 3:
Backup MBR

As a precaution I am going to ask you to back up your PC's Master Boot Record:

  • Download MBRBackup and save it to your Desktop.
  • Double-click MBRBackup.exe to launch the program.
    Vista - W7 users: Right-click on MBRBackup.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  • Click SaveMBR (top left corner) and save the backup file to your Desktop.
  • It will have a name similar to MBR_2010-10-06.bin where the numbers correspond to the date the backup was made.
  • Exit the program.
  • I strongly suggest you keep a copy of this backup stored on an external device - on CD or USB flash drive, for example.

Step 4:
MBRCheck - Scan

Let's check the PC's Master Boot Record (MBR):

  1. Please download MBRCheck.exe © a_d_13 to your Desktop.
    Alternate links: Link 2 or Link 3
  2. Double-click on MBRCheck.exe to launch the program.
    Vista - W7 users: Right-click on MBRCheck.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  3. A small black window will open with some information. Please do not fix anything (- if it gives you an option).
  4. If an unknown boot code is detected additional options will be presented. At this time press N then press Enter twice to continue.
  5. When the scan has completed you should see the message Done! Press ENTER to exit... Press Enter to exit the program.
    A file named MBRCheck_mm.dd.yy_hh.mm.ss.txt will appear on your Desktop.
  6. Please Copy and Paste the entire contents of the MBRCheck_mm.dd.yy_hh.mm.ss.txt file into your next reply.

Step 5:
Rootkit UnHooker (RkU)

Please download Rootkit Unhooker. Save it to your Desktop.
Please Note: The resulting log file can be very long. You may need to post it separately.

  1. Double-click on RKUnhookerLE.exe to run the program.
    Vista - W7 users: Right-click on RKUnhookerLE.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  2. Click the Report tab, then click Scan.
  3. Check the Drivers, Stealth Code, Files and Code Hooks options.
  4. Uncheck the rest of the options. Then click on the OK button. (See the image below for reference.)
    Image
    The scanning will toggle through the Checked items "tabs". This can take a while, so please be patient.
  5. When the scanner is finished, select File > Save Report.
  6. Save the file Report.txt to your Desktop.
  7. Click on the Close button and then click the Yes button to confirm.
  8. Copy and Paste the entire contents of the Report.txt file into your next reply.

Step 6:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. Did you run the DeFogger tool?
  3. MBRCheck_mm.dd.yy_hh.mm.ss.txt.
  4. Report.txt.

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm
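Steps 3 and 4 above back up the Master Boot Record and then have MBRCheck judge whether its boot code is known. The following is an added example, not part of Scolabar's post and not code from the MBRBackup or MBRCheck tools, showing in Python what those two steps rest on: the 512-byte sector is split into bootstrap code, the Windows disk signature, the four partition entries and the 0x55AA boot signature, and a current image is compared with a saved backup region by region, so a rewritten boot code stands out even when the partition table is untouched. The sample MBR is constructed inline; the field layout is the standard MBR layout, and no hash of any real boot code is claimed.

```python
"""Parse and compare 512-byte MBR images such as the MBR_YYYY-MM-DD.bin file
MBRBackup writes.

Layout (byte offsets):
    0..439   bootstrap code (the part a bootkit overwrites)
    440..443 Windows disk signature
    444..445 usually zero
    446..509 four 16-byte partition entries
    510..511 0x55 0xAA boot signature
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE = slice(0, 440)
DISK_SIG = slice(440, 444)
PART_TABLE = slice(446, 510)
BOOT_SIG = slice(510, 512)


def parse_mbr(data):
    """Return a dict describing the MBR; raise ValueError if it is not one."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    if data[BOOT_SIG] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    table = data[PART_TABLE]
    for i in range(4):
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", table, i * 16)
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "status": status,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": True,
        "disk_signature": struct.unpack("<I", data[DISK_SIG])[0],
        "boot_code_sha256": hashlib.sha256(data[BOOT_CODE]).hexdigest(),
        "partitions": partitions,
    }


def compare_with_backup(current, backup):
    """Name the regions that differ between a live MBR and a backup.
    Boot code should never change on its own; the partition table changes
    when partitions are created or deleted; the disk signature almost never."""
    parse_mbr(current)  # both must be well-formed before comparing
    parse_mbr(backup)
    changed = []
    for label, region in (("boot code", BOOT_CODE),
                          ("disk signature", DISK_SIG),
                          ("partition table", PART_TABLE)):
        if current[region] != backup[region]:
            changed.append(label)
    return changed


def build_sample_mbr(boot_fill=0x90):
    """Constructed test image (not a real disk): a jump stub padded with
    boot_fill, one active NTFS (type 0x07) partition starting at LBA 2048."""
    boot = bytes([0xEB, 0x3C, 0x90]) + bytes([boot_fill]) * (440 - 3)
    disk_sig = struct.pack("<I", 0x1234ABCD)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + bytes(48)  # three empty slots
    return boot + disk_sig + bytes(2) + table + b"\x55\xAA"


if __name__ == "__main__":
    backup = build_sample_mbr()
    live = build_sample_mbr(boot_fill=0xCC)  # simulates rewritten boot code
    print(parse_mbr(backup))
    print("changed:", compare_with_backup(live, backup))
```

To use this on the file Step 3 produces, read it with open(path, "rb").read() and pass the bytes as backup; reading the live first sector of \\.\PhysicalDrive0 needs administrator rights and is left out here. The point of comparing by region rather than by whole-sector hash is that a legitimate partition change and a changed boot code are reported separately.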

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Randal'Thor » May 8th, 2011, 6:48 pm

Hi Scolabar. :)

Can you please confirm whether or not you ran the DeFogger tool as requested?

Yes; the log I posted for you was the log it displayed when it finished.

Please Note: Regarding downloadable bootkits from the Internet you need to be aware that:

Understood. I obtained it through Ubuntu Support; it is not an installation disc but rather the repair version for Win 7.

The best and safest course of action if you do not have the original recovery media for your PC would be to contact Acer Support.

I have done so in the past with no luck. And since I am no longer in warranty they are not interested in me whatsoever.

I wasn't able to download Rootkit UnHooker as the site wouldn't load so I downloaded it from SpywareInfo instead. If it is the wrong version, please let me know. :)

MBR Backup was successful and I have saved an external copy.

Also, a new thing has started happening lately. Whenever I boot my computer, avast doesn't run unless I open it. It has never done this before and it happens when I boot every time now. Just thought I'd let you know.

Rkill Log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 09/05/2011 at 8:35:33.
Operating System: Windows 7 Professional

Processes terminated by Rkill or while it was running:

Rkill completed on 09/05/2011 at 8:35:58.


MBR Scan Log:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies, LTD
System Manufacturer: Acer
System Product Name: Veriton 7900Pro
Logical Drives Mask: 0x000000fc

Kernel Drivers (total 199):
0x83C06000 \SystemRoot\system32\ntkrnlpa.exe
0x84018000 \SystemRoot\system32\halmacpi.dll
0x80BCA000 \SystemRoot\system32\kdcom.dll
0x8420B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x84290000 \SystemRoot\system32\PSHED.dll
0x842A1000 \SystemRoot\system32\BOOTVID.dll
0x842A9000 \SystemRoot\system32\CLFS.SYS
0x842EB000 \SystemRoot\system32\CI.dll
0x8983A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x898AB000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x898B9000 \SystemRoot\system32\drivers\ACPI.sys
0x89901000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8990A000 \SystemRoot\system32\drivers\msisadrv.sys
0x89912000 \SystemRoot\system32\drivers\vdrvroot.sys
0x8991D000 \SystemRoot\system32\drivers\pci.sys
0x89947000 \SystemRoot\System32\drivers\partmgr.sys
0x89958000 \SystemRoot\system32\drivers\volmgr.sys
0x89968000 \SystemRoot\System32\drivers\volmgrx.sys
0x899B3000 \SystemRoot\system32\drivers\intelide.sys
0x899BA000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x899C8000 \SystemRoot\system32\drivers\pciide.sys
0x899CF000 \SystemRoot\System32\drivers\mountmgr.sys
0x89800000 \SystemRoot\system32\drivers\vmbus.sys
0x899E5000 \SystemRoot\system32\drivers\winhv.sys
0x899F7000 \SystemRoot\system32\drivers\atapi.sys
0x84396000 \SystemRoot\system32\drivers\ataport.SYS
0x8982A000 \SystemRoot\system32\drivers\amdxata.sys
0x843B9000 \SystemRoot\system32\drivers\fltmgr.sys
0x843ED000 \SystemRoot\system32\drivers\fileinfo.sys
0x89A3A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x89B69000 \SystemRoot\System32\Drivers\msrpc.sys
0x89B94000 \SystemRoot\System32\Drivers\ksecdd.sys
0x89C17000 \SystemRoot\System32\Drivers\cng.sys
0x89C74000 \SystemRoot\System32\drivers\pcw.sys
0x89C82000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x89C8B000 \SystemRoot\system32\drivers\ndis.sys
0x89D42000 \SystemRoot\system32\drivers\NETIO.SYS
0x89D80000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x89E35000 \SystemRoot\System32\drivers\tcpip.sys
0x89F7F000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89FB0000 \SystemRoot\system32\drivers\vmstorfl.sys
0x89FB9000 \SystemRoot\system32\drivers\volsnap.sys
0x89FF8000 \SystemRoot\System32\Drivers\spldr.sys
0x89E00000 \SystemRoot\System32\drivers\rdyboost.sys
0x89DA5000 \SystemRoot\System32\Drivers\mup.sys
0x89E2D000 \SystemRoot\System32\drivers\hwpolicy.sys
0x89DB5000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x89DE7000 \SystemRoot\system32\DRIVERS\disk.sys
0x89BA7000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x89A00000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8E632000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x8E6A2000 \SystemRoot\System32\Drivers\Null.SYS
0x8E6A9000 \SystemRoot\System32\Drivers\Beep.SYS
0x8E6B0000 \SystemRoot\System32\drivers\vga.sys
0x8E6BC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8E6DD000 \SystemRoot\System32\drivers\watchdog.sys
0x8E6EA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8E6F2000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8E6FA000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8E702000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8E70D000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8E71B000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8E732000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8E73E000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x8E748000 \SystemRoot\system32\drivers\afd.sys
0x8E7A2000 \SystemRoot\System32\Drivers\aswRdr.SYS
0x8E7A7000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8E7D9000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8E7E0000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8E600000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8E611000 \SystemRoot\system32\DRIVERS\netbios.sys
0x89A1F000 \SystemRoot\system32\DRIVERS\serial.sys
0x8E61F000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x89BE8000 \SystemRoot\system32\drivers\termdd.sys
0x8FA1A000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0x8FA28000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8FA69000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8FA73000 \SystemRoot\system32\drivers\mssmbios.sys
0x8FA7D000 \SystemRoot\System32\drivers\discache.sys
0x8FA89000 \SystemRoot\system32\drivers\csc.sys
0x8FAED000 \SystemRoot\System32\Drivers\dfsc.sys
0x8FB05000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8FB13000 \SystemRoot\System32\Drivers\aswSP.SYS
0x8FB5C000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8FB7D000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x90007000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x90510000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x905C7000 \SystemRoot\System32\drivers\dxgmms1.sys
0x8FB8F000 \SystemRoot\system32\DRIVERS\serenum.sys
0x8FB99000 \SystemRoot\system32\DRIVERS\e1e6032.sys
0x8FBD1000 \SystemRoot\System32\Drivers\fastfat.SYS
0x8FA00000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x90623000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x9066E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x9067D000 \SystemRoot\system32\drivers\HDAudBus.sys
0x907D3000 \SystemRoot\system32\DRIVERS\fdc.sys
0x907DE000 \SystemRoot\system32\DRIVERS\parport.sys
0x907F6000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x90600000 \SystemRoot\system32\drivers\CompositeBus.sys
0x9060D000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x9069C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x906B4000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x906BF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x906E1000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x906F9000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x90710000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x90727000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x90731000 \SystemRoot\system32\drivers\kbdclass.sys
0x9073E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x9074B000 \SystemRoot\system32\drivers\swenum.sys
0x9074D000 \SystemRoot\system32\drivers\ks.sys
0x90781000 \SystemRoot\system32\drivers\umbus.sys
0x9078F000 \SystemRoot\system32\drivers\usbhub.sys
0x9782C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x9783D000 \SystemRoot\system32\drivers\HdAudio.sys
0x9788D000 \SystemRoot\system32\drivers\portcls.sys
0x978BC000 \SystemRoot\system32\drivers\drmk.sys
0x97C70000 \SystemRoot\System32\win32k.sys
0x978D5000 \SystemRoot\System32\drivers\Dxapi.sys
0x978DF000 \SystemRoot\System32\Drivers\crashdmp.sys
0x978EC000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x978F7000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x97900000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x97911000 \SystemRoot\system32\DRIVERS\monitor.sys
0x97ED0000 \SystemRoot\System32\TSDDD.dll
0x9791C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x97933000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x97F20000 \SystemRoot\System32\ATMFD.DLL
0x97935000 \SystemRoot\system32\DRIVERS\wdcsam.sys
0x97938000 \SystemRoot\system32\drivers\luafv.sys
0x97953000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x9798B000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x9798E000 \SystemRoot\system32\drivers\WudfPf.sys
0x979A8000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x979B8000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x97800000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x97810000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8FA0B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x89C00000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x97823000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x89BCC000 \SystemRoot\system32\drivers\usbccgp.sys
0x84200000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8D427000 \SystemRoot\system32\DRIVERS\point32.sys
0x8D430000 \SystemRoot\system32\drivers\kbdhid.sys
0x8D43C000 \SystemRoot\system32\drivers\HTTP.sys
0x8D4C1000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8D4DA000 \SystemRoot\System32\drivers\mpsdrv.sys
0x8D4EC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x8D50F000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x8D54A000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x8D565000 \SystemRoot\system32\DRIVERS\parvdm.sys
0xAC429000 \SystemRoot\system32\drivers\peauth.sys
0xAC4C0000 \SystemRoot\System32\Drivers\secdrv.SYS
0xAC4CA000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xAC4EB000 \SystemRoot\System32\drivers\tcpipreg.sys
0xAC4F8000 \SystemRoot\System32\DRIVERS\srv2.sys
0xAC548000 \SystemRoot\System32\DRIVERS\srv.sys
0xAC59A000 \SystemRoot\system32\DRIVERS\udfs.sys
0xAC5DA000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x97F90000 \SystemRoot\System32\cdd.dll
0x77060000 \Windows\System32\ntdll.dll
0x48240000 \Windows\System32\smss.exe
0x772A0000 \Windows\System32\apisetschema.dll
0x002D0000 \Windows\System32\autochk.exe
0x771F0000 \Windows\System32\advapi32.dll
0x76FE0000 \Windows\System32\comdlg32.dll
0x76F30000 \Windows\System32\msvcrt.dll
0x76E20000 \Windows\System32\urlmon.dll
0x76D00000 \Windows\System32\wininet.dll
0x76C50000 \Windows\System32\rpcrt4.dll
0x76AB0000 \Windows\System32\setupapi.dll
0x771E0000 \Windows\System32\psapi.dll
0x771A0000 \Windows\System32\ws2_32.dll
0x76AA0000 \Windows\System32\lpk.dll
0x76A50000 \Windows\System32\Wldap32.dll
0x76890000 \Windows\System32\iertutil.dll
0x76880000 \Windows\System32\nsi.dll
0x767E0000 \Windows\System32\usp10.dll
0x767B0000 \Windows\System32\imagehlp.dll
0x75B60000 \Windows\System32\shell32.dll
0x75AD0000 \Windows\System32\oleaut32.dll
0x75A00000 \Windows\System32\msctf.dll
0x75930000 \Windows\System32\user32.dll
0x757D0000 \Windows\System32\ole32.dll
0x75780000 \Windows\System32\gdi32.dll
0x75720000 \Windows\System32\difxapi.dll
0x75710000 \Windows\System32\normaliz.dll
0x756B0000 \Windows\System32\shlwapi.dll
0x75690000 \Windows\System32\sechost.dll
0x755B0000 \Windows\System32\kernel32.dll
0x75520000 \Windows\System32\clbcatq.dll
0x75500000 \Windows\System32\imm32.dll
0x754B0000 \Windows\System32\KernelBase.dll
0x75480000 \Windows\System32\wintrust.dll
0x75460000 \Windows\System32\devobj.dll
0x75340000 \Windows\System32\crypt32.dll
0x752B0000 \Windows\System32\comctl32.dll
0x75280000 \Windows\System32\cfgmgr32.dll
0x75270000 \Windows\System32\msasn1.dll

Processes (total 53):
0 System Idle Process
4 System
404 C:\Windows\System32\smss.exe
504 csrss.exe
556 C:\Windows\System32\wininit.exe
564 csrss.exe
616 C:\Windows\System32\services.exe
640 C:\Windows\System32\lsass.exe
660 C:\Windows\System32\lsm.exe
788 C:\Windows\System32\svchost.exe
880 C:\Windows\System32\svchost.exe
948 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1036 C:\Windows\System32\svchost.exe
1124 C:\Windows\System32\audiodg.exe
1196 C:\Windows\System32\svchost.exe
1384 C:\Windows\System32\svchost.exe
1528 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1856 C:\Windows\System32\spoolsv.exe
1884 C:\Windows\System32\svchost.exe
1980 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2012 C:\Program Files\Intel\AMT\atchksrv.exe
2036 C:\Program Files\Bonjour\mDNSResponder.exe
252 C:\Windows\System32\svchost.exe
524 C:\Windows\System32\IPROSetMonitor.exe
604 C:\Program Files\Intel\AMT\LMS.exe
1084 C:\Windows\System32\svchost.exe
1496 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2080 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
2444 C:\Windows\System32\svchost.exe
3428 C:\Windows\System32\SearchIndexer.exe
3612 C:\Program Files\iPod\bin\iPodService.exe
2548 C:\Program Files\Windows Media Player\wmpnetwk.exe
3496 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
3308 csrss.exe
3440 C:\Windows\System32\winlogon.exe
2636 C:\Windows\System32\taskeng.exe
2244 C:\Windows\System32\taskhost.exe
3104 C:\Windows\System32\dwm.exe
3388 C:\Windows\explorer.exe
3880 C:\Program Files\iTunes\iTunesHelper.exe
4076 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3140 C:\Windows\System32\hkcmd.exe
2404 C:\Windows\System32\igfxpers.exe
2280 C:\Windows\System32\StikyNot.exe
3864 C:\Windows\System32\igfxsrvc.exe
3128 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
3920 C:\Program Files\Mozilla Firefox\firefox.exe
3120 C:\Windows\System32\SearchProtocolHost.exe
3168 C:\Windows\System32\SearchFilterHost.exe
2384 C:\Users\Liam\Desktop\MBRCheck.exe
1816 C:\Windows\System32\conhost.exe
3412 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`f3947600 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000027`2503b000 (FAT32)
\\.\H: --> \\.\PhysicalDrive1 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200AAJS-22VWA0, Rev: 12.01B02
PhysicalDrive1 Model Number: WDMy Passport 070B, Rev: 1032

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
297 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
Done!


Rootkit UnHooker Log:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7601 (Service Pack 1)
Number of processors #4
==============================================
>Drivers
==============================================
0x90007000 C:\Windows\system32\DRIVERS\igdkmd32.sys 5279744 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x83C06000 C:\Windows\system32\ntkrnlpa.exe 4268032 bytes (Microsoft Corporation, NT Kernel & System)
0x83C06000 PnpManager 4268032 bytes
0x83C06000 RAW 4268032 bytes
0x83C06000 WMIxWDM 4268032 bytes
0x97C70000 Win32k 2416640 bytes
0x97C70000 C:\Windows\System32\win32k.sys 2416640 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x89E35000 C:\Windows\System32\drivers\tcpip.sys 1351680 bytes (Microsoft Corporation, TCP/IP Driver)
0x89A3A000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x90510000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x89C8B000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x842EB000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0xAC429000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8D43C000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8420B000 C:\Windows\system32\mcupdate_GenuineIntel.dll 544768 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x8983A000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x8E632000 C:\Windows\System32\Drivers\aswSnx.SYS 458752 bytes (AVAST Software, avast! Virtualization Driver)
0x8FA89000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x89C17000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x8E748000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAC548000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0x9783D000 C:\Windows\system32\drivers\HdAudio.sys 327680 bytes (Microsoft Corporation, High Definition Audio Function Driver)
0xAC4F8000 C:\Windows\System32\DRIVERS\srv2.sys 327680 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x97F20000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x90623000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x89968000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8FB13000 C:\Windows\System32\Drivers\aswSP.SYS 299008 bytes (AVAST Software, avast! self protection module)
0x898B9000 C:\Windows\system32\drivers\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x979B8000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x9078F000 C:\Windows\system32\drivers\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x842A9000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x8FA28000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xAC59A000 C:\Windows\system32\DRIVERS\udfs.sys 262144 bytes (Microsoft Corporation, UDF File System Driver)
0x89FB9000 C:\Windows\system32\drivers\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x89D42000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x8D50F000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x905C7000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x97953000 C:\Windows\system32\drivers\aswMonFlt.sys 229376 bytes (AVAST Software, avast! File System Minifilter for Windows 2003/Vista)
0x8FB99000 C:\Windows\system32\DRIVERS\e1e6032.sys 229376 bytes (Intel Corporation, Intel(R) PRO/1000 Adapter NDIS 6 deserialized driver)
0x84018000 ACPI_HAL 225280 bytes
0x84018000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x843B9000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9074D000 C:\Windows\system32\drivers\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x89DB5000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x8E7A7000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x89F7F000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x9788D000 C:\Windows\system32\drivers\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x89E00000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x89B69000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8FBD1000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x8991D000 C:\Windows\system32\drivers\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x89800000 C:\Windows\system32\drivers\vmbus.sys 172032 bytes (Microsoft Corporation, Virtual Machine Bus)
0x89BA7000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x89D80000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x84396000 C:\Windows\system32\drivers\ataport.SYS 143360 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x8D4EC000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x906BF000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xAC4CA000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x8FB5C000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8E6BC000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x89A00000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9067D000 C:\Windows\system32\drivers\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8E7E0000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x97F90000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x97938000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8D54A000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x89A1F000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Brother Industries Ltd., Brotehr Serial I/F Driver (WDM))
0x9798E000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x8D4C1000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x978BC000 C:\Windows\system32\drivers\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x8FAED000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x907DE000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x9069C000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x906E1000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x906F9000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x90710000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8E71B000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x89BCC000 C:\Windows\system32\drivers\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x9791C000 C:\Windows\system32\DRIVERS\USBSTOR.SYS 94208 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0x899CF000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x89C00000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x89B94000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x97810000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x8E61F000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x899E5000 00000147 73728 bytes
0x9060D000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x8FB7D000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x8D4DA000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x899E5000 C:\Windows\system32\drivers\winhv.sys 73728 bytes (Microsoft Corporation, Windows Hypervisor Interface Driver)
0x89DE7000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x97900000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x843ED000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x9782C000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x89947000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x84290000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x89BE8000 C:\Windows\system32\drivers\termdd.sys 69632 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x8E600000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
0x979A8000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x89DA5000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x97800000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x89958000 C:\Windows\system32\drivers\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x9066E000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8FB05000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x8E611000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8E70D000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x899BA000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x89C74000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x8FA1A000 C:\Windows\System32\Drivers\SCDEmu.SYS 57344 bytes (PowerISO Computing, Inc., PowerISO Virtual Drive)
0x90781000 C:\Windows\system32\drivers\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x898AB000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x90600000 C:\Windows\system32\drivers\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x978DF000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x90731000 C:\Windows\system32\drivers\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x9073E000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0xAC4EB000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8E6DD000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8FA7D000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x8D430000 C:\Windows\system32\drivers\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x8E732000 C:\Windows\system32\DRIVERS\TDI.SYS 49152 bytes (Microsoft Corporation, TDI Wrapper)
0x8E6B0000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x978EC000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x907D3000 C:\Windows\system32\DRIVERS\fdc.sys 45056 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0x8FA0B000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x97911000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x84200000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8E702000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x906B4000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8FA00000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x89912000 C:\Windows\system32\drivers\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x8E73E000 C:\Windows\System32\Drivers\aswTdi.SYS 40960 bytes (AVAST Software, avast! TDI Filter Driver)
0x978D5000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8FA73000 C:\Windows\system32\drivers\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8FA69000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x90727000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0xAC4C0000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x8FB8F000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x8982A000 C:\Windows\system32\drivers\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0xAC5DA000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x899F7000 C:\Windows\system32\drivers\atapi.sys 36864 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x978F7000 C:\Windows\System32\Drivers\dump_atapi.sys 36864 bytes
0x89C82000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0xAC5E3000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x8D427000 C:\Windows\system32\DRIVERS\point32.sys 36864 bytes (Microsoft Corporation, Point32k.sys)
0x97ED0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x89FB0000 C:\Windows\system32\drivers\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x89901000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x842A1000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x89E2D000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80BCA000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x8990A000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8E6EA000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8E6F2000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8E6FA000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x89FF8000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8E6A9000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x97823000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x899B3000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x8E6A2000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8D565000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x899C8000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8E7D9000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x907F6000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x8E7A2000 C:\Windows\System32\Drivers\aswRdr.SYS 20480 bytes (AVAST Software, avast! TDI RDR Driver)
0x9798B000 C:\Windows\System32\Drivers\aswFsBlk.SYS 12288 bytes (AVAST Software, avast! File System Access Blocking Driver)
0x97935000 C:\Windows\system32\DRIVERS\wdcsam.sys 12288 bytes (Western Digital Technologies, WD SCSI Architecture Model (SAM) driver)
0x9074B000 C:\Windows\system32\drivers\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x97933000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x000F0000 Hidden Image-->unknown_code_page [ EPROCESS 0x882F1600 ] PID: 1496, 40960 bytes
0x8D596F2E Unknown thread object [ ETHREAD 0x85DBDD48 ] , 600 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0007EE9C, Type: Inline - RelativeJump 0x83C84E9C-->83C84F06 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007EEA8, Type: Inline - RelativeJump 0x83C84EA8-->83C84F13 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007EEC4, Type: Inline - RelativeJump 0x83C84EC4-->83C84F2F [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007EEEC, Type: Inline - RelativeJump 0x83C84EEC-->83C84F57 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007F04C, Type: Inline - RelativeJump 0x83C8504C-->83C850B7 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007F088, Type: Inline - RelativeJump 0x83C85088-->83C85105 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007F0A4, Type: Inline - RelativeJump 0x83C850A4-->83C85113 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0007F0C0, Type: Inline - RelativeJump 0x83C850C0-->83C8512A [ntkrnlpa.exe]
ntkrnlpa.exe+0x0022516E, Type: Inline - RelativeJump 0x83E2B16E-->8FB2FBD4 [aswSP.SYS]
ntkrnlpa.exe+0x0025402C, Type: Inline - RelativeJump 0x83E5A02C-->83E5A03E [ntkrnlpa.exe]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x83EE3E44-->8FB32766 [aswSP.SYS]
ntkrnlpa.exe-->ObMakeTemporaryObject, Type: Inline - RelativeJump 0x83E12B6C-->8FB2E11E [aswSP.SYS]
[1004]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1004]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1004]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1004]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[1004]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[1004]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[1004]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[1036]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1036]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1036]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1036]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[1036]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[1036]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[1036]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[1084]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1084]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1196]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1196]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1196]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1196]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[1196]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[1196]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[1196]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[1384]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1384]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1496]WLIDSVC.EXE-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1496]WLIDSVC.EXE-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1496]WLIDSVC.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1496]WLIDSVC.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[1496]WLIDSVC.EXE-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[1496]WLIDSVC.EXE-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[1496]WLIDSVC.EXE-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[1528]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x75603D01-->00000000 [unknown_code_page]
[1856]spoolsv.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1856]spoolsv.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1856]spoolsv.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1856]spoolsv.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[1856]spoolsv.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[1856]spoolsv.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[1856]spoolsv.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[1884]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1884]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1884]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1884]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[1884]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[1884]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[1884]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[1980]AppleMobileDeviceService.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1980]AppleMobileDeviceService.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[1980]AppleMobileDeviceService.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1980]AppleMobileDeviceService.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[1980]AppleMobileDeviceService.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[1980]AppleMobileDeviceService.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[1980]AppleMobileDeviceService.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[2012]atchksrv.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[2012]atchksrv.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[2012]atchksrv.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[2012]atchksrv.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[2012]atchksrv.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[2012]atchksrv.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[2012]atchksrv.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[2036]mDNSResponder.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[2036]mDNSResponder.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[2036]mDNSResponder.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[2036]mDNSResponder.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[2036]mDNSResponder.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[2036]mDNSResponder.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[2036]mDNSResponder.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[2080]WLIDSVCM.EXE-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[2080]WLIDSVCM.EXE-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[2080]WLIDSVCM.EXE-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[2080]WLIDSVCM.EXE-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[2080]WLIDSVCM.EXE-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[2080]WLIDSVCM.EXE-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[2080]WLIDSVCM.EXE-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[2444]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[2444]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[2444]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[2444]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[2444]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[2444]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[2444]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[252]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[252]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[252]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[252]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[252]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[252]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[252]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[2548]wmpnetwk.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[2548]wmpnetwk.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[2548]wmpnetwk.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[2548]wmpnetwk.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[2548]wmpnetwk.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[2548]wmpnetwk.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[2548]wmpnetwk.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3104]dwm.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3104]dwm.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3104]dwm.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3104]dwm.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3104]dwm.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3104]dwm.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3104]dwm.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3128]dpupdchk.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3128]dpupdchk.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3128]dpupdchk.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3128]dpupdchk.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3128]dpupdchk.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3128]dpupdchk.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3128]dpupdchk.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3140]hkcmd.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3140]hkcmd.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3140]hkcmd.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3140]hkcmd.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3140]hkcmd.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3140]hkcmd.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3140]hkcmd.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3388]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3388]explorer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3388]explorer.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3388]explorer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3388]explorer.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3388]explorer.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3388]explorer.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3428]SearchIndexer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3428]SearchIndexer.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3428]SearchIndexer.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3428]SearchIndexer.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3428]SearchIndexer.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3428]SearchIndexer.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3428]SearchIndexer.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3612]iPodService.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3612]iPodService.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3612]iPodService.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3612]iPodService.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3612]iPodService.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3612]iPodService.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3612]iPodService.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3864]igfxsrvc.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3864]igfxsrvc.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3864]igfxsrvc.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3864]igfxsrvc.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3864]igfxsrvc.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3864]igfxsrvc.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3864]igfxsrvc.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3880]iTunesHelper.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3880]iTunesHelper.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3880]iTunesHelper.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3880]iTunesHelper.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3880]iTunesHelper.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3880]iTunesHelper.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3880]iTunesHelper.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[3920]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[3920]firefox.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[3920]firefox.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[3920]firefox.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[3920]firefox.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[3920]firefox.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[3920]firefox.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[4076]ipoint.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[4076]ipoint.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[4076]ipoint.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[4076]ipoint.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[4076]ipoint.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[4076]ipoint.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[4076]ipoint.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[524]IPROSetMonitor.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[524]IPROSetMonitor.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[524]IPROSetMonitor.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[524]IPROSetMonitor.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[524]IPROSetMonitor.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[524]IPROSetMonitor.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[524]IPROSetMonitor.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[556]wininit.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[556]wininit.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[556]wininit.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[556]wininit.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[556]wininit.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[556]wininit.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[556]wininit.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[604]LMS.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[604]LMS.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[604]LMS.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[604]LMS.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[604]LMS.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[604]LMS.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[604]LMS.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]
[616]services.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[616]services.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[640]lsass.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[640]lsass.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[660]lsm.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[660]lsm.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[788]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[788]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[880]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[880]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[948]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[948]svchost.exe-->ntdll.dll-->LdrUnloadDll, Type: Inline - RelativeJump 0x770BC8DE-->00000000 [unknown_code_page]
[948]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[948]svchost.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7593E30C-->00000000 [unknown_code_page]
[948]svchost.exe-->user32.dll-->SetWinEventHook, Type: Inline - RelativeJump 0x759424DC-->00000000 [unknown_code_page]
[948]svchost.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7593ADF9-->00000000 [unknown_code_page]
[948]svchost.exe-->user32.dll-->UnhookWinEvent, Type: Inline - RelativeJump 0x7593B750-->00000000 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
Randal'Thor
Active Member
 
Posts: 14
Joined: September 13th, 2008, 7:21 am
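The Rootkit Unhooker report above lists every hook in one fixed line shape: an optional process id, the patched module and function (or a bare offset for the kernel image), the hook type, the patched and destination addresses, and the module RkU attributes the destination to. As an added example that is not part of the thread or of RkU itself, the Python below parses those lines and groups them by owning module and by repeated hook set, so a reviewer can separate hooks that resolve to a named driver from the unresolved ones and see how many distinct user-mode hooks the long list actually contains; the sample is an excerpt of the report's own lines and the field names are mine.

```python
"""Triage helper for Rootkit Unhooker (RkU) hook report lines.

Added example, not part of the thread or of any tool used in it. It parses the
line shapes seen in the report above and groups them for review.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# One RkU hook line: optional "[pid]" prefix, a "-->" chain, the hook type,
# the patched address, the destination address and the owning module.
_HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)


@dataclass(frozen=True)
class Hook:
    scope: str               # "kernel" or "user"
    pid: Optional[int]       # process id for user-mode hooks, None in kernel
    process: Optional[str]   # hooked process image, None in kernel
    module: str              # module that was patched (ntdll.dll, ntkrnlpa.exe, ...)
    function: Optional[str]  # export name, or None when RkU only gave an offset
    kind: str                # "Inline - RelativeJump", "Inline - PushRet", ...
    src: int                 # address of the patched instruction
    dst: int                 # where control is redirected (0 = unresolved)
    owner: str               # module RkU attributed the destination to


def parse_hook_line(line: str) -> Optional[Hook]:
    """Parse one report line; None for headers, blanks and verdict lines."""
    m = _HOOK_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("chain").split("-->")
    if m.group("pid") is not None:
        # "[pid]process-->module-->function"
        pid, scope = int(m.group("pid")), "user"
        process, module, function = parts[0], parts[1], parts[2]
    else:
        pid, process, scope = None, None, "kernel"
        if len(parts) == 1:
            # "ntkrnlpa.exe+0x0007EEEC": an offset in the module, no export name
            module, function = parts[0].split("+", 1)[0], None
        else:
            # "ntkrnlpa.exe-->NtCreateProcessEx"
            module, function = parts[0], parts[1]
    return Hook(scope, pid, process, module, function, m.group("kind"),
                int(m.group("src"), 16), int(m.group("dst"), 16), m.group("owner"))


def parse_report(text: str) -> list:
    return [h for h in (parse_hook_line(ln) for ln in text.splitlines()) if h]


def summarize(hooks: list) -> dict:
    """Group hooks the way a reviewer reads them: by owner, scope and hook set."""
    # A hook set is the (module, function, patched address) triple; the same
    # triple in many processes is one system-wide hook, not many separate ones.
    hook_sets = defaultdict(set)
    for h in hooks:
        if h.scope == "user":
            hook_sets[(h.module, h.function, h.src)].add(h.pid)
    return {
        "total": len(hooks),
        "by_owner": dict(Counter(h.owner for h in hooks)),
        "kernel": [h for h in hooks if h.scope == "kernel"],
        "unresolved": [h for h in hooks if h.dst == 0 or h.owner == "unknown_code_page"],
        "distinct_user_hooks": len(hook_sets),
        "processes_per_user_hook": {k: len(v) for k, v in hook_sets.items()},
    }


# Excerpt of lines copied from the report posted above.
SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0007EEEC, Type: Inline - RelativeJump 0x83C84EEC-->83C84F57 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0022516E, Type: Inline - RelativeJump 0x83E2B16E-->8FB2FBD4 [aswSP.SYS]
ntkrnlpa.exe-->NtCreateProcessEx, Type: Inline - RelativeJump 0x83EE3E44-->8FB32766 [aswSP.SYS]
[1004]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1004]svchost.exe-->user32.dll-->SetWindowsHookExA, Type: Inline - RelativeJump 0x75966D0C-->00000000 [unknown_code_page]
[1036]svchost.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]
[1528]AvastSvc.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: Inline - PushRet 0x75603D01-->00000000 [unknown_code_page]
[3388]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x770C22B8-->00000000 [unknown_code_page]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
"""

if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['total']} hooks, by owner: {s['by_owner']}")
    print("kernel:", [(h.function or h.module, h.owner) for h in s["kernel"]])
    print(f"{s['distinct_user_hooks']} distinct user-mode hook sets:")
    for (mod, fn, src), n in s["processes_per_user_hook"].items():
        print(f"  {mod}!{fn} @0x{src:08X} seen in {n} process(es)")
```

Run over the full report, the same three user32/ntdll addresses repeat in every listed process, which the hook-set count makes visible at a glance instead of across two hundred lines.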

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Randal'Thor » May 8th, 2011, 6:49 pm

Hi Scolabar.

It double posted so you can remove this post. :)

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Scolabar » May 9th, 2011, 5:46 pm

Hi Randal'Thor,

Thank you again for the logs. :thumbright:

Randal'Thor wrote:
Quote: Can you please confirm whether or not you ran the DeFogger tool as requested?

Yes; the log I posted for you was the log it displayed when it finished.
FYI, DeFogger does not produce a log file. The logs you posted earlier were for Malwarebytes' Anti-Malware and TDSSKiller. ;)
Please can you confirm that you actually did run the DeFogger tool?

Randal'Thor wrote:I obtained it through Ubuntu Support; it is not an installation disc but rather the repair version for Win 7.
Thanks for the confirmation.

Randal'Thor wrote:
Quote: The best and safest course of action if you do not have the original recovery media for your PC would be to contact Acer Support.

I have done so in the past with no luck. And since I am no longer in warranty they are not interested in me whatsoever.
I appreciate that can be very frustrating. :(

Randal'Thor wrote:I wasn't able to download Rootkit UnHooker as the site wouldn't load so I downloaded it from SpywareInfo instead. If it is the wrong version, please let me know.
Apologies, I can now see the connection is timing out for the link I provided. :oops:
The version you have used looks to be fine. :thumbright:

Randal'Thor wrote:MBR Backup was successful and I have saved an external copy.
Well done. :)

Randal'Thor wrote:Also, a new thing has started happening lately. Whenever I boot my computer, avast doesn't run unless I open it. It has never done this before and it happens when I boot every time now. Just thought I'd let you know.
We'll look at this as soon as we've cleared up the malware. ;)

Again, please read the following instructions carefully before executing them, perform the steps in the order given, and make sure any open programs are closed. ;)
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem before going any further.

Step 1:
Re-Run ERUNT

Please backup the registry with ERUNT again.

Step 2:
Re-Run TFC

Print these instructions. Save any unsaved work. TFC will close ALL open programs including your browser!

  1. Double-click on TFC.exe to run it.
  2. TFC will now begin cleaning up the "temp" files.
    Note: This process may take only a few seconds or it could take several minutes, depending on the amount of temp files found.
  3. If prompted to reboot, click on the Yes button to confirm.

! IMPORTANT ! If TFC prompts you to reboot, please do so immediately, before proceeding with any other steps or other use of your computer.

Step 3:
ComboFix

Now let's run the ComboFix tool:

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.

The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

If you have previously downloaded ComboFix please delete that version and download it again. This tool is frequently updated.

  1. Please download ComboFix.exe by © sUBs and save it to your Desktop. <<--- IMPORTANT!!
    Alternate download sites are available: here or here.
  2. Please disable any Anti-Virus, Anti-Spyware and Firewall programs you have active, as shown in this topic. Please close all open application windows.
    Note: ** Only ** when the above two items in Step 2 have been dealt with should you proceed with the following steps:
  3. Double-click on Combofix.exe to start the program. If you receive the "Open File - Security Warning" message click on the Run button.
    Vista - W7 users: Right-click on Combofix.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  4. Reply Yes to the Disclaimer prompt.
    The ComboFix program screen will appear indicating the program is preparing to run. ComboFix will then begin creating a System Restore Point and then back up your Registry.
  5. If not already installed reply Yes to the Install Recovery Console prompt.
  6. Reply Yes to the Recovery Console installation results prompt and even if unsuccessful please allow ComboFix to continue the scan.
    Note: Do not use your keyboard or mouse, or click anywhere in the ComboFix window, as this may cause the program to stall or crash!
  7. ComboFix will disconnect you from the Internet, may cause your desktop to disappear and also change your clock settings. This is normal, so please don't worry. They will be restored when finished. The ComboFix window data will update as the various "Stages" are completed.
    ComboFix disables the autorun of all CD, floppy and USB devices to assist with malware removal and increase security.
  8. When the program has finished ComboFix will produce a log file called log.txt which will automatically open in Notepad.
  9. Please Copy and Paste the entire contents of the log.txt file into your next reply.

** REMEMBER ** Re-Enable your Antivirus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

Step 4:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. Did you actually run the DeFogger tool?
  3. log.txt.
  4. How is your computer now running?

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Randal'Thor » May 9th, 2011, 6:30 pm

Hi Scolabar. :)

Scolabar wrote: FYI, DeFogger does not produce a log file. The logs you posted earlier were for Malwarebytes' Anti-Malware and TDSSKiller. ;)

Oops, my bad.

Scolabar wrote: Please can you confirm that you actually did run the DeFogger tool?

Even though I got confused with the logs that were produced, I did run the tool.

Scolabar wrote: We'll look at this as soon as we've cleared up the malware.

I have an update for this situation. The drivers for avast are still running at startup, just the user interface isn't. I found this out when I tried to run CF and was told avast was still active.

Scolabar wrote: How is your computer now running?

It's running pretty well at the moment, although it takes a while to reboot. Also, sometimes the screen flickers and a warning pops up saying the Desktop Manager has been disabled. I have fixed this by going through the Display control panel and running the troubleshooter; however, it still does it at random intervals.

Ran ERUNT and TFC again successfully.

Ran CF afterwards. It ran fine, except that after it produced its log I was no longer able to open any programs. Whenever I tried, I was given this message:

Illegal operation attempted on a registry key that has been marked for deletion. Windows can't open this file. Would you like to remove it from the list?


I rebooted from Last Known Good Configuration and the problem went away. Here is the CF log:


ComboFix 11-05-09.01 - Liam 10/05/2011 7:58.2.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.2022.1221 [GMT 10:00]
Running from: c:\users\Liam\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-09 to 2011-05-09 )))))))))))))))))))))))))))))))
.
.
2011-05-09 22:04 . 2011-05-09 22:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-07 22:44 . 2011-05-07 22:44 -------- d-----w- c:\program files\ERUNT
2011-05-05 06:32 . 2011-05-05 06:32 -------- d-----w- c:\program files\Common Files\InstallShield
2011-05-05 06:31 . 2010-12-07 04:23 25088 ----a-w- c:\windows\system32\drivers\lgandmodem.sys
2011-05-05 06:31 . 2010-12-07 04:23 20736 ----a-w- c:\windows\system32\drivers\lganddiag.sys
2011-05-05 06:31 . 2010-12-07 04:23 20096 ----a-w- c:\windows\system32\drivers\lgandgps.sys
2011-05-05 06:31 . 2010-12-07 04:22 14336 ----a-w- c:\windows\system32\drivers\lgandbus.sys
2011-05-05 06:31 . 2011-05-05 06:33 -------- d-----w- c:\program files\LG Electronics
2011-05-05 06:30 . 2011-05-05 06:39 -------- d-----w- C:\GT540F
2011-05-05 06:28 . 2006-05-03 22:33 53248 ----a-w- c:\windows\system32\CommonDL.dll
2011-05-05 06:28 . 2005-10-03 15:39 44544 ----a-w- c:\windows\system32\msxml4a.dll
2011-05-05 06:28 . 2011-05-05 06:43 -------- d-----w- c:\programdata\LGMOBILEAX
2011-04-28 13:01 . 2011-04-28 13:01 -------- d-----w- c:\users\Liam\AppData\Local\{74987E43-1940-46AD-AF03-C585D57775D8}
2011-04-27 02:12 . 2011-04-27 02:12 -------- d-----w- c:\program files\ESET
2011-04-22 00:07 . 2011-04-22 00:07 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-21 06:54 . 2011-04-21 06:54 -------- d-----w- c:\program files\Unlocker
2011-04-21 06:43 . 2011-04-21 06:44 -------- d-----w- c:\program files\iTunes
2011-04-21 06:43 . 2011-04-21 06:43 -------- d-----w- c:\program files\iPod
2011-04-21 06:42 . 2011-04-21 06:42 -------- d-----w- c:\program files\Bonjour
2011-04-20 12:33 . 2011-04-20 12:33 -------- d-----w- c:\program files\PowerISO
2011-04-17 01:44 . 2011-04-17 01:44 -------- d-----w- c:\users\Liam\AppData\Local\Apps
2011-04-15 11:40 . 2011-04-15 11:41 -------- d-----w- c:\users\Liam\Pokemon Online
2011-04-14 08:58 . 2011-04-14 08:58 -------- d-----w- c:\program files\Common Files\ResearchSoft
2011-04-14 08:47 . 2011-04-14 08:49 -------- d-----w- c:\users\Liam\AppData\Roaming\EndNote
2011-04-14 08:47 . 2011-04-14 08:47 -------- d-----w- c:\program files\Common Files\Risxtd
2011-04-14 08:46 . 2011-04-14 08:58 -------- d-----w- c:\program files\EndNote X4
2011-04-14 08:46 . 2011-04-14 08:58 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
2011-04-13 05:02 . 2011-04-13 05:02 40984 ----a-w- c:\windows\system32\drivers\point32.sys
2011-04-12 06:54 . 2011-04-18 16:17 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 16:25 . 2010-07-19 00:26 40112 ----a-w- c:\windows\avastSS.scr
2011-04-18 16:25 . 2010-06-07 04:57 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-04-18 16:17 . 2010-06-07 04:58 307288 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-04-18 16:16 . 2010-06-07 04:58 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-04-18 16:13 . 2010-06-07 04:58 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-04-18 16:13 . 2010-06-07 04:58 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-04-18 16:12 . 2010-06-07 04:58 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-08 13:02 . 2011-04-08 13:02 390656 ----a-w- c:\windows\system32\ipcoin815.dll
2011-04-06 06:20 . 2011-04-06 06:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 06:20 . 2011-04-06 06:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-01 02:06 . 2011-04-01 02:06 185856 ----a-w- c:\windows\system32\Ncs2Setp.dll
2011-04-01 01:56 . 2011-04-01 01:56 665720 ----a-w- c:\windows\system32\ncs2dmix.dll
2011-04-01 01:56 . 2011-04-01 01:56 513144 ----a-w- c:\windows\system32\accesor.dll
2011-04-01 01:31 . 2011-04-01 01:31 135800 ----a-w- c:\windows\system32\ncs2instutility.dll
2011-04-01 01:14 . 2011-04-01 01:14 1966200 ----a-w- c:\windows\system32\ncscolib.dll
2011-03-22 08:28 . 2010-06-24 00:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-20 18:26 . 2011-03-20 18:26 139488 ----a-w- c:\windows\system32\drivers\iANSW60.sys
2011-03-18 00:20 . 2005-12-31 14:17 266440 ----a-w- c:\windows\system32\PROUnstl.exe
2011-03-12 11:23 . 2011-03-31 23:29 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:39 . 2011-03-31 23:29 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:39 . 2011-03-31 23:29 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:39 . 2011-03-31 23:29 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:39 . 2011-03-31 23:29 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:38 . 2011-03-31 23:29 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:38 . 2011-03-31 23:29 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:38 . 2011-03-31 23:29 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:33 . 2011-03-31 23:29 1699328 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:31 . 2011-03-31 23:29 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-02 18:29 . 2011-03-02 18:29 30368 ----a-w- c:\windows\system32\drivers\iqvw32.sys
2011-02-28 06:05 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-28 03:19 . 2005-12-31 14:17 109728 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2011-02-27 21:09 . 2005-12-31 14:14 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-02-25 05:30 . 2011-03-31 23:29 2616320 ----a-w- c:\windows\explorer.exe
2011-02-22 22:27 . 2011-02-22 22:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-02-22 22:27 . 2011-02-22 22:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-02-19 06:30 . 2011-03-08 20:48 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30 . 2011-03-08 20:48 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30 . 2011-03-08 20:48 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-18 05:39 . 2011-03-31 23:29 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-05-04 12:42 . 2011-03-25 23:21 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-04-18 16:25 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [2010-12-07 14336]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [2010-12-07 20736]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [2010-12-07 20096]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [2010-12-07 25088]
R3 C00D35D9;C00D35D9;c:\windows\system32\C00D35D9.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 25112]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2009-03-25 86824]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2009-03-25 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2009-03-25 114728]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2009-03-25 106208]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2009-03-25 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2009-03-25 104744]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2009-03-25 109864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-07 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-07 691696]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-04-18 53592]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-02-28 109728]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 04:58]
.
2011-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 04:58]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\bo6hgl0j.default\
FF - prefs.js: browser.search.defaulturl -
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-05-10 08:05:36
ComboFix-quarantined-files.txt 2011-05-09 22:05
ComboFix2.txt 2011-05-04 12:55
.
Pre-Run: 90,083,004,416 bytes free
Post-Run: 90,065,358,848 bytes free
.
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 8611248606479014C279AE8DDD2C6519
Randal'Thor
Active Member
 
Posts: 14
Joined: September 13th, 2008, 7:21 am

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Scolabar » May 11th, 2011, 10:06 am

Hi Randal'Thor,

Thank you for all the feedback. :thumbright:

Regarding the screen-flickering issue, this may be hardware related. If you are still experiencing this issue after the computer is free of malware infection then I will refer you to some forums that may be able to help you on that front.

As before, please read the following instructions carefully before executing them, perform the steps in the order given, and make sure any open programs are closed. ;)
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed; post back with the question or problem before going any further.

Step 1:
Avast! Antivirus - Full System Scan

  1. Double-click on the Avast! Antivirus desktop icon to launch the program.
    Vista - W7 users: Right-click on the avast! Antivirus desktop icon and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
  2. Click on the SCAN COMPUTER option on the left-hand side of the program window.
  3. Next to the Full system scan option click on the Start button.
    Please Note: Please be patient. A full system scan will take some time depending upon the size of the installed hard drive(s), the number of programs installed and the amount of data stored.
  4. When the scan is complete Copy and Paste the entire contents of Full System Scan Report into your next reply.

Step 2:
Malwarebytes' Anti-Malware - Full Scan

  1. Please launch MBAM (Malwarebytes' Anti-Malware) again.
    Vista - W7 users: Right-click on the Malwarebytes' Anti-Malware desktop icon and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
    You must be connected to the Internet to obtain any updates.
  2. Click on the Update tab and then click on the Check for Updates button. <<---Important!
    Once any updates are installed or you get the message that you are up-to-date:
  3. Click on the Scanner tab.
  4. Select the Perform FULL SCAN option this time and then click on the Scan button.
    Please Note: This scan will take a while, so please be patient.
    When the scan has finished:
  5. Check all items EXCEPT any items (if present) in the C:\System Volume Information folder and then click on Remove Selected.
  6. Let MBAM remove what it can. If there are files to be deleted on reboot, please reboot the machine so MBAM can complete the removal.
    If you rebooted, then you'll need to start MBAM again.
  7. Click on the Log tab and locate the most current log file.
  8. Copy and Paste the entire contents of the most recent log (mbam-log-yyyy-mm-dd (hh-mm-ss).txt) into your next reply and exit MBAM.

Step 3:
Online Multi Anti-Virus File Scan

I need to ask you to upload a file for further inspection.

Please go to either: Jotti or Virus Total and upload - only one file per scan - the following file(s) for scanning:

    c:\windows\system32\C00D35D9.exe
    c:\windows\system32\CSVer.dll
    c:\windows\system32\ipcoin815.dll

Using Jotti

  1. Choose the appropriate language. Once a language is selected, you will see a message "Ready to receive files".
  2. Copy just one full path and file name at a time from the list above and click on the Browse button.
  3. Paste the copied file path and name into the "File name:" area of the "Choose file to upload" window. Then click on the Open button.
    The file name should now appear in the online scanner's "File to scan:" box.
  4. Click on the Submit button.
      If you receive the message: "This file has been scanned before. The results for this previous scan are listed below."
      Please click on the Scan again button, so your file will be scanned.
  5. The file will be uploaded and scanned by various Anti-Virus scanners. This may take a few minutes.
  6. When all the scans have been completed, highlight the results text from the Jotti's malware scan box.
  7. Copy the selected text. Open Notepad. Paste the contents into Notepad. Save the file to a convenient place.
  8. Please repeat this procedure for each file listed above.
  9. Copy and Paste the entire contents of all the Jotti scan results into your next reply.

Using Virus Total

  1. Copy just one full path and file name at a time from the list above and click on the Browse button.
  2. Paste the copied file path and name into the "File name:" area of the "Choose file to upload" window. Then click on the Open button.
    The file name should now appear in the online scanner's text entry box.
  3. Click on the Send File button.
  4. The file will be queued, uploaded and scanned by various Anti-Virus scanners. This may take a few minutes.
      If you receive the message: "File has already been analysed."
      Please click on the Reanalyse file now button, so your file will be scanned.
  5. When the scan is completed click on the Compact icon.
  6. The results will be shown in a grid-like window. Right-click on the text, choose Select All, then Copy the entire contents.
  7. Open Notepad. Paste the result contents into the Notepad window. Save this file to a convenient place.
  8. Please repeat this procedure for each file listed above.
  9. Copy and Paste the entire contents of all the Virus Total scan results into your next reply.

Step 4:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. Avast! Full System Scan Report.
  3. mbam-log-yyyy-mm-dd (hh-mm-ss).txt.
  4. Online File Scan Results.
  5. How is your computer now running?

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm
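The triage Scolabar does by eye above (spotting `R3 C00D35D9;C00D35D9;c:\windows\system32\C00D35D9.exe [x]`, a service entry whose image ComboFix could not find, and asking for hashes of three files) can be done mechanically. The script below is an added example, not code from the thread or from ComboFix: it parses service/driver lines in the format shown in the log above, flags entries whose file is missing or whose image name is a bare run of hex digits, and hashes a file for a VirusTotal lookup while handling the "file could not be located" case. The sample lines are copied from the log; the flagging heuristics are ours and are hints for a human, not verdicts.

```python
"""Triage the service/driver lines of a ComboFix 'Reg Loading Points' section.

Each line looks like
    <R|S><start> <ServiceName>;<DisplayName>;<ImagePath> [<yyyy-mm-dd> <size>]
and the bracket is "[x]" when ComboFix could not find or read the image file.
Two things a removal helper checks first: a registry entry that still points
at a file which is gone (uninstall leftover or a self-deleting loader), and an
image whose name is a bare run of hex digits instead of a vendor-style name.
The heuristics are this example's own, not ComboFix's.
"""
import hashlib
import os
import re
import tempfile

SERVICE_RE = re.compile(
    r"^(?P<kind>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]*);(?P<display>[^;]*);(?P<path>[^\[]*)"
    r"\[(?P<info>[^\]]*)\]\s*$"
)
HEX_STEM_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Constructed sample: five lines copied from the log above (raw string so the
# backslashes survive), nothing else.
SAMPLE_LINES = r"""
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
R3 C00D35D9;C00D35D9;c:\windows\system32\C00D35D9.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
S1 aswSnx;aswSnx; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-04-18 53592]
""".strip().splitlines()


def parse_service_line(line):
    """Return a dict for one service line, or None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].strip()
    entry["missing"] = entry["info"].strip().lower() == "x"
    return entry


def image_stem(path):
    """'c:\\windows\\system32\\C00D35D9.exe' -> 'C00D35D9' (works for Windows paths on any host)."""
    return os.path.splitext(path.replace("\\", "/").rsplit("/", 1)[-1])[0]


def triage(entry):
    """Reasons to look closer; 'info:' items are not findings by themselves."""
    reasons = []
    stem = image_stem(entry["path"])
    if entry["missing"] and entry["path"]:
        reasons.append("orphan: image path is set but ComboFix could not find the file")
    elif entry["missing"]:
        reasons.append("info: no image path resolved; compare with the Find3M entry for this driver")
    if HEX_STEM_RE.match(stem):
        reasons.append("name: image is eight bare hex digits, not a vendor-style name")
    return reasons


def triage_log(lines):
    """{ServiceName: [reasons]} for every parsable service line, unflagged ones included."""
    out = {}
    for line in lines:
        entry = parse_service_line(line)
        if entry:
            out[entry["name"]] = triage(entry)
    return out


def sha256_for_lookup(path):
    """SHA-256 to look up on VirusTotal before uploading; None when the file is absent."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def constructed_file(content=b""):
    """Write a throwaway file so the hashing path can be exercised offline."""
    fd, path = tempfile.mkstemp(prefix="cf-triage-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LINES).items():
        print(f"{name:12} {'; '.join(reasons) or 'nothing odd'}")
    print("C00D35D9.exe hash:", sha256_for_lookup(r"c:\windows\system32\C00D35D9.exe"))
```

Looking the SHA-256 up first, and uploading only when the hash is unknown, avoids handing a possibly private binary to a public multi-scanner; a `None` from `sha256_for_lookup` is exactly the outcome the poster reports later for `C00D35D9.exe`, and for a service entry that was already an orphan in the log that is the expected result rather than a failed step.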

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Randal'Thor » May 12th, 2011, 5:44 pm

Hi Scolabar.

avast didn't find anything so no log was produced.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
http://www.malwarebytes.org

Database version: 6558

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

12/05/2011 9:45:08 AM
mbam-log-2011-05-012 (08-54-07).txt

Scan type: Full scan
Objects scanned: 5984392
Time elapsed: 57 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The first file couldn't be located. The other two files were 100% clean on Virus Total.

My computer seems to be running fine at the moment.
Randal'Thor
Active Member
 
Posts: 14
Joined: September 13th, 2008, 7:21 am

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Scolabar » May 13th, 2011, 2:30 pm

Hi Randal'Thor,

Thank you for all the feedback. :thumbright:

Regarding the screen-flickering issue, this may be hardware related.
If you are still experiencing this issue after the computer is free of malware infection then I will refer you to some forums that may be able to help you on that front.

Step 1:
Re-Run ERUNT

Please backup the registry with ERUNT again.

Step 2:
ComboFix - CFScript

WARNING!
This script is for THIS user and computer ONLY!
Using this tool incorrectly could damage your Operating System thereby preventing it from starting again!


You will not have Internet access when you execute ComboFix. All open windows will need to be closed!

  1. Click on Start > Run.
  2. In the text entry box type:
      Notepad
  3. Then click on the OK button.
  4. This will open an empty Notepad file.
  5. Copy and Paste the contents of the box below into the Notepad window:
    Code: Select all
    KillAll::
    
    DDS::
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
    
    Folder::
    c:\users\liam\appdata\local\{74987E43-1940-46AD-AF03-C585D57775D8}
    c:\users\liam\appdata\local\{61DB7A2E-0CD2-49E6-BFF4-A316E316075E}
    
    
  6. Save the file to your desktop as CFScript.txt
  7. Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  8. Drag the CFScript.txt (icon) onto the ComboFix.exe icon as shown in the image below:

    Image

    This will cause ComboFix to run again.
    Note: Do not use your keyboard or mouse, or click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    Do Not touch your computer when ComboFix is running!
  9. When the program has finished ComboFix will produce a log file called log.txt which will automatically open in Notepad.
  10. Please Copy and Paste the entire contents of the log.txt file into your next reply.

** REMEMBER ** Re-Enable your Antivirus, Anti-Spyware and Firewall programs before reconnecting to the Internet!

Step 3:
ESET NOD32 Online Scan

Please Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted. Then double-click on it to install.

Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Please go to ESET Online Scanner - © ESET (All Rights Reserved) to run an online scan.
** Make sure you are using an account that has Administrative privileges **
    Click on the ESET Online Scanner button.
  1. Check the box next to "YES, I accept the Terms of Use."
  2. Click Start.
    A window will open. It may appear nothing is happening, but please be patient.
  3. Click Yes at the run ActiveX prompt.
  4. Click Install at the install ActiveX prompt.
    Once installed, the scanner will be initialized.
  5. Click on the Start button.
    Make sure that the options:
    • Remove found threats is UNCHECKED
    • Leave the "default" settings under Advanced as they are. If not set, please check:
      • Scan for potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth Technology
  6. Click on the Start button.
    ESET scanner will begin to download the virus signatures database. When the signatures have been downloaded, the scan will start automatically.
  7. Wait for the scan to finish. It may take a while but, again, please be patient. When the scan is finished:
  8. Use Notepad to open the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
  9. Copy and Paste the entire contents of log.txt into your next reply.

Remember to re-enable your Anti-virus protection before continuing!

Step 4:
Include in Next Post

  1. Did you have any problems carrying out the instructions?
  2. Which file could not be found when you attempted the upload for the online file scan?
  3. log.txt (ComboFix).
  4. log.txt (ESET).
  5. Has there been any change in how your computer is now running?

Scolabar
---------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
Scolabar
MRU Honors Grad Emeritus
 
Posts: 1172
Joined: April 22nd, 2009, 3:10 pm
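A check for the CFScript step above, as an added example that is not part of the thread and not ComboFix's own code: a CFScript is plain text in which a line ending in `::` opens a section (`KillAll::`, `DDS::`, `Folder::`, `File::`) and the lines after it are that section's arguments, while the log ComboFix writes lists what it actually removed under the `((( Other Deletions )))` banner. The script reconciles the two, and also pulls out the `Command switches used ::` line so a saved-as-`CFScript.txt.txt` double extension is noticed. The `Folder::` targets are the two from the script above; the `File::` path is a constructed placeholder used only to show a miss, and the log excerpt is cut down from the one the poster sends back.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote afterwards.

A CFScript is plain text: a line ending in '::' opens a section (KillAll::,
DDS::, Folder::, File::, ...) and the non-blank lines after it are that
section's arguments.  Whatever ComboFix actually removed is listed in the log
under the '((( Other Deletions )))' banner, so the two can be reconciled
mechanically instead of by eye.  The log layout is the one shown in this
thread; the parser is this example's own, not part of ComboFix.
"""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
BANNER_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")

# Constructed sample input: the Folder:: targets are the two from the script
# above; the File:: line is a made-up path used only to show a miss.
SAMPLE_SCRIPT = r"""
KillAll::

Folder::
c:\users\liam\appdata\local\{74987E43-1940-46AD-AF03-C585D57775D8}
c:\users\liam\appdata\local\{61DB7A2E-0CD2-49E6-BFF4-A316E316075E}

File::
c:\users\liam\desktop\constructed-example-not-on-disk.tmp
"""

# Constructed sample log: the head of the second ComboFix log in this thread,
# cut down to the banners that matter for the check.
SAMPLE_LOG = r"""
ComboFix 11-05-13.02 - Liam 14/05/2011 8:22.3.4 - x86
Command switches used :: c:\users\Liam\Desktop\CFScript.txt.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\liam\appdata\local\{61DB7A2E-0CD2-49E6-BFF4-A316E316075E}
c:\users\liam\appdata\local\{74987E43-1940-46AD-AF03-C585D57775D8}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
.
2011-05-07 22:44 . 2011-05-07 22:44 -------- d-----w- c:\program files\ERUNT
"""


def parse_cfscript(text):
    """{section: [argument lines]}; a section with no lines (KillAll::) maps to []."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def log_sections(text):
    """{banner title: [lines]} for a ComboFix log; the lone '.' padding lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def confirm_deletions(script_text, log_text):
    """{requested path: True if it appears under Other Deletions}; Windows paths compare case-insensitively."""
    script = parse_cfscript(script_text)
    requested = script.get("Folder", []) + script.get("File", [])
    deleted = {p.lower() for p in log_sections(log_text).get("Other Deletions", [])}
    return {p: p.lower() in deleted for p in requested}


def script_name_used(log_text):
    """The script path ComboFix reports having run, or None; shows up a 'CFScript.txt.txt' double extension."""
    for line in log_text.splitlines():
        if line.startswith("Command switches used ::"):
            return line.split("::", 1)[1].strip()
    return None


if __name__ == "__main__":
    print("script:", script_name_used(SAMPLE_LOG))
    for path, ok in confirm_deletions(SAMPLE_SCRIPT, SAMPLE_LOG).items():
        print("deleted " if ok else "NOT seen", path)
```

Only `Folder::` and `File::` targets are reconciled here; `DDS::` entries are registry items and do not surface under Other Deletions, so they need a different check. A `False` for a path that should have gone is the cue to look at whether the script actually ran (the `Command switches used` line) before assuming the object resisted deletion.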

Re: Slow System Plus Multiple Program and System Crashes

Unread postby Randal'Thor » May 13th, 2011, 7:47 pm

Hi Scolabar.

Which file could not be found when you attempted the upload for the online file scan?

c:\windows\system32\C00D35D9.exe

ESET didn't find any threats so no log file to post here.

No change in how my computer is running currently.


I ran the CF script as directed but after CF did its scan it did the same thing it did last time (Illegal operation attempted on a registry key that has been marked for deletion. Windows can't open this file. Would you like to remove it from the list?) so I had to reboot via Last Known Good Configuration.

Here is the CF Log:

ComboFix 11-05-13.02 - Liam 14/05/2011 8:22.3.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.61.1033.18.2022.1196 [GMT 10:00]
Running from: c:\users\Liam\Desktop\ComboFix.exe
Command switches used :: c:\users\Liam\Desktop\CFScript.txt.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\liam\appdata\local\{61DB7A2E-0CD2-49E6-BFF4-A316E316075E}
c:\users\liam\appdata\local\{74987E43-1940-46AD-AF03-C585D57775D8}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
.
.
2011-05-13 22:28 . 2011-05-13 22:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-10 22:05 . 2011-04-09 05:56 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-10 21:38 . 2011-03-25 02:58 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-10 21:38 . 2011-03-25 02:58 284672 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-10 21:38 . 2011-03-25 02:58 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-10 21:38 . 2011-03-25 02:57 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-10 21:38 . 2011-03-25 02:57 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-10 21:38 . 2011-03-25 02:57 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-05-10 21:38 . 2011-04-09 06:02 3967872 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-10 21:38 . 2011-04-09 06:02 3912576 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-05-07 22:44 . 2011-05-07 22:44 -------- d-----w- c:\program files\ERUNT
2011-05-05 06:32 . 2011-05-05 06:32 -------- d-----w- c:\program files\Common Files\InstallShield
2011-05-05 06:31 . 2010-12-07 04:23 25088 ----a-w- c:\windows\system32\drivers\lgandmodem.sys
2011-05-05 06:31 . 2010-12-07 04:23 20736 ----a-w- c:\windows\system32\drivers\lganddiag.sys
2011-05-05 06:31 . 2010-12-07 04:23 20096 ----a-w- c:\windows\system32\drivers\lgandgps.sys
2011-05-05 06:31 . 2010-12-07 04:22 14336 ----a-w- c:\windows\system32\drivers\lgandbus.sys
2011-05-05 06:31 . 2011-05-05 06:33 -------- d-----w- c:\program files\LG Electronics
2011-05-05 06:30 . 2011-05-05 06:39 -------- d-----w- C:\GT540F
2011-05-05 06:28 . 2006-05-03 22:33 53248 ----a-w- c:\windows\system32\CommonDL.dll
2011-05-05 06:28 . 2005-10-03 15:39 44544 ----a-w- c:\windows\system32\msxml4a.dll
2011-05-05 06:28 . 2011-05-05 06:43 -------- d-----w- c:\programdata\LGMOBILEAX
2011-04-27 02:12 . 2011-04-27 02:12 -------- d-----w- c:\program files\ESET
2011-04-22 00:07 . 2011-04-22 00:07 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-21 06:54 . 2011-04-21 06:54 -------- d-----w- c:\program files\Unlocker
2011-04-21 06:43 . 2011-04-21 06:44 -------- d-----w- c:\program files\iTunes
2011-04-21 06:43 . 2011-04-21 06:43 -------- d-----w- c:\program files\iPod
2011-04-21 06:42 . 2011-04-21 06:42 -------- d-----w- c:\program files\Bonjour
2011-04-20 12:33 . 2011-04-20 12:33 -------- d-----w- c:\program files\PowerISO
2011-04-17 01:44 . 2011-04-17 01:44 -------- d-----w- c:\users\Liam\AppData\Local\Apps
2011-04-15 11:40 . 2011-04-15 11:41 -------- d-----w- c:\users\Liam\Pokemon Online
2011-04-14 08:58 . 2011-04-14 08:58 -------- d-----w- c:\program files\Common Files\ResearchSoft
2011-04-14 08:47 . 2011-04-14 08:49 -------- d-----w- c:\users\Liam\AppData\Roaming\EndNote
2011-04-14 08:47 . 2011-04-14 08:47 -------- d-----w- c:\program files\Common Files\Risxtd
2011-04-14 08:46 . 2011-04-14 08:58 -------- d-----w- c:\program files\EndNote X4
2011-04-14 08:46 . 2011-04-14 08:58 -------- d-----w- c:\programdata\Thomson.ResearchSoft.Installers
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 12:10 . 2010-07-19 00:26 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-06-07 04:57 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-04-12 06:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2010-06-07 04:58 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-06-07 04:58 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2010-06-07 04:58 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-06-07 04:58 53592 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2010-06-07 04:58 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-04-13 05:02 . 2011-04-13 05:02 40984 ----a-w- c:\windows\system32\drivers\point32.sys
2011-04-12 01:05 . 2011-04-12 01:05 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-04-12 01:05 . 2011-04-12 01:05 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-04-12 01:05 . 2011-04-12 01:05 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-04-12 01:05 . 2011-04-12 01:05 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-04-12 01:05 . 2011-04-12 01:05 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-04-12 01:05 . 2011-04-12 01:05 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-04-12 01:05 . 2011-04-12 01:05 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-04-12 01:05 . 2011-04-12 01:05 367104 ----a-w- c:\windows\system32\html.iec
2011-04-12 01:05 . 2011-04-12 01:05 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-12 01:05 . 2011-04-12 01:05 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-04-12 01:05 . 2011-04-12 01:05 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-12 01:05 . 2011-04-12 01:05 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-04-12 01:05 . 2011-04-12 01:05 161792 ----a-w- c:\windows\system32\msls31.dll
2011-04-12 01:05 . 2011-04-12 01:05 152064 ----a-w- c:\windows\system32\wextract.exe
2011-04-12 01:05 . 2011-04-12 01:05 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-04-12 01:05 . 2011-04-12 01:05 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-04-12 01:05 . 2011-04-12 01:05 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-12 01:05 . 2011-04-12 01:05 11776 ----a-w- c:\windows\system32\mshta.exe
2011-04-12 01:05 . 2011-04-12 01:05 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-04-12 01:05 . 2011-04-12 01:05 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-04-12 01:05 . 2011-04-12 01:05 101888 ----a-w- c:\windows\system32\admparse.dll
2011-04-08 13:02 . 2011-04-08 13:02 390656 ----a-w- c:\windows\system32\ipcoin815.dll
2011-04-06 06:20 . 2011-04-06 06:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 06:20 . 2011-04-06 06:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-04-01 02:06 . 2011-04-01 02:06 185856 ----a-w- c:\windows\system32\Ncs2Setp.dll
2011-04-01 01:56 . 2011-04-01 01:56 665720 ----a-w- c:\windows\system32\ncs2dmix.dll
2011-04-01 01:56 . 2011-04-01 01:56 513144 ----a-w- c:\windows\system32\accesor.dll
2011-04-01 01:31 . 2011-04-01 01:31 135800 ----a-w- c:\windows\system32\ncs2instutility.dll
2011-04-01 01:14 . 2011-04-01 01:14 1966200 ----a-w- c:\windows\system32\ncscolib.dll
2011-03-22 08:28 . 2010-06-24 00:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-20 18:26 . 2011-03-20 18:26 139488 ----a-w- c:\windows\system32\drivers\iANSW60.sys
2011-03-18 00:20 . 2005-12-31 14:17 266440 ----a-w- c:\windows\system32\PROUnstl.exe
2011-03-12 11:23 . 2011-03-31 23:29 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:39 . 2011-03-31 23:29 148864 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:39 . 2011-03-31 23:29 1211264 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:39 . 2011-03-31 23:29 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:39 . 2011-03-31 23:29 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:38 . 2011-03-31 23:29 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:38 . 2011-03-31 23:29 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:38 . 2011-03-31 23:29 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:33 . 2011-03-31 23:29 1699328 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:31 . 2011-03-31 23:29 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-02 18:29 . 2011-03-02 18:29 30368 ----a-w- c:\windows\system32\drivers\iqvw32.sys
2011-02-28 06:05 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2011-02-28 03:19 . 2005-12-31 14:17 109728 ----a-w- c:\windows\system32\IPROSetMonitor.exe
2011-02-27 21:09 . 2005-12-31 14:14 53248 ----a-w- c:\windows\system32\CSVer.dll
2011-02-25 05:30 . 2011-03-31 23:29 2616320 ----a-w- c:\windows\explorer.exe
2011-02-22 22:27 . 2011-02-22 22:27 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-02-22 22:27 . 2011-02-22 22:27 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-02-19 06:30 . 2011-03-08 20:48 805376 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 06:30 . 2011-03-08 20:48 1076736 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 06:30 . 2011-03-08 20:48 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-18 05:39 . 2011-03-31 23:29 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-05-04 12:42 . 2011-03-25 23:21 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RESTART_STICKY_NOTES"="c:\windows\System32\StikyNot.exe" [2009-07-14 354304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
R3 Andbus;LGE Android Platform Composite USB Device;c:\windows\system32\DRIVERS\lgandbus.sys [2010-12-07 14336]
R3 AndDiag;LGE Android Platform USB Serial Port;c:\windows\system32\DRIVERS\lganddiag.sys [2010-12-07 20736]
R3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows\system32\DRIVERS\lgandgps.sys [2010-12-07 20096]
R3 ANDModem;LGE Android Platform USB Modem;c:\windows\system32\DRIVERS\lgandmodem.sys [2010-12-07 25088]
R3 C00D35D9;C00D35D9;c:\windows\system32\C00D35D9.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 136176]
R3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\DRIVERS\ivusb.sys [2010-07-28 25112]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\DRIVERS\s1018bus.sys [2009-03-25 86824]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s1018mdfl.sys [2009-03-25 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s1018mdm.sys [2009-03-25 114728]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s1018mgmt.sys [2009-03-25 106208]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\DRIVERS\s1018nd5.sys [2009-03-25 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s1018obex.sys [2009-03-25 104744]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\DRIVERS\s1018unic.sys [2009-03-25 109864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-07 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-07 691696]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-05-10 53592]
S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-02-28 109728]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 04:58]
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-07 04:58]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\bo6hgl0j.default\
FF - prefs.js: browser.search.defaulturl -
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-05-14 08:36:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-13 22:36
ComboFix2.txt 2011-05-09 22:05
ComboFix3.txt 2011-05-04 12:55
.
Pre-Run: 87,931,375,616 bytes free
Post-Run: 87,848,259,584 bytes free
.
Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 74E7250CB076BE18884ABD598FBAEA67
Randal'Thor
Active Member
 
Posts: 14
Joined: September 13th, 2008, 7:21 am