Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 21st, 2009, 9:45 pm

Basically some sites describe that I have a trojan virus that will crush their websites database. Within the hour I have been experiencing browser redirecting, pop-ups, and crashes.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:12 PM, on 1/21/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 3104 bytes








2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
AppCore
Atheros Driver Installation Program
Camtasia Studio 6
ccCommon
CCleaner (remove only)
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Component Framework
Conexant HD Audio
CyberLink DVD Suite
ESU for Microsoft Vista
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.40 F1
HP Smart Web Printing
HP Total Care Advisor
HP Update
HP User Guides 0121
HP Wireless Assistant
HPNetworkAssistant
HPTCSSetup
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 11
Java(TM) 6 Update 5
LabelPrint
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.1
My HP Games
NetWaiting
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Power2Go
PowerDirector
QuickPlay SlingPlayer 0.4.6
Realtek 8169 8168 8101E 8102E Ethernet Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Skype™ 3.8
SPBBC 32bit
Symantec Real Time Storage Protection Component
Synaptics Pointing Device Driver
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Viewpoint Media Player
Windows Media Player Firefox Plugin
WinRAR archiver
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm
Advertisement
Register to Remove

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Odd dude » January 25th, 2009, 3:24 pm

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you with your infection. However, it is important to take note of the following - quite the wall of text, I know, but please bear with me:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Only YOU must use these instructions, they are not suitable for any other computer, similar issues or not.
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is making sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you were to do the same. From this point, we're in this together ;)
    Because of this, you must reply within five days
    . I will post a reminder should you seem to fail to do this, however, if you fail to reply within five days then, unless I have been notified of your absence in advance, the topic shall be closed!
  • As I am still in training at the Malware Removal University, anything I do must be checked by an experienced malware fighter. This means there might be a slight delay in my answers.
  • Lastly, I am no magican. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

I am now analyzing your situation and hope to be back with you soon. While I am reviewing your situation, could you please do the following for me:

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Please post back:
  • Uninstall list
  • New hijackthis log
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 25th, 2009, 9:10 pm

Uninstall List:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
Atheros Driver Installation Program
Avira AntiVir Personal - Free Antivirus
Camtasia Studio 6
CCleaner (remove only)
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
COMODO Internet Security
COMODO SafeSurf
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CyberLink DVD Suite
DebugMode Wax 2.0
ESU for Microsoft Vista
HDAUDIO Soft Data Fax Modem with SmartCP
Hewlett-Packard Active Check for Health Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.40 F1
HP Smart Web Printing
HP Total Care Advisor
HP Update
HP User Guides 0121
HP Wireless Assistant
HPNetworkAssistant
HPTCSSetup
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 11
Java(TM) 6 Update 5
LabelPrint
Malwarebytes' Anti-Malware
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.53
Microsoft Works
Mozilla Firefox (3.0.5)
MSDN Library - Visual Studio 6.0a
MSXML 4.0 SP2 (KB954430)
muvee autoProducer 6.1
My HP Games
NetWaiting
Power2Go
PowerDirector
QuickPlay SlingPlayer 0.4.6
Realtek 8169 8168 8101E 8102E Ethernet Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Skype™ 3.8
Synaptics Pointing Device Driver
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Viewpoint Media Player
Windows Live Sign-in Assistant
Windows Media Player Firefox Plugin
WinRAR archiver

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:29 PM, on 1/25/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll C:\Windows\system32\cssdll32.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 3577 bytes
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Odd dude » January 26th, 2009, 2:49 pm

GMER
Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 26th, 2009, 4:49 pm

After the scan it said something like "Warning! Changes have been caused due to rootkit activity."

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-26 15:46:14
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0x8BEF5AD8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcConnectPort [0x8BEF6982]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAlpcCreatePort [0x8BEF5F0C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0x8BEF4E8E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0x8BEF5694]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0x8BEF4BE8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0x8BEF54EA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0x8BEF5CBE]
SSDT 876FF9AC ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0x8BEF4520]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0x8BEF6604]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0x8BEF50D4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0x8BEF58CC]
SSDT 876FF998 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0x8BEF5364]
SSDT 876FF99D ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0x8BEF4D06]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0x8BEF63BC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0x8BEF67B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0x8BEF506E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0x8BEF5258]
SSDT 876FF9A7 ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0x8BEF4980]
SSDT 876FF9A2 ZwWriteVirtualMemory
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThreadEx [0x8BEF6018]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateUserProcess [0x8BEF6C12]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 34C 81CCC910 4 Bytes [ D8, 5A, EF, 8B ]
.text ntkrnlpa.exe!KeSetTimerEx + 370 81CCC934 8 Bytes [ 82, 69, EF, 8B, 0C, 5F, EF, ... ]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81CCC9B8 4 Bytes [ 8E, 4E, EF, 8B ]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 81CCC9D0 4 Bytes [ 94, 56, EF, 8B ]
.text ntkrnlpa.exe!KeSetTimerEx + 438 81CCC9FC 4 Bytes CALL 4358B94C
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Windows\System32\svchost.exe[320] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[320] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\SearchIndexer.exe[472] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\wininit.exe[540] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\winlogon.exe[580] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\services.exe[628] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsass.exe[644] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\lsm.exe[652] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[804] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[884] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[988] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\svchost.exe[1084] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1116] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1228] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1332] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\WLANExt.exe[1476] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\System32\spoolsv.exe[1576] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1628] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 00345740 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 00345810 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] USER32.dll!mouse_event 770B1305 5 Bytes JMP 003416D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] USER32.dll!EndTask 770CACCF 5 Bytes JMP 003453D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 00341550 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 00341860 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 00341230 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 003413C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 00345260 C:\Windows\system32\guard32.dll
.text C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe[1840] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 003450E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[1892] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1956] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[1968] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\svchost.exe[2036] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] OLE32.DLL!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\WinRAR\WinRAR.exe[2056] OLE32.DLL!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2312] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] user32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] user32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] user32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Plugin Manager\skypePM.exe[2376] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\taskeng.exe[2528] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\Dwm.exe[2552] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\Explorer.EXE[2620] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\GMER\gmer.exe[2664] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[2788] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Windows\system32\NOTEPAD.EXE[3276] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] user32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] user32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] user32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\Skype\Phone\Skype.exe[3364] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[3376] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 002B5740 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 002B5810 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 002B1860 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 002B1230 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 002B13C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] USER32.dll!mouse_event 770B1305 5 Bytes JMP 002B16D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] USER32.dll!EndTask 770CACCF 5 Bytes JMP 002B53D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 002B1550 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 002B5260 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[3564] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 002B50E0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] ntdll.dll!LdrUnloadDll 77A5E89C 7 Bytes JMP 10005740 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] ntdll.dll!NtClose 77A77F48 5 Bytes JMP 10005810 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] USER32.dll!mouse_event 770B1305 5 Bytes JMP 100016D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] USER32.dll!EndTask 770CACCF 5 Bytes JMP 100053D0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] USER32.dll!keybd_event 770DD93C 5 Bytes JMP 10001550 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] GDI32.dll!BitBlt 77846CE7 5 Bytes JMP 10001860 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] GDI32.dll!CreateDCA 7784AC01 5 Bytes JMP 10001230 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] GDI32.dll!CreateDCW 7784ADA5 5 Bytes JMP 100013C0 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] ole32.dll!CoGetClassObject 77156120 5 Bytes JMP 10005260 C:\Windows\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[4072] ole32.dll!CoCreateInstanceEx 7716E1CB 5 Bytes JMP 100050E0 C:\Windows\system32\guard32.dll

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74BF7BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74C398C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74BFD3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74BEF527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74BF7599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74BEE43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74C2B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74BFD68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74BF012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74BF0095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74BE71F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74C7D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74C175E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74BEDAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74BE668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74BE66BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2620] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74BF1E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\tdx \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxrslepfyb.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxrslepfyb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxrslepfyb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxtracvkux.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxrslepfyb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxrslepfyb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxtracvkux.dll

---- EOF - GMER 1.0.14 ----
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Odd dude » January 26th, 2009, 5:42 pm

After the scan it said something like "Warning! Changes have been caused due to rootkit activity."
Yeah...... sorry, but you need to be informed about this.

Rootkits are specialist programs designed to put a "hook" on Windows functions. This basically means that ANYTHING Windows does goes through the rootkit driver first - the same way your antivirus program intercepts every file loaded into memory to check it for malicious activity. Unlike your antivirus software, a rootkit has malevolent intentions. To keep it short - the rootkit will have TOTAL control of what you can and cannot see or do through your operating system. This means that Windows is now under total control of the rootkit, and you can't be sure that you're not being decieved by it - no matter what you do.

I'll unhook the rootkit driver in the next step(s), so don't worry, I'll make it go away, but you have to understand that EVERYTHING has passed through the rootkit, so essentially EVERYTHING will have been exposed to the virus.

This is something to keep in mind as the rootkit MAY have gathered personal information about you.

I'll first unhook the driver and then have it scanned to see whether this was its main function or not (because fortunately most rootkits can do this but don't), however you may need to take steps you deem appropriate - particularly if you have done any online banking or such lately.

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

ComboFix uses very brute tactics to rip malware off your system. Do not panic if your antivirus software warns you about the file.

:!: Please disable all your antivirus software, firewalls, and antispyware software BEFORE running ComboFix!! :!:


  • Download ComboFix from here and save it to your desktop. IMPORTANT: do NOT save it with the name "ComboFix.exe" - the rootkit may have a trigger for that. Rename it to Combifax.exe, just to be safe.
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix.
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Reenable your protection software and post the log in your next reply

If you cannot connect to the internet after running ComboFix, plug the cable/reciever/whatever you use to connect to the internet out and back in.
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 26th, 2009, 7:32 pm

At first it wouldn't run because I needed adminstrator capabilites since I have vista then i exited and ran it as administrator. Just letting you know.

ComboFix 09-01-21.04 - Robert 2009-01-26 18:22:35.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.956 [GMT -4:00]
Running from: c:\users\Robert\Downloads\ComboFix.exe
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
D:\resycled

.
((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.

2009-01-26 15:25 . 2009-01-26 15:25 250 --a------ c:\windows\gmer.ini
2009-01-26 15:24 . 2009-01-26 15:24 <DIR> d-------- C:\GMER
2009-01-25 19:04 . 2009-01-25 19:04 <DIR> d-------- c:\program files\Sonic Foundry
2009-01-25 19:04 . 2009-01-25 19:04 <DIR> d-------- c:\program files\Pure Motion
2009-01-25 19:04 . 2009-01-25 19:04 <DIR> d-------- c:\program files\DebugMode
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\users\All Users\Avira
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\program files\Avira
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\progra~2\Avira
2009-01-25 01:05 . 2009-01-25 01:05 0 --a------ c:\windows\nsreg.dat
2009-01-24 23:53 . 2009-01-24 23:53 249,592 --a------ c:\windows\System32\cssdll32.dll
2009-01-24 23:50 . 2009-01-25 00:14 <DIR> d-------- c:\users\All Users\comodo
2009-01-24 23:50 . 2009-01-24 23:53 <DIR> d-------- c:\program files\COMODO
2009-01-24 23:50 . 2009-01-25 00:14 <DIR> d-------- c:\progra~2\comodo
2009-01-24 23:50 . 2009-01-24 23:50 147,192 --a------ c:\windows\System32\guard32.dll
2009-01-24 23:50 . 2009-01-24 23:50 99,344 --a------ c:\windows\System32\drivers\cmdguard.sys
2009-01-24 23:50 . 2009-01-24 23:50 25,104 --a------ c:\windows\System32\drivers\cmdhlp.sys
2009-01-24 23:40 . 2009-01-24 23:40 <DIR> d-------- c:\program files\Microsoft
2009-01-23 16:35 . 2009-01-23 16:35 <DIR> d-------- c:\program files\Web Publish
2009-01-23 16:35 . 2009-01-23 16:35 1,273 --a------ c:\windows\VB.INI
2009-01-23 16:35 . 2009-01-23 16:35 535 --a------ c:\windows\ODBCINST.INI
2009-01-23 16:35 . 2009-01-23 16:35 288 --a------ c:\windows\ODBC.INI
2009-01-23 16:34 . 2009-01-23 16:34 <DIR> d-------- c:\windows\msapps
2009-01-21 20:13 . 2009-01-21 20:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\users\Robert\AppData\Roaming\Malwarebytes
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\progra~2\Malwarebytes
2009-01-21 19:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-21 19:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-21 14:56 . 2009-01-21 14:56 <DIR> d-------- c:\users\Robert\AppData\Roaming\Download Manager
2009-01-20 16:16 . 2009-01-20 16:16 <DIR> d-------- c:\program files\AVG
2009-01-20 15:57 . 2009-01-20 15:57 <DIR> d-------- c:\program files\CCleaner
2009-01-20 15:46 . 2009-01-21 15:38 <DIR> d-------- c:\users\Robert\AppData\Roaming\DNA
2009-01-20 15:46 . 2009-01-21 15:28 <DIR> d-------- c:\program files\DNA
2009-01-20 15:18 . 2009-01-20 15:17 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2009-01-20 15:16 . 2009-01-20 15:16 <DIR> d-------- c:\windows\Sun
2009-01-19 12:48 . 2009-01-19 12:48 <DIR> d-------- c:\windows\PrimoPDF4
2009-01-19 12:48 . 2006-12-11 17:12 176,235 --a------ c:\windows\System32\Primomonnt.dll
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\windows\System32\QuickTime
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\users\All Users\TechSmith
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\program files\TechSmith
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\program files\Common Files\TechSmith Shared
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\progra~2\TechSmith
2009-01-19 03:13 . 2008-07-10 14:56 107,864 --a------ c:\windows\System32\tsccvid.dll
2009-01-19 02:28 . 2009-01-19 02:29 <DIR> d-------- c:\users\Robert\E-books
2009-01-19 00:20 . 2009-01-19 00:37 <DIR> d-------- c:\program files\PC Satellite TV
2009-01-15 17:22 . 2009-01-15 17:22 <DIR> d-------- c:\users\Robert\AppData\Roaming\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-13 21:03 . 2009-01-20 15:41 <DIR> d-------- c:\users\Robert\Incomplete
2009-01-13 21:02 . 2009-01-20 16:23 <DIR> d-------- c:\users\Robert\AppData\Roaming\FrostWire
2009-01-13 21:02 . 2009-01-20 16:05 <DIR> d-------- c:\program files\FrostWire
2009-01-13 20:02 . 2009-01-13 20:10 <DIR> d-------- c:\users\Robert\AppData\Roaming\muvee Technologies
2009-01-13 19:44 . 2008-12-15 22:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-13 19:42 . 2009-01-21 15:19 <DIR> d-a------ c:\users\All Users\TEMP
2009-01-13 19:42 . 2009-01-21 15:19 <DIR> d-a------ c:\progra~2\TEMP
2009-01-11 12:51 . 2009-01-11 12:51 56 --ah----- c:\windows\System32\ezsidmv.dat
2009-01-04 17:19 . 2009-01-04 17:19 <DIR> d-------- c:\users\Robert\AppData\Roaming\Yahoo!
2008-12-31 14:12 . 2009-01-26 16:00 <DIR> d-------- c:\users\Robert\AppData\Roaming\skypePM
2008-12-31 14:11 . 2009-01-26 18:25 <DIR> d-------- c:\users\Robert\AppData\Roaming\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\users\All Users\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\program files\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\program files\Common Files\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\progra~2\Skype
2008-12-29 05:20 . 2008-12-29 05:19 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-28 11:04 . 2008-12-28 11:04 <DIR> d-------- C:\vv
2008-12-28 10:18 . 2008-12-28 10:18 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-26 03:59 . 2008-10-01 21:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-12-26 03:54 . 2008-10-21 21:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-26 03:47 . 2008-12-26 03:47 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-26 03:44 . 2008-06-25 21:45 12,240,896 --a------ c:\windows\System32\NlsLexicons0007.dll
2008-12-26 03:44 . 2008-06-25 21:45 2,644,480 --a------ c:\windows\System32\NlsLexicons0009.dll
2008-12-26 03:44 . 2008-10-16 00:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-26 03:44 . 2008-08-11 23:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-12-26 03:44 . 2008-06-25 23:29 303,616 --a------ c:\windows\System32\wmpeffects.dll
2008-12-26 03:44 . 2008-05-09 21:33 113,664 --a------ c:\windows\System32\drivers\rmcast.sys
2008-12-26 03:43 . 2008-10-31 21:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-26 03:43 . 2008-06-22 21:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-26 03:43 . 2008-03-08 00:21 1,695,744 --a------ c:\windows\System32\gameux.dll
2008-12-26 03:43 . 2008-10-21 01:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-12-26 03:43 . 2008-09-05 01:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-12-26 03:43 . 2008-06-22 21:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-26 03:43 . 2008-06-25 23:29 801,280 --a------ c:\windows\System32\NaturalLanguage6.dll
2008-12-26 03:43 . 2008-06-22 21:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-26 03:43 . 2008-10-31 23:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-26 03:38 . 2008-09-18 01:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-12-26 03:38 . 2008-09-18 01:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-12-26 03:36 . 2008-09-09 23:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-12-26 03:28 . 2008-10-16 17:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-12-26 03:28 . 2008-10-16 16:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-12-26 03:28 . 2008-10-16 17:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-12-26 03:28 . 2008-10-16 16:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-12-26 03:28 . 2008-10-16 17:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-12-26 03:28 . 2008-10-16 17:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-12-26 03:28 . 2008-10-16 17:08 34,328 --a------ c:\windows\System32\wups.dll
2008-12-26 03:27 . 2008-10-16 18:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-12-26 03:27 . 2008-10-16 17:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-12-26 03:26 . 2008-12-26 03:26 <DIR> d-------- c:\users\Robert\AppData\Roaming\Symantec
2008-12-26 03:25 . 2008-12-26 03:25 <DIR> dr------- c:\users\Robert\Searches
2008-12-26 03:25 . 2008-12-26 03:25 <DIR> dr------- c:\users\Robert\Contacts
2008-12-26 03:25 . 2008-12-26 06:37 <DIR> d-------- c:\users\Robert\AppData\Roaming\hewlett-packard
2008-12-26 03:25 . 2008-12-26 03:25 44 --a------ c:\windows\system\hpsysdrv.dat
2008-12-26 03:21 . 2008-12-26 03:21 <DIR> d-------- c:\users\Robert\AppData\Roaming\HP TCS
2008-12-26 03:20 . 2008-12-26 03:20 <DIR> d-------- c:\users\All Users\Viewpoint
2008-12-26 03:20 . 2008-12-26 03:20 <DIR> d-------- c:\users\All Users\AOL OCP
2008-12-26 03:20 . 2008-12-26 03:20 <DIR> d-------- c:\users\All Users\AOL
2008-12-26 03:20 . 2008-12-26 03:21 <DIR> d-------- c:\program files\Viewpoint
2008-12-26 03:20 . 2008-12-26 03:20 <DIR> d-------- c:\progra~2\Viewpoint
2008-12-26 03:20 . 2008-12-26 03:20 <DIR> d-------- c:\progra~2\AOL OCP
2008-12-26 03:20 . 2008-12-26 03:20 <DIR> d-------- c:\progra~2\AOL
2008-12-26 03:19 . 2009-01-20 16:04 <DIR> d-------- c:\program files\Common Files\AOL
2008-12-26 03:19 . 2008-12-26 03:21 368 --ah----- C:\IPH.PH
2008-12-26 03:18 . 2008-12-26 03:18 0 -rahs---- c:\windows\System32\drivers\103C_HP_cNB_Presario CQ50 Notebook PC_Y5335KV_0U_Q2CE835074V_E497021-001_4A_I360B_SWistron_V09.41_F.24_T080813_WV2-1_L409_M1979_J160_7Intel_86FD_92.00_#080902_N10EC8136;168C001C_(FR972UA#ABA)_XMOBILE_CN10_Z.MRK
2008-12-26 03:17 . 2009-01-25 19:36 <DIR> dr------- c:\users\Robert\Videos
2008-12-26 03:17 . 2008-12-26 06:40 <DIR> dr------- c:\users\Robert\Saved Games
2008-12-26 03:17 . 2009-01-25 21:33 <DIR> dr------- c:\users\Robert\Pictures
2008-12-26 03:17 . 2009-01-20 06:44 <DIR> d-------- c:\users\Robert\Music
2008-12-26 03:17 . 2009-01-22 08:09 <DIR> dr------- c:\users\Robert\Links
2008-12-26 03:17 . 2009-01-26 18:18 <DIR> dr------- c:\users\Robert\Downloads
2008-12-26 03:17 . 2009-01-25 20:09 <DIR> dr------- c:\users\Robert\Documents
2008-12-26 03:17 . 2008-12-26 03:17 <DIR> d--h----- c:\users\Robert\AppData
2008-12-26 03:17 . 2009-01-24 23:52 <DIR> d-------- c:\users\Robert

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 05:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-25 05:18 --------- d-----w c:\progra~2\Symantec
2009-01-19 04:45 --------- d-----w c:\program files\Common Files\Adobe
2009-01-19 03:37 --------- d-----w c:\program files\Yahoo!
2009-01-14 07:01 --------- d-----w c:\program files\Windows Mail
2009-01-10 10:55 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-10 10:55 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-29 09:19 --------- d-----w c:\program files\Java
2008-12-28 15:37 --------- d-----w c:\progra~2\Microsoft Help
2008-12-26 07:19 --------- d-----w c:\program files\Windows Sidebar
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
2008-06-30 21:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2009-01-24 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-24 1797880]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C8F554C7-B099-4399-813F-8A2B38A79F77}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{926F2246-DC26-4C54-B7A0-2536A5EFCC6F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{8F12F9D3-7DCC-4A3E-A382-4908065B56FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3C8C8D18-6DF0-4C2D-9BCE-92F812D8F724}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{880AA6DE-1C3E-499E-BE84-F1158C0E778B}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8C261550-CED2-40BE-B146-DD028BCD755E}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2F98A26A-90AB-4461-96DD-A58AEC925DB6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{484A5CEB-F010-4415-AD16-9C42A209C595}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BB4B098F-C7CE-47D2-8A03-B30DDBF3636F}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{F95B3D0B-28A4-4927-AEC5-3F52E535258C}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{DC9DA8A3-5640-4D39-BD4B-43E42D37A605}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{49DE17C1-3D66-4BDA-A72E-6E4B5400752D}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{0FA36D6B-517B-421F-B661-AF547DB1C6A5}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{F34600EA-84BA-4514-A335-22C7F183BE96}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [2009-01-24 99344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [2009-01-24 25104]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [2008-06-04 113664]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-07-26 193840]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-07-26 361808]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-26 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\oins3cdm.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 18:25:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\guard32.dll
c:\windows\system32\cssdll32.dll

- - - - - - - > 'lsass.exe'(644)
c:\windows\system32\guard32.dll
c:\windows\system32\cssdll32.dll
.
Completion time: 2009-01-26 18:28:11
ComboFix-quarantined-files.txt 2009-01-26 22:28:04

Pre-Run: 104,602,886,144 bytes free
Post-Run: 107,975,467,008 bytes free

257 --- E O F --- 2009-01-26 19:02:38
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 26th, 2009, 11:27 pm

Unfortuantley, I'm experiencing drastic changes in my system. The mouse is going slow and whenever I'm trying to move it, it takes a long time to catch up to where I dragged it. I hope this virus isn't serious enough for me to have to reformat.
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Odd dude » January 27th, 2009, 10:03 am

The issues are most likely caused because ComboFix did not yet unhook the rootkit.

Copy and paste this to notepad:
Code: Select all
Driver::
gaopdxserv.sys
Rootkit::
c:\windows\system32\drivers\gaopdxrslepfyb.sys
c:\windows\system32\drivers\gaopdxtracvkux.dll

Save it to your desktop as "CFScript.txt", include the quotation marks.

Copy and paste this to notepad:
Code: Select all
ComboFix CFScript.txt

Save it to your desktop as "Combostart.bat", include the quotation marks.

Disable your antimalware programs again, because ComboFix is about to run.

Right click Combostart.bat and choose Run as administrator.

Next:

Submit a file for analysis

We need to have something checked for malware. Please go to Jotti's.
  • Copy and paste the following text into the field under File to upload & scan:
    Code: Select all
    c:\Qoobox\Quarantine\C\Windows\System32\drivers\gaopdxrslepfyb.sys.vir
  • Click Submit. The file will now be scanned for malware and the results will be displayed from the screen. Select the part where the virus scan results are shown (the part starting with A-squared and ending with VBA32) and copy and paste this to notepad.
  • Copy and paste the whole notepad file you just made into your reply.

Post back:
- ComboFix log
- Jotti log
- new HijackThis log
- description of how the computer is running
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 27th, 2009, 5:15 pm

I couldn't do the Jotti log because when I went to the site it made me browse when I clicked the area to paste the code and I don't have that file on computer as it says. So here is the Hijack and Combofix log. And my computer is doing okay but I still would like it to be 100% clean, you know?


Hijack: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:56 PM, on 1/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - AppInit_DLLs: G G
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 3051 bytes








ComboFix:



ComboFix 09-01-21.04 - Robert 2009-01-27 15:54:44.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.1155 [GMT -4:00]
Running from: c:\users\Robert\Desktop\ComboFix.exe
Command switches used :: CFScript.txt
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-26 15:25 . 2009-01-26 15:25 250 --a------ c:\windows\gmer.ini
2009-01-26 15:24 . 2009-01-26 15:24 <DIR> d-------- C:\GMER
2009-01-25 19:04 . 2009-01-25 19:04 <DIR> d-------- c:\program files\Sonic Foundry
2009-01-25 19:04 . 2009-01-25 19:04 <DIR> d-------- c:\program files\Pure Motion
2009-01-25 19:04 . 2009-01-27 15:44 <DIR> d-------- c:\program files\DebugMode
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\users\All Users\Avira
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\program files\Avira
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\progra~2\Avira
2009-01-25 01:05 . 2009-01-25 01:05 0 --a------ c:\windows\nsreg.dat
2009-01-24 23:53 . 2009-01-24 23:53 249,592 --a------ c:\windows\System32\cssdll32.dll
2009-01-24 23:50 . 2009-01-25 00:14 <DIR> d-------- c:\users\All Users\comodo
2009-01-24 23:50 . 2009-01-24 23:53 <DIR> d-------- c:\program files\COMODO
2009-01-24 23:50 . 2009-01-25 00:14 <DIR> d-------- c:\progra~2\comodo
2009-01-24 23:50 . 2009-01-24 23:50 147,192 --a------ c:\windows\System32\guard32.dll
2009-01-24 23:50 . 2009-01-24 23:50 99,344 --a------ c:\windows\System32\drivers\cmdguard.sys
2009-01-24 23:50 . 2009-01-24 23:50 25,104 --a------ c:\windows\System32\drivers\cmdhlp.sys
2009-01-24 23:40 . 2009-01-24 23:40 <DIR> d-------- c:\program files\Microsoft
2009-01-23 16:35 . 2009-01-23 16:35 <DIR> d-------- c:\program files\Web Publish
2009-01-23 16:35 . 2009-01-23 16:35 1,273 --a------ c:\windows\VB.INI
2009-01-23 16:35 . 2009-01-23 16:35 535 --a------ c:\windows\ODBCINST.INI
2009-01-23 16:35 . 2009-01-23 16:35 288 --a------ c:\windows\ODBC.INI
2009-01-23 16:34 . 2009-01-23 16:34 <DIR> d-------- c:\windows\msapps
2009-01-21 20:13 . 2009-01-21 20:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\users\Robert\AppData\Roaming\Malwarebytes
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\progra~2\Malwarebytes
2009-01-21 19:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-21 19:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-21 14:56 . 2009-01-21 14:56 <DIR> d-------- c:\users\Robert\AppData\Roaming\Download Manager
2009-01-20 15:57 . 2009-01-20 15:57 <DIR> d-------- c:\program files\CCleaner
2009-01-20 15:46 . 2009-01-21 15:38 <DIR> d-------- c:\users\Robert\AppData\Roaming\DNA
2009-01-20 15:46 . 2009-01-21 15:28 <DIR> d-------- c:\program files\DNA
2009-01-20 15:18 . 2009-01-20 15:17 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2009-01-20 15:16 . 2009-01-20 15:16 <DIR> d-------- c:\windows\Sun
2009-01-19 12:48 . 2009-01-19 12:48 <DIR> d-------- c:\windows\PrimoPDF4
2009-01-19 12:48 . 2006-12-11 17:12 176,235 --a------ c:\windows\System32\Primomonnt.dll
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\windows\System32\QuickTime
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\users\All Users\TechSmith
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\program files\TechSmith
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\program files\Common Files\TechSmith Shared
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\progra~2\TechSmith
2009-01-19 03:13 . 2008-07-10 14:56 107,864 --a------ c:\windows\System32\tsccvid.dll
2009-01-19 02:28 . 2009-01-19 02:29 <DIR> d-------- c:\users\Robert\E-books
2009-01-19 00:20 . 2009-01-19 00:37 <DIR> d-------- c:\program files\PC Satellite TV
2009-01-15 17:22 . 2009-01-15 17:22 <DIR> d-------- c:\users\Robert\AppData\Roaming\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-13 21:03 . 2009-01-20 15:41 <DIR> d-------- c:\users\Robert\Incomplete
2009-01-13 21:02 . 2009-01-20 16:23 <DIR> d-------- c:\users\Robert\AppData\Roaming\FrostWire
2009-01-13 20:02 . 2009-01-13 20:10 <DIR> d-------- c:\users\Robert\AppData\Roaming\muvee Technologies
2009-01-13 19:44 . 2008-12-15 22:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-13 19:42 . 2009-01-21 15:19 <DIR> d-a------ c:\users\All Users\TEMP
2009-01-13 19:42 . 2009-01-21 15:19 <DIR> d-a------ c:\progra~2\TEMP
2009-01-11 12:51 . 2009-01-11 12:51 56 --ah----- c:\windows\System32\ezsidmv.dat
2009-01-04 17:19 . 2009-01-04 17:19 <DIR> d-------- c:\users\Robert\AppData\Roaming\Yahoo!
2008-12-31 14:12 . 2009-01-26 16:00 <DIR> d-------- c:\users\Robert\AppData\Roaming\skypePM
2008-12-31 14:11 . 2009-01-26 21:40 <DIR> d-------- c:\users\Robert\AppData\Roaming\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\users\All Users\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\program files\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\program files\Common Files\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\progra~2\Skype
2008-12-29 05:20 . 2008-12-29 05:19 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-28 11:04 . 2008-12-28 11:04 <DIR> d-------- C:\vv
2008-12-28 10:18 . 2008-12-28 10:18 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 05:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-25 05:18 --------- d-----w c:\progra~2\Symantec
2009-01-20 20:04 --------- d-----w c:\program files\Common Files\AOL
2009-01-19 04:45 --------- d-----w c:\program files\Common Files\Adobe
2009-01-19 03:37 --------- d-----w c:\program files\Yahoo!
2009-01-14 07:01 --------- d-----w c:\program files\Windows Mail
2009-01-10 10:55 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-10 10:55 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-29 09:19 --------- d-----w c:\program files\Java
2008-12-28 15:37 --------- d-----w c:\progra~2\Microsoft Help
2008-12-26 10:37 --------- d-----w c:\users\Robert\AppData\Roaming\hewlett-packard
2008-12-26 07:47 --------- d-----w c:\program files\MSXML 4.0
2008-12-26 07:26 --------- d-----w c:\users\Robert\AppData\Roaming\Symantec
2008-12-26 07:21 --------- d-----w c:\users\Robert\AppData\Roaming\HP TCS
2008-12-26 07:21 --------- d-----w c:\program files\Viewpoint
2008-12-26 07:20 --------- d-----w c:\progra~2\Viewpoint
2008-12-26 07:20 --------- d-----w c:\progra~2\AOL OCP
2008-12-26 07:20 --------- d-----w c:\progra~2\AOL
2008-12-26 07:19 --------- d-----w c:\program files\Windows Sidebar
2008-12-26 07:18 0 --sha-r c:\windows\system32\drivers\103C_HP_cNB_Presario CQ50 Notebook PC_Y5335KV_0U_Q2CE835074V_E497021-001_4A_I360B_SWistron_V09.41_F.24_T080813_WV2-1_L409_M1979_J160_7Intel_86FD_92.00_#080902_N10EC8136;168C001C_(FR972UA#ABA)_XMOBILE_CN10_Z.MRK
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
2008-06-30 21:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2009-01-24 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-24 1797880]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G G

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C8F554C7-B099-4399-813F-8A2B38A79F77}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{926F2246-DC26-4C54-B7A0-2536A5EFCC6F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{8F12F9D3-7DCC-4A3E-A382-4908065B56FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3C8C8D18-6DF0-4C2D-9BCE-92F812D8F724}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{880AA6DE-1C3E-499E-BE84-F1158C0E778B}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8C261550-CED2-40BE-B146-DD028BCD755E}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2F98A26A-90AB-4461-96DD-A58AEC925DB6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{484A5CEB-F010-4415-AD16-9C42A209C595}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BB4B098F-C7CE-47D2-8A03-B30DDBF3636F}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{F95B3D0B-28A4-4927-AEC5-3F52E535258C}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{DC9DA8A3-5640-4D39-BD4B-43E42D37A605}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{49DE17C1-3D66-4BDA-A72E-6E4B5400752D}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{0FA36D6B-517B-421F-B661-AF547DB1C6A5}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{F34600EA-84BA-4514-A335-22C7F183BE96}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [2009-01-24 99344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [2009-01-24 25104]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [2008-06-04 113664]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-07-26 193840]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-07-26 361808]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-26 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\oins3cdm.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 15:57:26
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-27 15:59:51
ComboFix-quarantined-files.txt 2009-01-27 19:59:46
ComboFix2.txt 2009-01-26 22:28:12

Pre-Run: 107,165,089,792 bytes free
Post-Run: 106,820,972,544 bytes free

199 --- E O F --- 2009-01-26 19:02:38
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Odd dude » January 28th, 2009, 2:17 am

My bad - programming error on my behalf

Copy and paste this to notepad:
Code: Select all
Driver::
gaopdxserv.sys
Rootkit::
c:\windows\system32\drivers\gaopdxrslepfyb.sys
c:\windows\system32\drivers\gaopdxtracvkux.dll
Registry::
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BB4B098F-C7CE-47D2-8A03-B30DDBF3636F}"=-
"{F95B3D0B-28A4-4927-AEC5-3F52E535258C}"=-
"{DC9DA8A3-5640-4D39-BD4B-43E42D37A605}"=-
"{49DE17C1-3D66-4BDA-A72E-6E4B5400752D}"=-
"{0FA36D6B-517B-421F-B661-AF547DB1C6A5}"=-
"{F34600EA-84BA-4514-A335-22C7F183BE96}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000000
"InternetSettingsDisableNotify"=dword:00000000
"AutoUpdateDisableNotify"=dword:00000000
Folder::
c:\users\Robert\AppData\Roaming\DNA
c:\program files\DNA
c:\users\Robert\Incomplete
c:\users\Robert\AppData\Roaming\FrostWire
C:\vv
Snapshot::

Save it to your desktop as "CFScript.txt", include the quotation marks. Overwrite the existing file.

Copy and paste this to notepad:
Code: Select all
@ComboFix c:\users\Robert\CFScript.txt

Save it to your desktop as "Combostart.bat", include the quotation marks. Overwrite the existing file.

Disable your antimalware programs again, because ComboFix is about to run.

Right click Combostart.bat and choose Run as administrator.

Next:

Submit a file for analysis

We need to have something checked for malware. Please go to Jotti's.
  • Copy and paste the following text into the field under File to upload & scan:
    Code: Select all
    c:\Qoobox\Quarantine\C\Windows\System32\drivers\gaopdxrslepfyb.sys.vir
  • Click Submit. The file will now be scanned for malware and the results will be displayed from the screen. Select the part where the virus scan results are shown (the part starting with A-squared and ending with VBA32) and copy and paste this to notepad.
  • Copy and paste the whole notepad file you just made into your reply.

Post back:
- ComboFix log
- Jotti log
- new HijackThis log
- description of how the computer is running
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 28th, 2009, 4:22 pm

As I said before that file can not be uploaded because when you search for the file you can't simply paste it in the bar. It makes you browse!

Here's the combofix

ComboFix 09-01-21.04 - Robert 2009-01-28 15:12:37.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.1072 [GMT -4:00]
Running from: c:\users\Robert\Desktop\ComboFix.exe
Command switches used :: c:\users\Robert\CFScript.txt
FW: COMODO Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 15:25 . 2009-01-26 15:25 250 --a------ c:\windows\gmer.ini
2009-01-26 15:24 . 2009-01-26 15:24 <DIR> d-------- C:\GMER
2009-01-25 19:04 . 2009-01-25 19:04 <DIR> d-------- c:\program files\Sonic Foundry
2009-01-25 19:04 . 2009-01-25 19:04 <DIR> d-------- c:\program files\Pure Motion
2009-01-25 19:04 . 2009-01-27 15:44 <DIR> d-------- c:\program files\DebugMode
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\users\All Users\Avira
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\program files\Avira
2009-01-25 01:34 . 2009-01-25 01:34 <DIR> d-------- c:\progra~2\Avira
2009-01-25 01:05 . 2009-01-25 01:05 0 --a------ c:\windows\nsreg.dat
2009-01-24 23:53 . 2009-01-24 23:53 249,592 --a------ c:\windows\System32\cssdll32.dll
2009-01-24 23:50 . 2009-01-25 00:14 <DIR> d-------- c:\users\All Users\comodo
2009-01-24 23:50 . 2009-01-24 23:53 <DIR> d-------- c:\program files\COMODO
2009-01-24 23:50 . 2009-01-25 00:14 <DIR> d-------- c:\progra~2\comodo
2009-01-24 23:50 . 2009-01-24 23:50 147,192 --a------ c:\windows\System32\guard32.dll
2009-01-24 23:50 . 2009-01-24 23:50 99,344 --a------ c:\windows\System32\drivers\cmdguard.sys
2009-01-24 23:50 . 2009-01-24 23:50 25,104 --a------ c:\windows\System32\drivers\cmdhlp.sys
2009-01-24 23:40 . 2009-01-24 23:40 <DIR> d-------- c:\program files\Microsoft
2009-01-23 16:35 . 2009-01-23 16:35 <DIR> d-------- c:\program files\Web Publish
2009-01-23 16:35 . 2009-01-23 16:35 1,273 --a------ c:\windows\VB.INI
2009-01-23 16:35 . 2009-01-23 16:35 535 --a------ c:\windows\ODBCINST.INI
2009-01-23 16:35 . 2009-01-23 16:35 288 --a------ c:\windows\ODBC.INI
2009-01-23 16:34 . 2009-01-23 16:34 <DIR> d-------- c:\windows\msapps
2009-01-21 20:13 . 2009-01-21 20:13 <DIR> d-------- c:\program files\Trend Micro
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\users\Robert\AppData\Roaming\Malwarebytes
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-21 19:09 . 2009-01-21 19:09 <DIR> d-------- c:\progra~2\Malwarebytes
2009-01-21 19:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-21 19:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-21 14:56 . 2009-01-21 14:56 <DIR> d-------- c:\users\Robert\AppData\Roaming\Download Manager
2009-01-20 15:57 . 2009-01-20 15:57 <DIR> d-------- c:\program files\CCleaner
2009-01-20 15:46 . 2009-01-21 15:38 <DIR> d-------- c:\users\Robert\AppData\Roaming\DNA
2009-01-20 15:46 . 2009-01-21 15:28 <DIR> d-------- c:\program files\DNA
2009-01-20 15:18 . 2009-01-20 15:17 102,664 --a------ c:\windows\System32\drivers\tmcomm.sys
2009-01-20 15:16 . 2009-01-20 15:16 <DIR> d-------- c:\windows\Sun
2009-01-19 12:48 . 2009-01-19 12:48 <DIR> d-------- c:\windows\PrimoPDF4
2009-01-19 12:48 . 2006-12-11 17:12 176,235 --a------ c:\windows\System32\Primomonnt.dll
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\windows\System32\QuickTime
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\users\All Users\TechSmith
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\program files\TechSmith
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\program files\Common Files\TechSmith Shared
2009-01-19 03:13 . 2009-01-19 03:13 <DIR> d-------- c:\progra~2\TechSmith
2009-01-19 03:13 . 2008-07-10 14:56 107,864 --a------ c:\windows\System32\tsccvid.dll
2009-01-19 02:28 . 2009-01-19 02:29 <DIR> d-------- c:\users\Robert\E-books
2009-01-19 00:20 . 2009-01-19 00:37 <DIR> d-------- c:\program files\PC Satellite TV
2009-01-15 17:22 . 2009-01-15 17:22 <DIR> d-------- c:\users\Robert\AppData\Roaming\de.makesoft.twhirl.0EA062BC275E7ED1E6EC3762EFFD73C7158ADF33.1
2009-01-15 17:21 . 2009-01-15 17:21 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-13 21:03 . 2009-01-20 15:41 <DIR> d-------- c:\users\Robert\Incomplete
2009-01-13 21:02 . 2009-01-20 16:23 <DIR> d-------- c:\users\Robert\AppData\Roaming\FrostWire
2009-01-13 20:02 . 2009-01-13 20:10 <DIR> d-------- c:\users\Robert\AppData\Roaming\muvee Technologies
2009-01-13 19:44 . 2008-12-15 22:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-13 19:42 . 2009-01-21 15:19 <DIR> d-a------ c:\users\All Users\TEMP
2009-01-13 19:42 . 2009-01-21 15:19 <DIR> d-a------ c:\progra~2\TEMP
2009-01-11 12:51 . 2009-01-11 12:51 56 --ah----- c:\windows\System32\ezsidmv.dat
2009-01-04 17:19 . 2009-01-04 17:19 <DIR> d-------- c:\users\Robert\AppData\Roaming\Yahoo!
2008-12-31 14:12 . 2009-01-26 16:00 <DIR> d-------- c:\users\Robert\AppData\Roaming\skypePM
2008-12-31 14:11 . 2009-01-26 21:40 <DIR> d-------- c:\users\Robert\AppData\Roaming\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\users\All Users\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\program files\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\program files\Common Files\Skype
2008-12-31 14:10 . 2008-12-31 14:10 <DIR> d-------- c:\progra~2\Skype
2008-12-29 05:20 . 2008-12-29 05:19 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-28 11:04 . 2008-12-28 11:04 <DIR> d-------- C:\vv
2008-12-28 10:18 . 2008-12-28 10:18 0 --ah----- c:\windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-25 05:20 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-25 05:18 --------- d-----w c:\progra~2\Symantec
2009-01-20 20:04 --------- d-----w c:\program files\Common Files\AOL
2009-01-19 04:45 --------- d-----w c:\program files\Common Files\Adobe
2009-01-19 03:37 --------- d-----w c:\program files\Yahoo!
2009-01-14 07:01 --------- d-----w c:\program files\Windows Mail
2009-01-10 10:55 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-10 10:55 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-12-29 09:19 --------- d-----w c:\program files\Java
2008-12-28 15:37 --------- d-----w c:\progra~2\Microsoft Help
2008-12-26 10:37 --------- d-----w c:\users\Robert\AppData\Roaming\hewlett-packard
2008-12-26 07:47 --------- d-----w c:\program files\MSXML 4.0
2008-12-26 07:26 --------- d-----w c:\users\Robert\AppData\Roaming\Symantec
2008-12-26 07:21 --------- d-----w c:\users\Robert\AppData\Roaming\HP TCS
2008-12-26 07:21 --------- d-----w c:\program files\Viewpoint
2008-12-26 07:20 --------- d-----w c:\progra~2\Viewpoint
2008-12-26 07:20 --------- d-----w c:\progra~2\AOL OCP
2008-12-26 07:20 --------- d-----w c:\progra~2\AOL
2008-12-26 07:19 --------- d-----w c:\program files\Windows Sidebar
2008-12-26 07:18 0 --sha-r c:\windows\system32\drivers\103C_HP_cNB_Presario CQ50 Notebook PC_Y5335KV_0U_Q2CE835074V_E497021-001_4A_I360B_SWistron_V09.41_F.24_T080813_WV2-1_L409_M1979_J160_7Intel_86FD_92.00_#080902_N10EC8136;168C001C_(FR972UA#ABA)_XMOBILE_CN10_Z.MRK
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
2008-06-30 21:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-27_15.58.08.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-27 02:13:36 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-28 09:58:57 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-27 02:13:36 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-28 09:58:57 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-27 02:13:36 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-28 09:58:57 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-27 02:18:03 101,350 ----a-w c:\windows\System32\perfc009.dat
+ 2009-01-27 20:21:04 101,350 ----a-w c:\windows\System32\perfc009.dat
- 2009-01-27 02:18:03 595,684 ----a-w c:\windows\System32\perfh009.dat
+ 2009-01-27 20:21:04 595,684 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-27 18:54:26 269,982 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-01-28 18:42:39 271,088 ----a-w c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2009-01-24 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-01-24 1797880]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=G G

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C8F554C7-B099-4399-813F-8A2B38A79F77}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{926F2246-DC26-4C54-B7A0-2536A5EFCC6F}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{8F12F9D3-7DCC-4A3E-A382-4908065B56FE}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3C8C8D18-6DF0-4C2D-9BCE-92F812D8F724}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{880AA6DE-1C3E-499E-BE84-F1158C0E778B}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{8C261550-CED2-40BE-B146-DD028BCD755E}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{2F98A26A-90AB-4461-96DD-A58AEC925DB6}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{484A5CEB-F010-4415-AD16-9C42A209C595}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{BB4B098F-C7CE-47D2-8A03-B30DDBF3636F}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{F95B3D0B-28A4-4927-AEC5-3F52E535258C}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{DC9DA8A3-5640-4D39-BD4B-43E42D37A605}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{49DE17C1-3D66-4BDA-A72E-6E4B5400752D}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{0FA36D6B-517B-421F-B661-AF547DB1C6A5}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (TCP-In)
"{F34600EA-84BA-4514-A335-22C7F183BE96}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent (UDP-In)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [2009-01-24 99344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [2009-01-24 25104]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [2008-06-04 113664]
S4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-07-26 193840]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-07-26 361808]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-12-26 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\oins3cdm.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 15:15:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-28 15:17:24
ComboFix-quarantined-files.txt 2009-01-28 19:17:20
ComboFix2.txt 2009-01-27 19:59:52
ComboFix3.txt 2009-01-26 22:28:12

Pre-Run: 106,588,319,744 bytes free
Post-Run: 106,249,457,664 bytes free

215 --- E O F --- 2009-01-26 19:02:38













Here's the Hijack this


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:22:12 PM, on 1/28/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O20 - AppInit_DLLs: G G
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 3055 bytes
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Odd dude » January 29th, 2009, 4:35 pm

OK - for some reason CFScript doesn't get read. So we'll have to try another tool which can accomplish the same thing.

The Avenger
Download The Avenger and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all.
  • Accept all defaults.
  • A folder will be created on your desktop, and it should pop up automatically.
  • Start the tool by right clicking avenger.exe and choosing Run as administrator.
  • Click OK when prompted.
  • Put a check next to Scan for rootkits and Automatically disable any rootkits found.
  • Copy and paste this to the Input script here: box:
    Code: Select all
    Drivers to delete:
    gaopdxserv.sys
    
    Files to delete:
    c:\windows\system32\drivers\gaopdxrslepfyb.sys
    c:\windows\system32\drivers\gaopdxtracvkux.dll
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}
    HKLM\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}
    
    Registry values to delete:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows|AppInit_DLLs
    
    Folders to delete:
    c:\users\Robert\AppData\Roaming\DNA
    c:\program files\DNA
    c:\users\Robert\Incomplete
    c:\users\Robert\AppData\Roaming\FrostWire
    C:\vv
    
    Programs to launch on reboot:
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    
  • Click the Execute button.
  • The Avenger will inform you it has been set up and it will kindly offer you to reboot. Please allow it to reboot your computer.
  • It may be that the Avenger needs another reboot to completely remove some deeply entrenched malware. In this case, it will force a blue screen crash error (Blue Screen of Death) after the first reboot. Please don't freak out when this happens.
  • After the reboot(s) have taken place, a command window zipping up all the removed malware should quickly pop up and disappear, along with the log file. The log can also be found as avenger.txt in the root of your drive (usually C:\).
  • Post the log in your next reply, along with a new hijackthis log (as you can see from the script I conveniently have it launch hijackthis for you).
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Realtalkrobert » January 29th, 2009, 7:43 pm

Eh, I think you forgot to tell me to disable all firewalls and antivirus but I did so anyway. It restarted twice but I didn't get a blue screen maybe because I have vista? But it just came to a black screen with white text that said either put pc in repair mode or start windows normally and it had a little countdown form 30 I believe. So I just picked start windows normally. It took a while for the desktop to load but the avenger log and hijack was running right off the boot. I don't know why but I seems like things aren't going to plan with this? Every time you tell me to do something it doesn't go crisp. Sorry about that by the way. My laptop is confusing. It's not your fault. But here are the logs.

Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gaopdxserv.sys" deleted successfully.

Error: file "c:\windows\system32\drivers\gaopdxrslepfyb.sys" not found!
Deletion of file "c:\windows\system32\drivers\gaopdxrslepfyb.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\drivers\gaopdxtracvkux.dll" not found!
Deletion of file "c:\windows\system32\drivers\gaopdxtracvkux.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "c:\users\Robert\AppData\Roaming\DNA" deleted successfully.
Folder "c:\program files\DNA" deleted successfully.
Folder "c:\users\Robert\Incomplete" deleted successfully.
Folder "c:\users\Robert\AppData\Roaming\FrostWire" deleted successfully.
Folder "C:\vv" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" deleted successfully.

Error: registry key "HKLM\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" not found!
Deletion of registry key "HKLM\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows|AppInit_DLLs" deleted successfully.
Program "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" successfully queued to run on reboot.

Completed script processing.

*******************

Finished! Terminate.






Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:41 PM, on 1/29/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... io&pf=cnnb
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 2937 bytes
Realtalkrobert
Regular Member
 
Posts: 18
Joined: January 21st, 2009, 9:20 pm

Re: Troj/Rustok-N Browser Redirecting and Crashing/Sites Unacces

Unread postby Odd dude » January 30th, 2009, 10:22 am

Eh, I think you forgot to tell me to disable all firewalls and antivirus but I did so anyway.

In the future, please do not assume things. Disabling those applications wasn't necessary. You did no harm but next time I'd rather you ask ;)

It restarted twice but I didn't get a blue screen maybe because I have vista?

That may be a default setting in Vista that is different from XP. I know that it's possible to turn off error message on system crash and just have it reboot right away.

But it just came to a black screen with white text that said either put pc in repair mode or start windows normally and it had a little countdown form 30 I believe. So I just picked start windows normally.

That was normal.

It took a while for the desktop to load but the avenger log and hijack was running right off the boot.

That was normal and expected.

I don't know why but I seems like things aren't going to plan with this? Every time you tell me to do something it doesn't go crisp.

Yeah, looks like it :lol:
Anyway, we'll get there in the end, if one tool fails we have plenty of others to work.

Sorry about that by the way. My laptop is confusing. It's not your fault. But here are the logs.

Neither is it your fault, so no need to apologize :)

Show hidden files and folders
We need to slightly adjust some settings.

  • Open the Control Panel (Start > Control Panel)
  • Double-click Folder Settings
  • On the View tab, uncheck Hide protected system files (recommended). A warning will show, just click Yes.
  • Check Show the contents of system directories
  • Uncheck Hide extensions for known file types
  • Scroll down and choose Show hidden files and folders
  • Press OK to save changes.

Please check if you can see these files:
c:\windows\system32\drivers\gaopdxrslepfyb.sys
c:\windows\system32\gaopdxtracvkux.dll

Also run another GMER scan to be sure it's gone. By the way - make a new uninstall list from hijackthis as well.

Copy and paste this to notepad:

Code: Select all
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll"


Save it to your desktop as "fix.reg". Right click it and choose Run as administrator if it's available (not sure whether it will be available on normal files too - I don't have Vista). When asked to merge click yes. Then run a new scan with hijackthis.

Kaspersky Online Scan
I would like you to run an online antivirus scan. Please click HERE to be taken to the Kaspersky site.

  • The site will present you with a list of important items. Read those. If you're unsure about something, stop and ask! If you're sure everything is all right, close all other windows.
  • Now, click Accept.
  • It will start a download rougly 10 MB in size. If prompted by your firewall to allow internet access, allow.
  • Once the download has finished, click Next.
  • Under Please select a target to scan, choose My Computer
  • Get a cup of coffee and watch some TV. Do not run any other programs while Kaspersky is scanning! If you're on dial-up, you can now terminate the internet connection if you wish.
  • Once finished, you will be presented with the results. Click Save as text and save the log to your desktop.

Post the results in your next reply.

Post back:
- Could you find those files?
- New GMER log
- New HJT log
- New uninstall list
- Kaspersky log
User avatar
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 286 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware